GitLab has released version 18.6, delivering a comprehensive update that introduces a redesigned user interface built for developer productivity, expanded AI capabilities through GitLab Duo, and significant enhancements to CI/CD pipeline management. This release demonstrates GitLab's continued commitment to streamlining software delivery workflows whilst strengthening security and compliance capabilities for enterprise organisations.
The 18.6 release addresses several long-standing challenges that DevOps teams face daily, from managing complex parallel job configurations to maintaining security policies during emergency situations. For organisations operating in regulated industries, this update brings particularly valuable improvements to audit trails, policy management, and enterprise user administration. This article provides a detailed examination of the most significant features and explains how they can benefit your software delivery operations.
The headline feature of GitLab 18.6 is the introduction of a completely redesigned user interface that prioritises developer productivity and workflow efficiency. The new side-by-side design utilises contextual panels that keep developers within their workflow, significantly reducing the number of clicks required to complete common tasks and helping teams work faster throughout their daily activities.
The redesigned interface allows users to customise their workspace according to their individual preferences and working styles. By maximising screen real estate and providing a cleaner, more dynamic experience, the new UI adapts to different workflows rather than forcing developers to adapt to rigid interface constraints. This represents a significant departure from previous GitLab interfaces and demonstrates the platform's evolution towards more user-centred design principles.
GitLab has emphasised its commitment to continuous improvement with this interface, actively inviting user feedback through a dedicated feedback issue. Organisations implementing GitLab 18.6 should encourage their development teams to explore the new interface thoroughly and provide feedback that will help shape future iterations of the platform.
GitLab 18.6 introduces substantial improvements to the GitLab Duo AI capabilities, making artificial intelligence-powered assistance more accessible and integrated throughout the development workflow. These enhancements reflect GitLab's strategic investment in AI-native features that augment developer capabilities without disrupting established working practices.
Developers using Visual Studio Code and JetBrains IDEs can now select different models for GitLab Duo Agentic Chat, providing greater flexibility in how AI assistance is delivered within their preferred development environment. This capability allows teams to optimise their AI interactions based on specific use cases, whether they require more creative responses or more deterministic outputs for particular tasks.
The GitLab Security Analyst Agent has been elevated to foundational status within GitLab Duo Agentic Chat. This means that users no longer need to manually add the Security Analyst agent from the AI Catalogue, as it is now available by default for GitLab Self-Managed and GitLab Dedicated deployments. The Security Analyst provides AI-native vulnerability management and security analysis capabilities, helping teams investigate findings, triage vulnerabilities, and navigate compliance requirements without requiring any additional setup or configuration.
This specialised assistant represents a significant step forward in making security expertise more accessible to development teams. Rather than requiring dedicated security personnel for every vulnerability assessment, teams can leverage the Security Analyst to gain initial insights and prioritise their security work more effectively. The feature remains in beta, and GitLab welcomes feedback from users to help refine its capabilities.
The GitLab Duo Planner Agent is now available by default in the agent dropdown within GitLab Duo Chat, eliminating the previous requirement to manually add it from the AI Catalogue. With full context of work items, epics, issues, and tasks, the Planner Agent can assist teams at both group and project levels, providing intelligent support for breaking down complex work, creating implementation plans, and organising team objectives.
The Planner Agent includes example prompts to help users understand its capabilities and get started quickly. Teams can leverage this agent to improve their planning processes, ensure work is properly decomposed into manageable tasks, and maintain better visibility into project progress. Like the Security Analyst, this feature is currently in beta and actively being refined based on user feedback.
GitLab 18.6 delivers several significant enhancements to CI/CD pipeline capabilities that address common challenges faced by platform engineering teams and developers working with complex build configurations. These improvements focus on reducing configuration complexity whilst enabling more sophisticated pipeline architectures.
Prior to this release, CI/CD components could not reference their own metadata, such as version numbers or commit SHAs, within their configuration. This limitation forced teams to use hardcoded values or implement complex workarounds, often leading to version mismatches when components built resources such as Docker images. There was simply no reliable way to automatically tag resources with the component's compatible version.
GitLab 18.6 introduces the ability to access component context using the new spec:component keyword. Teams can now build and publish versioned resources like Docker images when releasing a component version, ensuring that everything remains synchronised. This capability eliminates manual version management and prevents the version mismatches that previously plagued component-based pipeline architectures.
The parallel:matrix feature has long enabled teams to run multiple jobs in parallel with different requirements, making it straightforward to test code across multiple platforms simultaneously. However, creating dependencies between specific parallel jobs using needs:parallel:matrix required complex and inflexible configuration that was difficult to maintain.
The new $[[matrix.VARIABLE]] expression, introduced as a beta feature in GitLab 18.6, enables dynamic one-to-one dependencies that make complex parallel:matrix configurations significantly easier to manage. This improvement delivers faster pipelines through efficient artifact handling, better scalability for large configurations, and cleaner YAML that is easier to understand and maintain.
The feature proves particularly valuable for multi-platform builds, Terraform deployments across multiple environments, and any workflow requiring parallel processing across multiple dimensions. Platform engineering teams working with complex build matrices should evaluate this feature as it can substantially reduce configuration overhead whilst improving pipeline reliability.
GitLab 18.6 brings exact code search to limited availability status, representing a significant advancement in how teams can locate code across their GitLab instances. Users can now employ exact match and regular expression modes to search for code across an entire instance, within a group, or within a specific project.
The exact code search functionality is built on top of Zoekt, an open-source search engine designed specifically for code search use cases. This architectural choice ensures that searches deliver precise, relevant results whilst maintaining the performance characteristics necessary for large codebases. For organisations managing extensive code repositories, this feature transforms the code discovery process from a time-consuming manual effort into a rapid, accurate search operation.
Additionally, advanced search now returns matching results from both issue descriptions and comments within a single query. Previously, users had to search issue descriptions and comments separately, which complicated the search workflow. This improvement provides a more streamlined and comprehensive search experience when working with GitLab issues.
Security and compliance capabilities receive substantial attention in GitLab 18.6, with features designed to help organisations maintain strong governance whilst enabling the flexibility needed for real-world operational requirements. These enhancements are particularly relevant for teams operating in regulated industries where audit trails and policy enforcement are critical requirements.
Organisations can now designate specific users, groups, roles, or custom roles that can bypass merge request approval policies during critical situations. This capability provides essential flexibility for emergency responses whilst maintaining comprehensive audit trails and governance controls that satisfy compliance requirements.
When authorised users invoke a policy bypass, they must provide detailed reasoning using an intuitive modal interface, ensuring every exception is properly documented with full context. Every bypass generates detailed audit events including user identity, policy context, reasoning, and timestamps, providing complete visibility into exception usage patterns for compliance review.
The configuration supports flexible permission definitions using YAML or UI configuration, accommodating individual users, GitLab groups, standard roles, and custom roles. Users with pre-approved policy exceptions can push directly when invoking the push bypass option with security_policy.bypass_reason. This feature eliminates the previous requirement to entirely disable security policies during emergencies, providing a controlled path for urgent changes whilst preserving organisational governance.
Security teams can now deploy policies in warn mode, which generates informative bot comments without blocking merge requests. Optional approvers can be designated as points of contact for policy questions, creating a more collaborative approach to security policy adoption. This approach enables security teams to assess policy impact and build developer trust through transparent, gradual policy rollout.
Clear indicators in merge requests inform users when policies are operating in warn or enforce mode, and audit events track policy violations and dismissals for compliance reporting purposes. Developers can dismiss vulnerabilities whilst providing reasoning for the dismissal, fostering a collaborative relationship between security and development teams rather than an adversarial one.
Security teams can now apply business context to projects by leveraging the new security attributes feature. These attributes are organised by categories including business impact with structured pre-defined selections, application context, business unit, internet exposure, and location. Organisations can also create custom attribute categories and define labels within those categories to match their specific requirements.
By applying these attributes across projects, teams can more quickly search, filter, and identify which projects within the security inventory require action based on risk posture and organisational context. This enables security teams to identify mission-critical projects requiring better scan coverage, review scan coverage by application or business unit, and quickly locate projects that contribute to publicly accessible applications.
GitLab 18.6 includes several infrastructure improvements that address operational challenges faced by platform engineering teams and self-managed GitLab administrators. These enhancements focus on removing limitations, improving performance, and enabling GitLab deployment in more restrictive network environments.
GitLab Self-Managed administrators operating in offline or tightly controlled network environments can now configure a custom Web IDE extension host domain, enabling full Web IDE functionality without requiring external internet access. Previously, the Web IDE required connectivity to external CDN domains to load VS Code extensions and functionality, which blocked Web IDE adoption for security-conscious organisations, government and public sector customers, and enterprises with strict network policies.
With this update, administrators can configure their GitLab instance to serve Web IDE assets directly, removing the dependency on external domains entirely. Organisations can now use the full Web IDE feature set in completely offline environments, enable the Extension Marketplace with a custom extension registry service, and enable markdown preview, code editing, and GitLab Duo Chat within the Web IDE in isolated networks.
The GitLab Helm chart registry previously generated metadata responses on-the-fly, creating performance bottlenecks when repositories contained large numbers of charts. To maintain system stability, GitLab enforced a hard limit of the 1,000 most recent charts, which caused frustrating 404 errors when platform teams attempted to access older chart versions.
Platform engineers were forced to implement complex workarounds such as splitting charts across multiple repositories, manually managing chart retention policies, or maintaining separate chart storage solutions. These workarounds added operational overhead and fragmented deployment workflows, making it difficult to maintain centralised chart governance.
GitLab 18.6 eliminates the 1,000 chart limitation entirely by pre-computing metadata responses and storing them in object storage. This architectural change delivers both unlimited chart access and improved performance, as metadata is now generated once in background jobs rather than on every request. Organisations with extensive Helm chart collections can now manage all their charts in a single registry without artificial limitations.
Webhook integrations play a critical role in automated workflows and keeping external systems synchronised with GitLab activities. GitLab 18.6 introduces several enhancements that provide more detailed information in webhook payloads, enabling more sophisticated automation workflows.
When GitLab automatically resets approvals, such as when new commits are pushed to a merge request with "Reset approvals on push" enabled, external systems previously could not distinguish these system-initiated events from manual user actions. GitLab 18.6 addresses this limitation by including enhanced webhook payloads that clearly identify system-initiated approval resets.
When approvals are automatically reset, webhooks now include a system field set to true and a system_action field that provides specific context about why the reset occurred, such as approvals_reset_on_push or code_owner_approvals_reset_on_push. Webhook integrations can now distinguish between manual approval changes and automatic system resets, enabling more sophisticated automation workflows that respond appropriately to the specific context of each approval change.
Previously, when reviewers were re-requested for merge requests, webhook consumers had no way to identify which specific reviewer was being re-requested. This made it difficult to trigger appropriate notifications or automation based on reviewer assignments.
Webhook payloads for merge requests now include a re_requested attribute in reviewer data that clearly indicates which reviewer was re-requested. This attribute is set to true for the specific reviewer being re-requested and set to false for all other reviewers. This improvement enables more precise automation around the merge request review process, allowing webhook consumers to send targeted notifications, update external tracking systems, and trigger appropriate workflows when reviews are re-requested.
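The following webhook consumer is an added example, not code from GitLab or from this article. It separates automatic approval resets from manual approval changes and picks out the re-requested reviewer. The payloads are constructed, and because the article does not say where `system` and `system_action` sit in the payload, the code checks both `object_attributes` and the top level as an assumption.

```python
import hmac
import json

# system_action values the article names for automatic approval resets.
RESET_ACTIONS = {"approvals_reset_on_push", "code_owner_approvals_reset_on_push"}
# Merge request actions treated here as approval changes made by a person.
MANUAL_ACTIONS = {"approved", "unapproved", "approval", "unapproval"}


def _field(payload, name):
    """Read `name` from object_attributes, else from the top level.

    Assumption: the article does not say where `system` and `system_action`
    sit in the payload, so both places are checked.
    """
    attrs = payload.get("object_attributes") or {}
    return attrs[name] if name in attrs else payload.get(name)


def classify(payload):
    """Return what a consumer needs to decide how to react to one event."""
    out = {"kind": "ignored", "system_action": None, "re_requested": []}
    if payload.get("object_kind") != "merge_request":
        return out
    # Only a real boolean true counts; the string "true" does not.
    if _field(payload, "system") is True:
        action = _field(payload, "system_action")
        out["system_action"] = action
        # Unknown reasons are surfaced rather than treated as a reset.
        out["kind"] = "system_reset" if action in RESET_ACTIONS else "system_unknown"
    elif _field(payload, "action") in MANUAL_ACTIONS:
        out["kind"] = "manual_approval_change"
    else:
        out["kind"] = "other_merge_request_event"
    out["re_requested"] = [
        r.get("username")
        for r in payload.get("reviewers") or []
        if r.get("re_requested") is True
    ]
    return out


def handle_delivery(token_header, body, secret):
    """Authenticate a delivery by its X-Gitlab-Token value, then classify it."""
    if not hmac.compare_digest(token_header.encode(), secret.encode()):
        raise PermissionError("webhook token mismatch")
    return classify(json.loads(body))


# Constructed sample deliveries (not captured from a real instance).
SYSTEM_RESET = json.dumps({
    "object_kind": "merge_request",
    "object_attributes": {"action": "unapproved", "system": True,
                          "system_action": "approvals_reset_on_push"},
    "reviewers": [{"username": "alice", "re_requested": False}],
})
RE_REQUEST = json.dumps({
    "object_kind": "merge_request",
    "object_attributes": {"action": "update"},
    "reviewers": [{"username": "alice", "re_requested": False},
                  {"username": "bob", "re_requested": True}],
})

if __name__ == "__main__":
    for body in (SYSTEM_RESET, RE_REQUEST):
        print(handle_delivery("s3cret-example", body, "s3cret-example"))
```

An integration that alerts on removed approvals can then page a human only for `manual_approval_change` and log `system_reset` events for audit.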
GitLab 18.6 improves code ownership management and collaboration capabilities, addressing challenges that organisations face when managing complex group structures and enterprise user administration.
Code ownership is critical for maintaining code quality and ensuring the right people review changes to sensitive parts of a codebase. However, managing Code Owners in organisations with complex group structures has been challenging. Previously, to reference a group in a CODEOWNERS file, that group had to be directly invited to each specific project, even if it was already a member of a parent group.
GitLab 18.6 now supports groups with inherited memberships as eligible approvers. Groups with inherited access through parent group membership are recognised as valid code owners when Code Owners approvals are enabled. This change eliminates the need to invite groups directly to every project whilst maintaining the same level of control over who can approve changes to critical code paths. Existing CODEOWNERS files continue to work without modifications, and the change reduces administrative overhead significantly for organisations with hierarchical group structures.
Group owners can now update the primary email address of enterprise users within their group through the Users API. Previously, each enterprise user had to manually update their own email address, which created administrative burden at scale. This change makes it considerably easier to manage enterprise users when organisations need to update email addresses in bulk, such as during domain changes or organisational restructuring.
Users can now designate an account beneficiary with permission to manage their GitLab account if they become incapacitated or unavailable. To access the account, the beneficiary must provide appropriate legal documentation. This feature helps ensure the continuity of work and projects whilst preventing unauthorised access, addressing an important consideration for business continuity planning.
Beyond the major features highlighted above, GitLab 18.6 includes several additional updates that improve the platform's capabilities and stability.
The GitLab MCP server is now available in beta, enabling integration with AI assistants like Claude Code, Cursor, and other MCP-compatible tools. With the GitLab MCP server, teams can interact with their GitLab projects, issues, merge requests, and pipelines through AI assistants without building custom integrations for each tool. The server provides key tools covering issues, merge requests, and pipelines, and GitLab continues to refine it based on user feedback.
GitLab has added support for 40 new rules to the pipeline secret detection capabilities. Some existing rules have also been updated to improve quality and reduce false positives. These changes are released in version 7.20.1 of the secrets analyser, providing broader coverage for identifying accidentally committed secrets in code repositories.
GitLab has introduced rate limiting for the /api/v4/projects/:id/members/all and /api/v4/groups/:id/members/all endpoints to improve API stability and ensure fair resource usage across all users. These endpoints now have a rate limit of 200 requests per minute per user. This change helps protect GitLab instances from excessive API usage that could impact performance for all users. Integrations using these endpoints should implement appropriate retry logic with backoff to handle HTTP 429 responses.
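One way to implement that retry logic, as an added example rather than code from GitLab or this article: a small client that spaces calls to stay under 200 requests per minute and, on HTTP 429, waits for the `Retry-After` value or falls back to capped exponential backoff with jitter. The `send` transport, the group ID in the path and the fake server replies are hypothetical and constructed for the example.

```python
import random
import time

LIMIT_PER_MINUTE = 200                   # per-user limit stated in the article
MIN_INTERVAL = 60.0 / LIMIT_PER_MINUTE   # 0.3 s between calls stays under it


class MembersClient:
    """Paces calls to the members/all endpoints and retries HTTP 429.

    `send(path)` is a hypothetical transport returning (status, headers, body);
    `sleep` and `clock` are injectable so the logic can be tested offline.
    """

    def __init__(self, send, sleep=time.sleep, clock=time.monotonic,
                 max_retries=5, max_delay=60.0):
        self.send, self.sleep, self.clock = send, sleep, clock
        self.max_retries, self.max_delay = max_retries, max_delay
        self._next_slot = 0.0

    def _pace(self):
        # Client-side spacing so a bulk sync does not reach the limit at all.
        wait = self._next_slot - self.clock()
        if wait > 0:
            self.sleep(wait)
        self._next_slot = self.clock() + MIN_INTERVAL

    def _delay(self, headers, attempt):
        # Prefer the server's Retry-After (seconds) when it is present.
        retry_after = str(headers.get("Retry-After", ""))
        if retry_after.isdigit():
            return min(float(retry_after), self.max_delay)
        # Otherwise capped exponential backoff with jitter: up to 1 s, 2 s, 4 s...
        backoff = min(2.0 ** attempt, self.max_delay)
        return random.uniform(backoff / 2, backoff)

    def get(self, path):
        for attempt in range(self.max_retries + 1):
            self._pace()
            status, headers, body = self.send(path)
            if status != 429:
                return status, body
            if attempt < self.max_retries:
                self.sleep(self._delay(headers, attempt))
        raise RuntimeError(f"still rate limited after {self.max_retries} retries: {path}")


def demo():
    """Constructed run: the fake server answers 429 once, then 200."""
    replies = [(429, {"Retry-After": "2"}, ""), (200, {}, '[{"id": 1}]')]
    now, waits = [0.0], []

    def fake_sleep(seconds):
        # Record the wait and advance the fake clock instead of sleeping.
        waits.append(seconds)
        now[0] += seconds

    client = MembersClient(lambda path: replies.pop(0), sleep=fake_sleep,
                           clock=lambda: now[0])
    return client.get("/api/v4/groups/42/members/all"), waits


if __name__ == "__main__":
    print(demo())
```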
GitLab Runner 18.6 is released alongside the main GitLab release. GitLab Runner is the highly scalable build agent that runs CI/CD jobs and sends results back to a GitLab instance. Working in conjunction with GitLab CI/CD, the open-source continuous integration service included with GitLab, the Runner enables organisations to execute their pipeline workloads on their own infrastructure or cloud environments.

| Category | Feature | Availability | Key Benefit |
|---|---|---|---|
| User Interface | Redesigned UI with contextual panels | General Availability | Reduces clicks and improves developer productivity through customisable workspace and side-by-side design. |
| AI Capabilities | Security Analyst Agent as foundational | Beta | Provides AI-native vulnerability management without setup, available by default on Self-Managed and Dedicated. |
| AI Capabilities | Planner Agent available by default | Beta | Assists with breaking down complex work and creating implementation plans at group and project levels. |
| CI/CD | Components metadata reference | General Availability | Enables components to access version information, eliminating manual version management and mismatches. |
| CI/CD | Dynamic parallel matrix dependencies | Beta | Simplifies complex parallel configurations with cleaner YAML and more efficient artifact handling. |
| Code Search | Exact code search | Limited Availability | Enables precise code discovery across instances using exact match and regular expressions powered by Zoekt. |
| Security | Emergency policy bypass | General Availability | Allows designated users to bypass policies during emergencies with full audit trail and accountability. |
| Security | Warn mode for policies | General Availability | Enables gradual policy adoption with informative comments rather than blocking merge requests. |
| Infrastructure | Custom Web IDE extension host | General Availability | Enables full Web IDE functionality in offline and air-gapped environments. |
| Infrastructure | Unlimited Helm charts | General Availability | Removes the 1,000 chart limit through pre-computed metadata storage in object storage. |

Organisations working with OTTRA to implement GitLab should consider how these new features align with their software delivery transformation objectives. For teams focused on improving deployment frequency whilst maintaining compliance, the enhanced security policy capabilities offer a balanced approach that no longer requires choosing between governance and agility.
The CI/CD component metadata reference capability is particularly relevant for organisations building standardised pipeline components. By enabling components to reference their own version information, teams can create more reliable and maintainable pipeline architectures that reduce the operational burden on platform engineering teams.
For organisations operating in regulated industries with strict network requirements, the custom Web IDE extension host domain capability removes a significant barrier to Web IDE adoption. This feature enables consistent developer experiences across both connected and air-gapped environments, which is essential for organisations in financial services, government, and defence sectors.
OTTRA recommends that customers review their current GitLab configurations against these new capabilities and identify opportunities to simplify existing workarounds or enable previously unavailable features. Our team can assist with upgrade planning and feature implementation to ensure your organisation maximises the value of GitLab 18.6.
GitLab 18.6 represents a substantial release that addresses real challenges faced by development and platform engineering teams. The redesigned user interface demonstrates GitLab's commitment to developer productivity, whilst the expanded AI capabilities through GitLab Duo make intelligent assistance more accessible throughout the development workflow.
The CI/CD improvements, particularly around component metadata and parallel matrix dependencies, will help platform teams build more sophisticated pipeline architectures with less configuration complexity. For organisations in regulated industries, the enhanced security policy features provide the flexibility needed for real-world operations without compromising governance requirements.
Infrastructure improvements like the unlimited Helm chart support and custom Web IDE domains address long-standing operational challenges, making GitLab more suitable for enterprise deployments with specific requirements. Combined with the enhanced webhook capabilities and code ownership features, GitLab 18.6 delivers meaningful improvements across the entire software delivery lifecycle.
Organisations currently using GitLab should evaluate these new features against their current workflows and identify opportunities for improvement. Those considering GitLab adoption will find that version 18.6 addresses many common enterprise requirements, particularly around security policy management and offline deployment scenarios. For guidance on implementing these features within your organisation, contact OTTRA to discuss your specific requirements and upgrade planning.