GitLab 18.10 brings AI-native triage and remediation

Published: March 18, 2026 at 08:00 PM EDT

Source: GitLab Blog

What’s new

  • Static Application Security Testing (SAST) false positive detection is now generally available. This flow uses an LLM for agentic reasoning to determine the likelihood that a vulnerability is a false positive, so security and development teams can focus on remediating critical vulnerabilities first.
  • Agentic SAST vulnerability resolution is now in beta. It automatically creates a merge request with a proposed fix for verified SAST vulnerabilities, shortening time to remediation and reducing the need for deep security expertise.
  • Secret false positive detection is now in beta. This flow brings the same AI‑powered noise reduction to secret detection, flagging dummy and test secrets to save review effort.

These flows are available to GitLab Ultimate customers using GitLab Duo Agent Platform.

Cut triage time with SAST false positive detection

Traditional SAST scanners flag every suspicious code pattern they find, regardless of whether code paths are reachable or frameworks already handle the risk. Without runtime context, they cannot distinguish a real vulnerability from safe code that just looks dangerous.

This can cause developers to spend hours investigating findings that turn out to be false positives, eroding confidence in the report and slowing down teams responsible for fixing real risks.

After each SAST scan, GitLab Duo Agent Platform automatically analyzes new critical and high‑severity findings and attaches:

  • A confidence score indicating how likely the finding is to be a false positive
  • An AI‑generated explanation describing the reasoning
  • A visual badge that makes “Likely false positive” versus “Likely real” easy to scan in the UI

These findings appear in the Vulnerability Report. You can filter the report to focus on findings marked as “Not false positive” so teams can spend their time addressing real vulnerabilities instead of sifting through noise.

GitLab Duo Agent Platform’s assessment is a recommendation. You decide whether each flagged finding really is a false positive, and you can audit the agent’s reasoning at any time to build confidence in the model.

Turn vulnerabilities into automated fixes

Knowing that a vulnerability is real is only half the work. Remediation still requires understanding the code path, writing a safe patch, and ensuring nothing else breaks.

When the SAST false positive detection flow marks a vulnerability as likely real (not a false positive), the Agentic SAST vulnerability resolution flow automatically:

  1. Reads the vulnerable code and surrounding context from your repository
  2. Generates high‑quality proposed fixes
  3. Validates fixes through automated testing
  4. Opens a merge request with a proposed fix that includes:
    • Concrete code changes
    • A confidence score
    • An explanation of what changed and why

In the demo, GitLab automatically takes a SAST vulnerability from detection to a ready‑to‑review merge request. The agent reads the code, generates and validates a fix, and opens an MR with clear, explainable changes so developers can remediate faster without being security experts.

Note: As with any AI‑generated suggestion, you should review the proposed merge request carefully before merging.

Surface real secrets

Secret detection is only useful if teams trust the results. When reports are full of test credentials, placeholder values, and example tokens, developers may waste time reviewing noise instead of fixing real exposures, slowing remediation and decreasing confidence in the scan.

Secret false positive detection helps teams focus on the secrets that matter so they can reduce risk faster. When it runs on the default branch, it will automatically:

  • Analyze each finding to spot likely test credentials, example values, and dummy secrets
  • Assign a confidence score for whether the finding is a real risk or a likely false positive
  • Generate an explanation for why the secret is being treated as real or noise
  • Add a badge in the Vulnerability Report so developers can see the status at a glance

Developers can also trigger this analysis manually from the Vulnerability Report by selecting “Check for false positive” on any secret detection finding, helping them clear out findings that do not pose risk and focus on real secrets sooner.
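The annotations described for SAST findings above (a confidence score, an explanation, and a “Likely false positive” versus “Likely real” badge, plus the “Not false positive” filter) and the secret-detection variant in this section follow the same shape. The Python below is an added illustration of that shape, not GitLab’s code: GitLab Duo Agent Platform reaches its verdict with LLM reasoning, whereas here a few transparent heuristics (placeholder words and character entropy for secrets; test-path location, literal sink arguments and visible sanitizers for SAST) stand in for the agent. The findings, file paths and secret values are constructed samples, and the weights and the 0.5 threshold are arbitrary assumptions.

```python
"""Heuristic triage of SAST and secret-detection findings.

Added example, not GitLab code. Simple rules replace the LLM reasoning the
product uses; only the annotation shape (score, explanation, badge, filter)
is being demonstrated.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Assumed heuristics (illustration only, not the product's logic).
PLACEHOLDER_WORDS = ("example", "dummy", "test", "fake", "sample",
                     "placeholder", "changeme", "xxxx")
SANITIZERS = ("shlex.quote(", "html.escape(", "markupsafe.escape(")
# Crude sign that variable data is concatenated into the sink argument.
DYNAMIC_INPUT = re.compile(r"""f["']|\+|%|\.format\(""")
FP_THRESHOLD = 0.5  # at or above this the finding gets the "Likely false positive" badge


@dataclass
class Finding:
    kind: str              # "sast" or "secret"
    file: str
    snippet: str           # offending source line, or the detected secret value
    severity: str
    fp_score: float = 0.0  # estimated probability that the finding is a false positive
    explanation: str = ""
    badge: str = ""


def shannon_entropy(s: str) -> float:
    """Bits per character: generated credentials score high, placeholders low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def score_secret(value: str) -> tuple[float, list[str]]:
    """Score a secret-detection finding; returns (false-positive score, reasons)."""
    score, reasons = 0.1, []
    hits = [w for w in PLACEHOLDER_WORDS if w in value.lower()]
    if hits:
        score += 0.5
        reasons.append(f"contains placeholder word(s) {hits}")
    ent = shannon_entropy(value)
    if ent < 3.0:
        score += 0.4
        reasons.append(f"entropy {ent:.2f} bits/char is too low for a generated credential")
    else:
        reasons.append(f"entropy {ent:.2f} bits/char is consistent with a real credential")
    return min(score, 0.95), reasons


def score_sast(file: str, snippet: str) -> tuple[float, list[str]]:
    """Score a SAST finding; returns (false-positive score, reasons)."""
    score, reasons = 0.1, []
    if "/tests/" in f"/{file}" or file.rsplit("/", 1)[-1].startswith("test_"):
        score += 0.3
        reasons.append("located in test code, not a shipped code path")
    if not DYNAMIC_INPUT.search(snippet):
        score += 0.4
        reasons.append("sink argument is a literal; no variable input reaches it")
    used = [s for s in SANITIZERS if s in snippet]
    if used:
        score += 0.3
        reasons.append(f"input passes through sanitizer {used}")
    if not reasons:
        reasons.append("variable input reaches the sink with no sanitizer in view")
    return min(score, 0.95), reasons


def triage(findings: list[Finding]) -> list[Finding]:
    """Attach score, explanation and badge to every finding (mutates in place)."""
    for f in findings:
        if f.kind == "secret":
            f.fp_score, reasons = score_secret(f.snippet)
        else:
            f.fp_score, reasons = score_sast(f.file, f.snippet)
        f.explanation = "; ".join(reasons)
        f.badge = "Likely false positive" if f.fp_score >= FP_THRESHOLD else "Likely real"
    return findings


def not_false_positive(findings: list[Finding]) -> list[Finding]:
    """The report filter: keep only findings that still need a human's attention."""
    return [f for f in findings if f.badge == "Likely real"]


# Constructed sample findings (not real scanner output).
SAMPLE_FINDINGS = [
    Finding("sast", "app/db.py", "cursor.execute(f\"SELECT * FROM users WHERE name = '{name}'\")", "critical"),
    Finding("sast", "tests/test_shell.py", "subprocess.run(\"ls -la /tmp\", shell=True)", "high"),
    Finding("sast", "app/cli.py", "subprocess.run(\"ls \" + shlex.quote(path), shell=True)", "high"),
    Finding("secret", "config/settings.py", "changeme", "critical"),
    Finding("secret", "docs/api.md", "sk_test_dummy_key_1234", "critical"),
    Finding("secret", ".env", "q7Zp2xVm9LkR4tWn8bHs3yCd", "critical"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FINDINGS):
        print(f"{f.badge:22} {f.fp_score:.2f}  {f.file}: {f.explanation}")
    print("Needs attention:", [f.file for f in not_false_positive(SAMPLE_FINDINGS)])
```

The sanitized-but-dynamic shell call in `app/cli.py` lands below the threshold and keeps the “Likely real” badge: the explanation records the sanitizer, but the verdict is still a recommendation, which is the point of leaving the reviewer in control and keeping the reasoning auditable.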

Try AI‑powered security today

GitLab 18.10 introduces capabilities that cover the full vulnerability workflow, from cutting false positive noise in SAST and secret detection to automatically generating merge requests with proposed fixes.

To see how AI‑powered security can help cut review time and turn findings into ready‑to‑merge fixes, start a free trial of GitLab Duo Agent Platform today.
