GitLab 18.11 + Duo Agent Platform — CI Expert, Agentic SAST Auto-Resolution, Custom Flow YAML, and GitLab Credits Guardrails Redefining 2026 AI-Native DevSecOps
On April 16, 2026, GitLab shipped 18.11 and dropped three new agents onto the Duo Agent Platform that went GA back in January. The new lineup is the CI Expert Agent (Beta) that writes a working .gitlab-ci.yml from an empty repository, the Data Analyst Agent (GA) that answers natural-language queries via GLQL, and Agentic SAST Vulnerability Resolution (GA) that ships a ready-to-review merge request the moment a SAST scan finishes. At the same time the default model for Agentic Chat moved from Claude Haiku 4.5 to Claude Sonnet 4.6 on Vertex AI, the self-hosted LLM list gained Mistral AI, and — critically for ops teams — GitLab introduced subscription-level and per-user GitLab Credits caps to stop runaway spend. This post is the ManoIT DevSecOps team's consolidated reference: the four-tier Duo Agent Platform architecture, the Custom Flow v1 YAML schema, the CI/CD and SAST automation patterns, the Credits cost model, and the migration checklist (including the forced PostgreSQL 17 upgrade).
1. Why GitLab 18.11 Is the Inflection Point — Q1 2026 Duo Agent Platform Trajectory
The Q1 2026 storyline of GitLab Duo can be summarized in one line: "the AI plugin became the platform." 18.8 (2026-01-15) promoted the Duo Agent Platform to GA on Premium and Ultimate, shipping the Planner Agent, Security Analyst Agent, and the MCP Client all at once. 18.9 (2026-02-19) made self-hosted LLMs first-class. 18.10 introduced GitLab Credits as the usage-based billing currency in beta. 18.11 then converged the trajectory: it pushed CI Expert into Beta on every tier, promoted Agentic SAST to GA so a fix MR appears the instant a scan completes, and capped credit consumption at both the subscription and the user level.
| Version (release date) | Headline change | Tier | Practical impact |
|---|---|---|---|
| 18.8 (2026-01-15) | Duo Agent Platform GA, Duo Planner / Security Analyst / MCP Client GA, 5 new flows (Issue→MR, Convert to GitLab CI/CD, Fix CI/CD pipeline, Code Review, Software Dev in IDE) | Premium / Ultimate | MCP-connected Slack, Jira, Confluence inside the IDE |
| 18.9 (2026-02-19) | Self-hosted LLMs official (AWS Bedrock, Vertex AI, Azure OpenAI, Anthropic, OpenAI), Agentic SAST Vulnerability Resolution Beta | Ultimate (self-hosted), all tiers (Beta) | Duo usable in air-gapped finance/government environments |
| 18.10 | GitLab Credits usage-based billing (beta) | All tiers | $1 / credit, automated code review at $0.25 flat |
| 18.11 (2026-04-16) | CI Expert Agent Beta, Data Analyst Agent GA, Agentic SAST GA, Custom Flow tool option overrides, Mistral AI self-hosting, Sonnet 4.6 default for Agentic Chat, subscription + per-user credit caps, MR pipeline inputs customization | Free / Premium / Ultimate | "AI writes your .gitlab-ci.yml and patches SAST" reaches Free and Self-Managed |
The architectural takeaway is that the agents are platform-native. External copilots see only the code in the IDE; Duo agents see the code, issues, MRs, pipelines, vulnerabilities, and runner logs of the same project at the same time. That is why the CI Expert can pick the right cache pattern instead of pasting a generic template — it actually inspects the repository.
2. Duo Agent Platform Architecture — AI Gateway, Workflow Service, Knowledge Graph, Runner
The 18.11 runtime decomposes into four well-defined components. Understanding their responsibilities aligns the self-hosted deployment, observability, and pricing model in one shot.
2.1 AI Gateway — One Entry for Auth, Routing, and Metering
Every Duo call passes through the AI Gateway. It validates the GitLab user token, routes to the configured model provider, and meters GitLab Credits. 18.11 adds two enforceable guardrails. A subscription-level usage cap suspends Duo Agent Platform access for the entire subscription as soon as on-demand credits cross the configured threshold. A per-user usage cap suspends only the offender, leaving everyone else unaffected. When both caps are configured, whichever cap is hit first wins.
2.2 Workflow Service — Home of Custom Flow v1
The Duo Workflow Service consumes YAML definitions written against the Flow Registry v1 specification with the fields version, environment, components, prompts, routers, and flow. In Custom Flow definitions, environment accepts only ambient (the chat and chat-partial values are restricted), the model field inside a prompts entry is not supported (the model is determined by group/instance settings), and v1 top-level name, description, and product_group are also restricted. The 18.11 headline addition is tool option and parameter overrides directly in the flow definition, which lets you pin tool behaviour and enforce guardrails per flow regardless of LLM defaults.
2.3 Knowledge Graph — The Source of "Now"
The Knowledge Graph is a synced graph index over code, issues, MRs, pipelines, commits, and vulnerabilities. External copilots that depend on stale embeddings often answer with last week's context; Duo pulls fresh state from the Knowledge Graph on every call. That is why the CI Expert nails build/test patterns and the Agentic SAST agent can trace a vulnerable function through its callers.
2.4 GitLab Runner 18.11 — Where Remote Flows Actually Run
Remote Flows execute as pipeline jobs on a GitLab Runner; the Rails backend triggers them with start_workflow = true. 18.11 ships two ops-level improvements. First, a concrete helper image with bundled dependencies reduces external image pulls at job startup. Second, the job router feature flag is now read from the runner config file instead of an environment variable, which removes an entire class of incidents where a leaked or overridden env var broke routing silently. Bug fixes in the same release land CONCURRENT_PROJECT_ID collisions, the after_script ordering when pre_build_script fails, pipeline hangs on cache operations, and the silent fallback to job payload credentials when the DOCKER_AUTH_CONFIG credential helper binary is missing.
3. CI Expert Agent — From an Empty .gitlab-ci.yml to a Working Pipeline
CI Expert Agent shipped in 18.11 in Beta on every tier (Free, Premium, Ultimate) and on GitLab.com, Self-Managed, Dedicated, and Dedicated for Government. The premise is straightforward: starting from an empty repository or empty .gitlab-ci.yml, the agent inspects the codebase, asks a few guided questions about your build and test process, and emits a reviewable pipeline. It does not paste a template — it identifies language, framework, test runner, and cacheable directories from the actual code.
3.1 Invocation and Output
You invoke CI Expert from the VS Code extension or the Web UI's Agentic Chat:
# Web UI — Agentic Chat
/ci-expert
> Automate the build and test for this project, and deploy to Kubernetes on push to main.
# VS Code (Duo extension)
Cmd+Shift+P → "GitLab Duo: Generate CI Pipeline"
A typical first-cut output for a Node.js + Helm project looks like this:
# .gitlab-ci.yml — first draft from CI Expert
stages:
- install
- test
- build
- deploy
default:
image: node:20-bookworm
cache:
key:
files:
- package-lock.json
paths:
- node_modules/
install:
stage: install
script:
- npm ci --prefer-offline
artifacts:
paths:
- node_modules/
expire_in: 1 hour
unit-test:
stage: test
needs: ["install"]
script:
- npm run test:unit -- --reporter=junit
artifacts:
when: always
reports:
junit: junit.xml
build-image:
stage: build
needs: ["unit-test"]
image: docker:25
services:
- docker:25-dind
script:
- docker build -t $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA .
- docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
rules:
- if: $CI_COMMIT_BRANCH == "main"
deploy-prod:
stage: deploy
needs: ["build-image"]
image: alpine/helm:3.16.2
script:
- helm upgrade --install web ./chart
--set image.tag=$CI_COMMIT_SHA
--namespace prod --atomic --wait
environment:
name: production
url: https://app.example.com
rules:
- if: $CI_COMMIT_BRANCH == "main"
when: manual
Each decision comes with a plain-language rationale. For example: "We use npm ci --prefer-offline because package-lock.json exists, and we set it as the cache key so dependencies only reinstall when it changes." That rationale lands in the MR description, which materially reduces reviewer friction.
3.2 Pipeline Failure Triage
CI Expert is not just for greenfield projects — it triages broken pipelines. It reads the failed job log, classifies issues like cache misses, missing tests, or image pull failures, and proposes a patch.
# Trigger directly from a failed job
gitlab-duo ci-expert debug --job-id=42 --project=acme/web
# Sample output
Diagnosis:
- Cache miss: package-lock.json modified since last successful run.
- Suggested: pin Node 20.18.1, add --frozen-lockfile guard.
Patch (preview):
- install:
- script:
- - npm ci --prefer-offline
+ - npm ci --prefer-offline --frozen-lockfile
Apply? [y/N]
4. Agentic SAST Vulnerability Resolution — Patch MRs Open the Moment a Scan Closes
Agentic SAST Vulnerability Resolution debuted as a Beta in 18.9 and is GA in 18.11 on Ultimate. The principle is "scan ends → next step happens immediately." When the SAST scan on the main branch completes, false-positive detection runs first; the surviving Critical/High findings are handed to the agent, which uses multi-shot reasoning to traverse the surrounding code and opens a fix MR plus a verification pipeline automatically.
4.1 The Workflow
- The SAST scanner finishes on the main branch and writes the vulnerability list.
- SAST False Positive Detection runs to drop noisy findings.
- The agent analyses each remaining Critical/High vulnerability in context.
- If confidence is sufficient, an MR is created and a SAST scan re-runs against the proposed patch to confirm the fix.
- The vulnerability detail page exposes a one-click "Apply resolution" button.
4.2 Language Coverage and Triggers
The auto-fix is most reliable for languages directly supported by GitLab Advanced SAST: C, C++, C#, Go, Java, JavaScript, Python, Ruby, and TypeScript. Other languages fall back to the Semgrep-based analyzer with reduced fix confidence. You can also manually trigger the agent for any SAST vulnerability from its detail page.
# .gitlab-ci.yml — Agentic SAST integration (Ultimate)
include:
- template: Jobs/SAST.gitlab-ci.yml
variables:
# Auto-fix after SAST (default true in 18.11)
SAST_DUO_AUTO_RESOLVE: "true"
# Extend to medium severity if desired
SAST_DUO_AUTO_RESOLVE_SEVERITY: "critical,high,medium"
# Branch the auto-fix MR targets
SAST_DUO_AUTO_RESOLVE_TARGET_REF: "$CI_DEFAULT_BRANCH"
# Extra SAST verification for auto-fix MRs
sast-verify:
stage: test
rules:
- if: $CI_MERGE_REQUEST_LABELS =~ /duo:auto-fix/
script:
- echo "Re-running SAST on auto-generated fix MR"
4.3 Troubleshooting — "The MR was created but the diff is empty"
Symptom: the vulnerability page shows "Resolution generated" but the MR diff is empty.
Cause: the agent's confidence assessment fell below threshold. 18.11 will not force a low-quality patch; it leaves an "Insufficient context" reason and a recommended next step (e.g., add the calling functions) in the MR description. Fix: confirm the Knowledge Graph index for the codebase is current, and re-trigger from the vulnerability detail page if needed.
5. Custom Flow YAML Schema — How to Codify Your Own Workflow
For platform engineering teams, the most attractive 18.11 capability is tool option overrides combined with MCP integration. Below is a simplified version of the "security review assistant" Custom Flow that the ManoIT security team uses to pull in Confluence security guidelines as additional context.
# .gitlab/duo/flows/security_review.yml
version: "1"
environment: ambient # custom flows allow only "ambient"
components:
- name: collect_context
type: AgentComponent
prompt_id: collect_context_prompt
inputs:
- from: "context:project_id"
as: "project_id"
- from: "context:goal"
as: "mr_iid"
# 18.11: tool overrides pin parameters regardless of LLM defaults
tool_overrides:
- tool: "gitlab.read_merge_request"
params:
include_diff: true
include_pipelines: true
max_files: 50
- tool: "mcp.confluence.search"
params:
space: "SECURITY"
max_results: 10
- name: review
type: AgentComponent
prompt_id: security_review_prompt
inputs:
- from: "components.collect_context.output"
as: "evidence"
prompts:
- id: collect_context_prompt
template: |
Read MR {{ mr_iid }} in project {{ project_id }}.
Pull related security guidelines from Confluence SECURITY space.
Output structured evidence.
- id: security_review_prompt
template: |
Given evidence: {{ evidence }}
Produce a security review with:
- Risk classification (low/medium/high/critical)
- Specific code locations of concern
- Suggested mitigations referencing internal policies
routers:
- from: collect_context
to: review
flow:
- collect_context
- review
Two things matter here. First, tool_overrides (new in 18.11) pins tool call parameters so the LLM cannot drift from the contract — guardrails travel with the flow. Second, MCP tools (e.g., mcp.confluence.search) are first-class citizens alongside built-in GitLab tools. MCP configuration lives in a separate file gated by Code Owners approval.
// .gitlab/duo/mcp.json — Code Owners approval required
{
"mcpServers": {
"confluence": {
"command": "npx",
"args": ["-y", "@atlassian/mcp-confluence"],
"env": {
"CONFLUENCE_BASE_URL": "https://acme.atlassian.net/wiki",
"CONFLUENCE_TOKEN": "$CONFLUENCE_API_TOKEN"
}
},
"slack": {
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-slack"],
"env": {
"SLACK_BOT_TOKEN": "$SLACK_DUO_BOT_TOKEN"
}
}
}
}
5.1 Custom Flow Trigger Mapping
A Custom Flow can react to three trigger types, and each delivers a different shape of context:goal. Knowing this prevents flows from behaving inconsistently across triggers.
| Trigger |
context:goal format |
Example |
|---|---|---|
| Mention event | Input: <comment_text>\nContext: {<resource_type> IID: <iid>} |
@ai-security Can you review? on issue #2 |
| Assign / Assign reviewer | A single integer (the resource IID) | Assigning the service account as reviewer on MR !10 → 10
|
| Pipeline event | The full pipeline event webhook payload | Auto-analysis of a failed pipeline |
6. GitLab Credits — Usage-Based Pricing and the 18.11 Guardrails
Duo Agent Platform's cost model standardizes on GitLab Credits: 1 credit = $1 on-demand list price, billed monthly in arrears. 18.10 introduced automated code reviews at a flat $0.25 per MR, regardless of size. 18.11 added the two enforcement guardrails operations teams had been asking for.
| Control | Scope | Behaviour on hit | Notes |
|---|---|---|---|
| Subscription-level cap | Whole subscription | Auto-suspends Duo Agent Platform until the next billing period; admin email notification | Hard guardrail against unexpected overage |
| Per-user cap | Individual user | Suspends only that user, others unaffected | Stops one user from absorbing the subscription pool |
| Credits dashboard history | Subscription | Browse past months daily, compare consumption, reconcile with invoices | FinOps standard input |
Both caps can run simultaneously, and whichever is hit first applies. Caps reset automatically each billing period. ManoIT's operational guidance:
- Set the per-user cap at ~1.5× the average developer's expected usage (e.g., 50 credits/month) to absorb the learning ramp without runaway.
- Set the subscription cap conservatively in the first quarter (e.g., 80% of forecast) and tighten or relax it after two cycles of dashboard data.
- Agentic SAST runs in the background, so budget separately for it depending on scan cadence (every push vs. nightly).
7. Model Policy — Sonnet 4.6 Default and Mistral for Self-Hosting
Two lines describe 18.11's model policy. Agentic Chat's default model moved from Claude Haiku 4.5 to Claude Sonnet 4.6 hosted on Vertex AI, and Mistral AI joined the supported self-hosted LLM list. Sonnet 4.6 reasons better but uses a higher GitLab Credit multiplier than Haiku. Existing explicit choices are preserved.
7.1 Model Selection Cheatsheet
| Workload | Recommended model | Reason |
|---|---|---|
| General Agentic Chat | Claude Sonnet 4.6 (default) | Best code reasoning and MR review quality; 18.11 default |
| High-volume background calls (Agentic SAST) | Claude Haiku 4.5 or self-hosted Mistral | Lower credit multiplier |
| Air-gapped finance/government | Mistral AI or Vertex AI Private | No external LLM hop; new in 18.11 |
| Long-context codebase analysis | Vertex AI Gemini 2.5 Pro or Sonnet 4.6 | Long context plus reasoning depth |
# config/gitlab.rb — adding Mistral to self-hosted models (new in 18.11)
gitlab_rails['duo_self_hosted_models'] = [
{
'name' => 'mistral-large-latest',
'provider' => 'mistral',
'endpoint' => 'https://api.mistral.ai/v1',
'api_key_env' => 'MISTRAL_API_KEY',
'use_for' => ['code_completion', 'agentic_chat']
},
{
'name' => 'claude-sonnet-4-6',
'provider' => 'vertex_ai',
'endpoint' => 'https://us-central1-aiplatform.googleapis.com/v1',
'project_id' => 'acme-prod-ai',
'use_for' => ['agentic_chat', 'agentic_sast']
}
]
8. 18.11 Migration Checklist — Forced PostgreSQL 17 and MR Pipeline Inputs
Last but not least, the migration checklist the ManoIT operations team wrote up while moving to 18.11. The most consequential change is the forced PostgreSQL 17 path: 19.0's minimum supported version becomes PostgreSQL 17. Instances not running PostgreSQL Cluster will be auto-upgraded to PostgreSQL 17 during the 18.11 upgrade. PostgreSQL Cluster users (and anyone who opts out of the auto-upgrade) must move to PostgreSQL 17 manually before 19.0.
8.1 MR Pipeline Inputs Customization
18.11 lets you override spec:inputs values per merge request pipeline run, so you can rerun the same pipeline against a different environment without code changes.
# .gitlab-ci.yml — 18.11 MR pipeline inputs
spec:
inputs:
target_env:
default: "staging"
options: ["staging", "uat", "prod"]
canary_traffic:
default: 10
type: number
---
deploy:
stage: deploy
script:
- helm upgrade web ./chart
--set env=$[[ inputs.target_env ]]
--set canaryTraffic=$[[ inputs.canary_traffic ]]
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
8.2 Operational Checklist
- Backup and rollback plan — full PostgreSQL backup and WAL archive verified before the auto-upgrade.
- Runner upgrade — move runners to 18.11 to pick up the concrete helper image and the runner-config-driven job router. Remove any scripts that forced job router via env vars.
-
Agentic SAST policy — decide whether to enable the GA auto-fix and define the MR label workflow (e.g.,
duo:auto-fix). - Credits caps — configure both subscription and per-user caps. Compare actual consumption on the Credits dashboard for the first 7 days.
- Model policy — assess Sonnet 4.6 default cost impact; route background calls (Agentic SAST etc.) to Haiku or Mistral.
-
Custom Flow audit — change
environmentfromchat/chat-partialtoambient. Remove fields rejected by 18.11:modelin prompts,response_schema_id,stop, top-levelname,description,product_group. -
MCP governance —
.gitlab/duo/mcp.jsonrequires Code Owners approval. Inject tokens via GitLab CI/CD variables or Vault.
9. Conclusion — "AI-Native DevSecOps" Is Now the GitLab Default Surface
By May 2026, GitLab 18.11 makes two things explicit. First, Duo Agent Platform is no longer an option — it is the default surface. The moment CI Expert reaches every tier, "AI writes your pipeline" stops being marketing and becomes the new-project baseline experience. Second, operations finally has hard guardrails. Subscription and per-user caps are not advisory — they cut access the instant the threshold is hit.
ManoIT's roadmap for the next quarter splits into three workstreams. First, enable Agentic SAST GA to compress patch lead time for SOC 2 / ISO reporting into single-digit days. Second, standardize a code-review and release-notes automation pipeline using Custom Flows + MCP to bind Confluence, Jira, and Slack as live context. Third, layer OpenTelemetry-derived metrics on top of the GitLab Credits FinOps dashboard so cost, quality, and lead time live on the same screen. 18.11 is the first GitLab release that makes all three of those workstreams feasible in production.
Originally published at ManoIT Tech Blog.
Top comments (0)