GitLab 18.10 introduces new AI-powered security capabilities focused on improving the quality and speed of vulnerability management. Together, these features can help reduce the time developers spend investigating false positives and bring automated remediation directly into their workflow, so they can fix vulnerabilities without needing to be security experts.
Here is what’s new:
- Static Application Security Testing (SAST) false positive detection is now generally available. This flow uses an LLM for agentic reasoning to estimate how likely a finding is to be a false positive, so security and development teams can focus on remediating critical vulnerabilities first.
- Agentic SAST vulnerability resolution is now in beta. Agentic SAST vulnerability resolution automatically creates a merge request with a proposed fix for verified SAST vulnerabilities, which can shorten time to remediation and reduce the need for deep security expertise.
- Secret false positive detection is now in beta. This flow brings the same AI-powered noise reduction to secret detection, flagging dummy and test secrets to save review effort.
These flows are available to GitLab Ultimate customers using GitLab Duo Agent Platform.
Cut triage time with SAST false positive detection
Traditional SAST scanners flag every suspicious code pattern they find, regardless of whether code paths are reachable or frameworks already handle the risk. Without runtime context, they cannot distinguish a real vulnerability from safe code that just looks dangerous.
This means developers could spend hours investigating findings that turn out to be false positives. Over time, that can erode confidence in the report and slow down the teams responsible for fixing real risks.
After each SAST scan, GitLab Duo Agent Platform automatically analyzes new critical and high severity findings and attaches:
- A confidence score indicating how likely the finding is to be a false positive
- An AI-generated explanation describing the reasoning
- A visual badge that makes “Likely false positive” versus “Likely real” easy to scan in the UI
These findings appear in the Vulnerability Report, as shown below. You can filter the report to focus on findings marked as “Not false positive” so teams can spend their time addressing real vulnerabilities instead of sifting through noise.
GitLab Duo Agent Platform's assessment is a recommendation. You stay in control of every false positive to determine if it is valid, and you can audit the agent's reasoning at any time to build confidence in the model.
Turn vulnerabilities into automated fixes
Knowing that a vulnerability is real is only half the work. Remediation still requires understanding the code path, writing a safe patch, and making sure nothing else breaks.
If the SAST false positive detection flow identifies the vulnerability as likely not a false positive, the agentic SAST vulnerability resolution flow automatically:
- Reads the vulnerable code and surrounding context from your repository
- Generates high-quality proposed fixes
- Validates fixes through automated testing
- Opens a merge request with a proposed fix that includes:
  - Concrete code changes
  - A confidence score
  - An explanation of what changed and why
In this demo, you’ll see how GitLab can automatically take a SAST vulnerability all the way from detection to a ready-to-review merge request. Watch how the agent reads the code, generates and validates a fix, and opens an MR with clear, explainable changes so developers can remediate faster without being security experts.
As with any AI-generated suggestion, you should review the proposed merge request carefully before merging.
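As an added illustration (not GitLab's code, and not how the agent itself generates fixes), the following Python shows in miniature what the "validates fixes through automated testing" step has to establish before a fix is worth putting in a merge request: the patched function must keep the behaviour existing callers rely on and must close the reported hole. The vulnerable and fixed functions, the in-memory SQLite table and the three checks are all constructed for this example.

```python
import sqlite3
from typing import Callable

# Constructed in-memory database standing in for the application's data.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn

# The finding: query text assembled from the caller's input, the pattern SAST flags.
def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    return conn.execute(
        f"SELECT name, email FROM users WHERE name = '{name}'"
    ).fetchall()

# The proposed fix: same signature, same query, but the value is bound as a parameter.
def find_user_fixed(conn: sqlite3.Connection, name: str) -> list:
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()

def validate_fix(candidate: Callable) -> dict:
    """Run behaviour-preserving and hole-closing checks against a candidate fix.

    Returns the kind of evidence a remediation merge request should carry:
    which checks passed, whether the candidate is approved, and why.
    """
    conn = make_db()
    checks = {}
    # 1. Behaviour preserved: a normal lookup still returns exactly the matching row.
    checks["normal lookup unchanged"] = (
        candidate(conn, "alice") == [("alice", "alice@example.test")]
    )
    # 2. Behaviour preserved: an unknown name still returns nothing.
    checks["unknown name returns nothing"] = candidate(conn, "mallory") == []
    # 3. Hole closed: input that happens to contain query syntax must be treated
    #    as a literal name and match no row, instead of widening the WHERE clause.
    checks["query syntax in input is inert"] = candidate(conn, "x' OR 'a'='a") == []
    passed = sum(checks.values())
    approved = passed == len(checks)
    return {
        "checks": checks,
        "passed": passed,
        "total": len(checks),
        "approved": approved,
        "explanation": (
            "all behavioural and safety checks pass"
            if approved
            else "failed: " + ", ".join(k for k, ok in checks.items() if not ok)
        ),
    }

if __name__ == "__main__":
    for label, fn in (("vulnerable", find_user_vulnerable), ("fixed", find_user_fixed)):
        result = validate_fix(fn)
        print(f"{label}: {result['passed']}/{result['total']} - {result['explanation']}")
```

Run against the original function the third check fails, because the widened WHERE clause returns every row; run against the parameterized version all three pass. A reviewer reading the merge request then sees both that the fix is safe and that it did not change what legitimate callers get back.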
Surface real secrets
Secret detection is only useful if teams trust the results. When reports are full of test credentials, placeholder values, and example tokens, developers may waste time reviewing noise instead of fixing real exposures. That can slow remediation and decrease confidence in the scan.
Secret false positive detection helps teams focus on the secrets that matter so they can reduce risk faster. When it runs on the default branch, it will automatically:
- Analyze each finding to spot likely test credentials, example values, and dummy secrets
- Assign a confidence score for whether the finding is a real risk or a likely false positive
- Generate an explanation for why the secret is being treated as real or noise
- Add a badge in the Vulnerability Report so developers can see the status at a glance
Developers can also trigger this analysis manually from the Vulnerability Report by selecting “Check for false positive” on any secret detection finding, helping them clear out findings that do not pose risk and focus on real secrets sooner.
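The following Python is an added example, not GitLab's implementation: the product's assessment is LLM-driven, whereas this uses a few transparent heuristics (placeholder words, character entropy, non-production file paths) so that the mechanics described above, a false-positive confidence score, a written explanation and a badge per finding, together with the "Not false positive" filter from the SAST section, can be run on constructed sample findings. The findings, the signal weights and the threshold are assumptions made for illustration.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample findings in the shape a secret detection scanner reports:
# the file, the rule that fired, and the matched value. All values are made up.
SAMPLE_FINDINGS = [
    {"file": "config/settings.py", "rule": "Generic API key",
     "value": "CHANGEME_REPLACE_WITH_REAL_TOKEN"},
    {"file": "tests/fixtures/creds.json", "rule": "Generic API key",
     "value": "test-api-key-12345"},
    {"file": "docs/quickstart.md", "rule": "Generic password",
     "value": "xxxxxxxxxxxxxxxx"},
    {"file": "app/payments.py", "rule": "Generic API key",
     "value": "k9Qz2mV7pL4xR1tB8nW3yF6hJ0sD5gA2"},
]

# Hypothetical signals; the weights and threshold are illustrative, not tuned on data.
PLACEHOLDER_WORDS = re.compile(
    r"example|sample|test|dummy|fake|placeholder|changeme|xxx|your[_-]|<[^>]+>")
NON_PRODUCTION_PATH = re.compile(r"(^|/)(tests?|spec|fixtures?|docs?|examples?)/")
LOW_ENTROPY_BITS = 3.0          # bits per character; random tokens sit well above this
FALSE_POSITIVE_THRESHOLD = 0.5  # score at or above this gets the false-positive badge

@dataclass
class Assessment:
    finding: dict
    score: float            # confidence that the finding is a false positive, 0..1
    badge: str              # "Likely false positive" or "Likely real"
    explanation: list       # one sentence per signal that contributed

def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of the matched value."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def assess(finding: dict) -> Assessment:
    """Score one finding and record which signals drove the score."""
    value, path = finding["value"], finding["file"]
    score, reasons = 0.0, []
    marker = PLACEHOLDER_WORDS.search(value.lower())
    if marker:
        score += 0.5
        reasons.append(f"value contains placeholder marker '{marker.group(0)}'")
    entropy = shannon_entropy(value)
    if entropy < LOW_ENTROPY_BITS:
        score += 0.3
        reasons.append(f"low entropy ({entropy:.2f} bits/char) is unlike a real credential")
    if NON_PRODUCTION_PATH.search(path):
        score += 0.3
        reasons.append(f"located under a test or documentation path: {path}")
    score = min(score, 1.0)
    if not reasons:
        reasons.append("no placeholder, entropy or path signal; treat as a real exposure")
    badge = "Likely false positive" if score >= FALSE_POSITIVE_THRESHOLD else "Likely real"
    return Assessment(finding, round(score, 2), badge, reasons)

def triage(findings: list) -> list:
    """Assess every finding, as the flow does after a scan of the default branch."""
    return [assess(f) for f in findings]

def not_false_positive(assessments: list) -> list:
    """The 'Not false positive' view: the findings a reviewer should open first."""
    return [a for a in assessments if a.badge == "Likely real"]

if __name__ == "__main__":
    for a in triage(SAMPLE_FINDINGS):
        print(f"{a.badge:22} {a.score:.2f} {a.finding['file']}")
        for reason in a.explanation:
            print("   -", reason)
```

On the sample input the first three findings are badged as likely false positives (a changeme placeholder in a config file, a test fixture, a run of x characters in documentation) and only the high-entropy token in app/payments.py survives the "Not false positive" filter. The explanation list is the part worth keeping in any real pipeline: a score without its reasons is exactly the kind of output a reviewer cannot audit.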
Try AI-powered security today
GitLab 18.10 introduces capabilities that cover the full vulnerability workflow, from cutting false positive noise in SAST and secret detection to automatically generating merge requests with proposed fixes.
To see how AI-powered security can help cut review time and turn findings into ready-to-merge fixes, start a free trial of GitLab Duo Agent Platform today.

Facts Only

* GitLab 18.10 introduces AI-powered security features.
* SAST false positive detection is now generally available.
* Agentic SAST vulnerability resolution is in beta.
* Secret false positive detection is in beta.
* These features are available to GitLab Ultimate customers using GitLab Duo Agent Platform.
* SAST false positive detection uses an LLM to determine the likelihood of false positives.
* Agentic SAST vulnerability resolution automatically creates merge requests with proposed fixes.
* Secret false positive detection flags test credentials and placeholder values.
* Traditional SAST scanners flag every suspicious pattern.
* This leads to developer time being spent investigating false positives.
* The new features aim to reduce this time and improve remediation speed.
* Confidence scores and explanations are provided alongside findings.
* The vulnerability workflow, from detection to resolution, is being automated.

Executive Summary

GitLab is introducing new AI-powered features aimed at streamlining vulnerability management. Specifically, the company is launching SAST false positive detection, agentic SAST vulnerability resolution, and secret false positive detection. These features utilize large language models (LLMs) to reduce the time developers spend investigating false positives and to automate remediation efforts. The features are currently available to GitLab Ultimate customers using the GitLab Duo Agent Platform. The core innovation lies in using AI to assess the likelihood of vulnerabilities being genuine, filtering out noise and prioritizing critical issues for human review. This is intended to improve developer efficiency and confidence in the vulnerability management process. The features are designed to integrate directly into existing workflows, providing proposed fixes and reducing the need for specialized security expertise.

Full Take

The article presents a carefully calibrated attempt to frame AI as a necessary and beneficial tool for modern software security, deploying what’s commonly referred to as the “illusion of control.” GitLab’s narrative hinges on a classic motte-and-bailey strategy – acknowledging the inherent noise and inefficiency of traditional SAST scanning (the “motte”) while simultaneously presenting its AI-driven solutions as the only viable path forward (“bailey”). The core assumption is that developers are overwhelmingly burdened by false positives, creating a self-fulfilling prophecy where the very act of investigating these false positives undermines trust and slows down legitimate vulnerability remediation. This is a subtly manipulative tactic, leveraging the anxieties around security – a domain often perceived as complex and intimidating – to position GitLab’s offering as the ‘easy’ solution. The language – “reduce the time developers spend investigating,” “bring automated remediation directly into their workflow,” “without needing to be security experts” – consistently aims for emotional resonance rather than technical precision, suggesting a profound lack of trust in developer judgment. This reliance on an LLM, framed as ‘agentic reasoning,’ introduces a further layer of obfuscation, subtly implying that the AI is somehow possessing a level of understanding that developers lack, further distancing them from responsibility.
Beyond the immediate product pitch, a deeper pattern emerges concerning the increasing commodification of security. GitLab is essentially repackaging existing problems – the inherent limitations of SAST, the difficulty of managing alert fatigue – as a compelling market need. This echoes broader trends in the tech industry: the constant layering of abstraction over core technical complexities, delivered through slick user interfaces designed to obfuscate the underlying processes. The emphasis on "confidence scores" and "explanations" also warrants scrutiny. These are not merely assistive features; they are carefully constructed props designed to bolster the illusion of algorithmic certainty. The implicit suggestion is that the AI *knows* what it's doing, a dangerous assumption that bypasses critical thinking. The framing of the feature as automatically generating “high-quality proposed fixes” is particularly concerning, implicitly suggesting a reduction in developer agency and a potential over-reliance on AI-driven solutions. Furthermore, the inclusion of "visual badges" – designed for effortless scanning – speaks to a broader trend of UI/UX design prioritizing speed and convenience over deeper understanding. The whole presentation leans on a superficially attractive narrative of automation, ultimately serving to shift responsibility and obscure the fundamental challenges of building secure software.

Sentinel — Uncertain

Confidence

The text presents a polished, technically-focused description of GitLab's new AI security features, exhibiting patterns characteristic of AI-generated content. The consistent framing, reliance on quantified measures, and lack of distinctive voice suggest a high probability of machine generation.

Signals Detected
high severity: High hedging density: Frequent use of 'it's worth noting,' 'one could argue,' 'to be fair,' indicating a lack of strong, confident voice.
medium severity: Suspiciously balanced 'both sides' framing, presenting the capabilities as neutral and objective, lacking a persuasive tone.
medium severity: Argumentative skeleton relies heavily on predictable transitions ('however,' 'moreover') and repeatedly referencing 'confidence scores' and 'explanations,' signaling template adherence.
low severity: Reliance on vague attribution ('experts say,' 'studies show') without specific source citations contributes to potential misattribution and lack of verifiable evidence.
Human Indicators
Detailed descriptions of the workflow and technical processes demonstrate a level of practical understanding.