Published on: June 18, 2026
As AI writes more code, security must keep pace. GitLab gives you one platform for scanner coverage, detection, and remediation, with AI governance over agents.
Most enterprises use a handful of different security scanners, each configured and enforced project by project. With no single view of what scanners run where, policies drift, blind spots go undetected, and important projects can silently go unprotected. With GitLab 19.1, you can now integrate the security scanners you already use, giving a single view of your scanner coverage. GitLab enforces third-party scanners at scale across all of your projects, and the vulnerabilities they detect get remediated automatically. On the governance side, we're launching the beta of AI audit event streaming, so you can see whether your agents are acting safely.
For most security teams, the hardest part of application security is scanner coverage. Scanners are set up project by project, so whether one runs depends on whether an individual team configured it. New projects can go unnoticed and can ship for weeks before teams realize they are not scanned. When coverage depends on tribal knowledge rather than policy, code ships unscanned, vulnerabilities ship to production, and audits expose gaps.
You can now enforce third-party scanners at scale across all of your GitLab projects. Any scanner that outputs SARIF runs under your policies, and the vulnerabilities identified flow into GitLab natively. Every finding lands in one vulnerability view governed by the same rules, so coverage becomes something you can prove rather than hope for.
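What "any scanner that outputs SARIF" means in practice, as an added example rather than GitLab's own code: the script below flattens SARIF 2.1.0 documents from two hypothetical scanners into one finding list, and turns the runs each project reported into a coverage check that flags projects a required scanner never touched. GitLab's internal report format and policy engine are not shown; the scanner names, projects and results are constructed, and the level-to-severity mapping is an assumption.

```python
"""Normalize SARIF output from several scanners into one finding list and
check which projects lack a required scanner.

Added example, not GitLab's own code: GitLab's report format and policy engine
are not shown. It relies only on the SARIF 2.1.0 layout that any SARIF
producer emits (runs[].tool.driver.name and runs[].results[]). Scanner names,
projects and results below are constructed.
"""
import json
from dataclasses import dataclass, asdict

# SARIF result "level" mapped to one common severity scale (assumed mapping).
LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low", "none": "info"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}


@dataclass(frozen=True)
class Finding:
    project: str
    tool: str
    rule_id: str
    severity: str
    file: str
    line: int
    message: str


def parse_sarif(project: str, sarif_text: str) -> list[Finding]:
    """Flatten every result in every run of one SARIF document."""
    doc = json.loads(sarif_text)
    if doc.get("version") != "2.1.0":
        raise ValueError(f"unsupported SARIF version: {doc.get('version')!r}")
    findings = []
    for run in doc.get("runs", []):
        tool = run["tool"]["driver"]["name"]
        for res in run.get("results", []):
            # A result may list several locations; the first is the primary one.
            phys = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            path = phys.get("artifactLocation", {}).get("uri", "<unknown>")
            line = phys.get("region", {}).get("startLine", 0)
            # Without a rule-level default, SARIF treats a missing level as "warning".
            level = res.get("level", "warning")
            findings.append(Finding(project, tool, res.get("ruleId", "<no-rule>"),
                                    LEVEL_TO_SEVERITY.get(level, "medium"),
                                    path, line, res["message"]["text"]))
    return findings


def tools_in(sarif_text: str) -> set[str]:
    """Scanners that produced a run in this document (the coverage evidence)."""
    doc = json.loads(sarif_text)
    return {run["tool"]["driver"]["name"] for run in doc.get("runs", [])}


def coverage_gaps(required: set[str], reports: dict[str, list[str]]) -> dict[str, set[str]]:
    """Per project, the required scanners that produced no run. A project with
    no reports at all is missing every scanner: the unconfigured-new-project case."""
    gaps = {}
    for project, docs in reports.items():
        seen = set().union(*(tools_in(d) for d in docs))
        missing = required - seen
        if missing:
            gaps[project] = missing
    return gaps


# Constructed sample SARIF documents (not real scanner output).
SAST_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "ExampleSAST",
                                   "rules": [{"id": "py/sql-injection"}]}},
              "results": [{"ruleId": "py/sql-injection", "level": "error",
                           "message": {"text": "User input reaches a SQL query"},
                           "locations": [{"physicalLocation": {
                               "artifactLocation": {"uri": "app/db.py"},
                               "region": {"startLine": 42}}}]}]}]})
IAC_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "ExampleIaC"}},
              "results": [{"ruleId": "s3-public-bucket",   # no "level": defaults to warning
                           "message": {"text": "Bucket ACL allows public read"},
                           "locations": [{"physicalLocation": {
                               "artifactLocation": {"uri": "infra/storage.tf"},
                               "region": {"startLine": 7}}}]}]}]})

# "new-service" was created but nobody wired a scanner into it.
REPORTS = {"payments-api": [SAST_SARIF, IAC_SARIF], "new-service": []}
REQUIRED = {"ExampleSAST", "ExampleIaC"}


def single_view() -> list[Finding]:
    """Every finding from every scanner and project, highest severity first."""
    found = [f for p, docs in REPORTS.items() for d in docs for f in parse_sarif(p, d)]
    return sorted(found, key=lambda f: (SEVERITY_ORDER[f.severity], f.project, f.file, f.line))


if __name__ == "__main__":
    for f in single_view():
        print(json.dumps(asdict(f)))
    print("coverage gaps:", coverage_gaps(REQUIRED, REPORTS))
```

The coverage check is the part worth keeping: it treats the absence of a run as a finding in its own right, which is how a missing scanner on a new project stops being invisible.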
From there, third-party scanner findings run through the same GitLab Duo Agent Platform auto-remediation workflow as GitLab native scanner findings. SAST False Positive Detection triages findings to prioritize those with real risk, and Agentic SAST Vulnerability Resolution opens a ready-to-merge fix to automatically remediate findings before they go into production. Your team gets coverage it can prove with one governed view across every scanner, and automated remediation for third-party findings.
Secret detection runs in your pipelines to catch leaked credentials, but teams have historically struggled with two things: missed secrets and noisy findings. On a new branch, only the latest commit gets scanned, so a secret committed earlier might ship unnoticed. The findings detected come mixed with test credentials, placeholder values, and example tokens, so developers spend time clearing noise instead of addressing real exposures.
Secret detection now scans every commit on a new branch instead of only the latest one, and Secret False Positive Detection, now generally available, adds a confidence score and an explanation to each finding, shown in the vulnerability report. Your team catches secrets wherever they were introduced, and spends time reducing risk from real exposures rather than false positives.
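The difference between scanning only the branch head and scanning every commit, together with a confidence score and explanation per finding, as an added example that is not GitLab's secret detection code. The commit history is held in memory rather than read from git, and the patterns, the confidence heuristics and the sample values (including a made-up key that is not a live credential) are constructed for illustration.

```python
"""Scan every commit on a branch for secrets, not just the branch head, and
attach a confidence score with an explanation to each finding.

Added example, not GitLab's secret detection code: the patterns, the
confidence heuristics and the in-memory commit history are constructed. A
real scanner would read the commits from git.
"""
import re
from dataclasses import dataclass

# Detector patterns (constructed; real rule sets are far larger).
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic-assigned-secret": re.compile(
        r"(?i)\b(?:token|secret|password)\s*=\s*['\"]([^'\"]{16,})['\"]"),
}

# Constructed branch: each entry is (commit id, full tree after that commit).
BASE_TREE = {"config.py": "DEBUG = False\n"}
COMMITS = [
    # c1 commits a real-looking key (the value is made up, not a live credential)
    ("c1", {"config.py": "DEBUG = False\nAWS_KEY = 'AKIAQ2X7M9PLK4V8Z3BD'\n"}),
    # c2 moves the key to the environment, so the head tree no longer contains
    # it, and adds AWS's documented placeholder key to the docs
    ("c2", {"config.py": "DEBUG = False\nAWS_KEY = os.environ['AWS_KEY']\n",
            "docs/setup.md": "Set AWS_KEY, e.g. AKIAIOSFODNN7EXAMPLE\n"}),
    # c3 adds a fixture token in a test file
    ("c3", {"config.py": "DEBUG = False\nAWS_KEY = os.environ['AWS_KEY']\n",
            "docs/setup.md": "Set AWS_KEY, e.g. AKIAIOSFODNN7EXAMPLE\n",
            "tests/test_auth.py": "TOKEN = 'test-token-000000000000'\n"}),
]


@dataclass
class Finding:
    commit: str
    path: str
    rule: str
    value: str
    confidence: float
    explanation: str


def added_lines(before: dict, after: dict) -> list[tuple[str, str]]:
    """Lines present in `after` but not in `before`, per file. A line-set
    difference is enough here; real tooling would walk a proper diff."""
    out = []
    for path, text in after.items():
        old = set(before.get(path, "").splitlines())
        out += [(path, line) for line in text.splitlines() if line not in old]
    return out


def score(value: str, path: str) -> tuple[float, str]:
    """Confidence that a match is a live credential, with the reason shown
    next to the finding. Heuristics are constructed for the example."""
    if "EXAMPLE" in value.upper():
        return 0.1, "value contains EXAMPLE, a documented placeholder"
    if path.startswith("tests/") or value.lower().startswith("test"):
        return 0.2, "test fixture (test path or test- prefix)"
    if re.search(r"(.)\1{5,}", value):
        return 0.2, "long run of one repeated character, likely a dummy value"
    return 0.9, "format matches a credential and no placeholder markers found"


def scan_commit(commit: str, before: dict, after: dict) -> list[Finding]:
    """Run every pattern over the lines this commit introduced."""
    findings = []
    for path, line in added_lines(before, after):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                conf, why = score(value, path)
                findings.append(Finding(commit, path, rule, value, conf, why))
    return findings


def scan_latest_only() -> list[Finding]:
    """Old behaviour: diff only the branch head against its parent."""
    head_id, head_tree = COMMITS[-1]
    parent_tree = COMMITS[-2][1] if len(COMMITS) > 1 else BASE_TREE
    return scan_commit(head_id, parent_tree, head_tree)


def scan_every_commit() -> list[Finding]:
    """New behaviour: walk each commit on the branch against its parent, so a
    secret added and later removed is still caught (it stays in history)."""
    findings, parent = [], BASE_TREE
    for commit_id, tree in COMMITS:
        findings += scan_commit(commit_id, parent, tree)
        parent = tree
    return findings


if __name__ == "__main__":
    print("latest commit only:")
    for f in scan_latest_only():
        print(f"  {f.commit} {f.path} {f.rule} conf={f.confidence} ({f.explanation})")
    print("every commit on the branch:")
    for f in scan_every_commit():
        print(f"  {f.commit} {f.path} {f.rule} conf={f.confidence} ({f.explanation})")
```

Head-only scanning sees just the low-confidence test fixture from c3; walking the branch also surfaces the key committed in c1, which the later commit removed from the working tree but not from history, and ranks it above the placeholder and fixture values.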
Companies have adopted AI agents for coding. Agents open merge requests, call tools, and commit code alongside the developers they work for. However, once an agent is approved for a project, it can write, delete, and push without anyone reviewing the action first. Your company remains accountable for changes in the codebase, regardless of whether an agent makes them or a developer. Enterprises need to determine what an agent is allowed to do before it acts, and to show exactly what it did after.
GitLab 19.1 closes that governance gap. With AI audit event streaming, now in beta, every action an agent takes is recorded as an audit event and streamed to your audit log destinations, with the rest of your audit trail. The release also gives you control over what agents can do on your platform. Agent tool approval guardrails, also in beta, let an administrator set each agent tool to run on its own, pause for human approval, or stay blocked, so a sensitive action like writing a file or deleting a resource waits for a team reviewer before it runs. Every approval decision is recorded as an audit event for teams to retroactively review.
The result is governed autonomy. Agents can run end to end, inside the guardrails you set, and a risky action does not reach the codebase unless a person signs off on it. When an auditor or an incident responder later asks what an agent did, the answer is already in the team's audit trail.
GitLab 19.1 puts governance around the agents in your codebase, with full security scanner coverage across every project and automatic remediation of third-party scanner findings. You set what each agent is allowed to do before it acts, and every action lands in your audit trail.
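The three tool modes and the per-decision audit events described above, as an added example that is not GitLab's implementation: a fail-closed gate that runs auto-approved tools, pauses approval-mode tools for a reviewer, refuses blocked tools, and records a request, approval and execution event for each call. The policy layout, tool names, event fields and the stand-in approver are all assumptions made for the example.

```python
"""Fail-closed approval gate for agent tool calls, with an audit event for every
request, approval decision and execution.

Added example, not GitLab's implementation: the policy layout, tool names,
event fields and the stand-in approver are constructed for illustration.
"""
from enum import Enum
from typing import Callable


class Mode(Enum):
    AUTO = "auto"          # runs without review
    APPROVAL = "approval"  # pauses until a human approves
    BLOCKED = "blocked"    # never runs


# Constructed per-tool policy. Tools absent from it fall back to BLOCKED.
POLICY = {
    "read_file": Mode.AUTO,
    "search_code": Mode.AUTO,
    "write_file": Mode.APPROVAL,
    "delete_resource": Mode.APPROVAL,
    "run_shell": Mode.BLOCKED,
}


class AuditSink:
    """Collects audit events in order; a real sink would stream them to the
    same destinations as the rest of the audit trail."""
    def __init__(self):
        self.events = []

    def emit(self, event_type: str, **fields) -> dict:
        event = {"seq": len(self.events) + 1, "type": event_type, **fields}
        self.events.append(event)
        return event


class ToolGate:
    def __init__(self, policy: dict, sink: AuditSink,
                 approver: Callable[[str, str, dict], tuple[bool, str]],
                 runner: Callable[[str, dict], str]):
        self.policy, self.sink, self.approver, self.runner = policy, sink, approver, runner

    def invoke(self, agent: str, tool: str, args: dict) -> dict:
        """Apply the tool's mode, record each decision, then run or refuse."""
        mode = self.policy.get(tool, Mode.BLOCKED)   # unknown tool: fail closed
        self.sink.emit("agent_tool_requested", agent=agent, tool=tool, args=args, mode=mode.value)
        if mode is Mode.BLOCKED:
            self.sink.emit("agent_tool_denied", agent=agent, tool=tool, reason="blocked by policy")
            return {"status": "blocked"}
        if mode is Mode.APPROVAL:
            approved, reviewer = self.approver(agent, tool, args)
            self.sink.emit("agent_tool_approval", agent=agent, tool=tool, reviewer=reviewer,
                           decision="approved" if approved else "rejected")
            if not approved:
                return {"status": "rejected", "reviewer": reviewer}
        result = self.runner(tool, args)
        self.sink.emit("agent_tool_executed", agent=agent, tool=tool, result=result)
        return {"status": "executed", "result": result}


def demo_approver(agent: str, tool: str, args: dict) -> tuple[bool, str]:
    """Stand-in for the human review step: this reviewer approves writes and
    rejects deletions. In practice a person decides this in the UI."""
    return (tool != "delete_resource"), "reviewer@example.com"


def demo_runner(tool: str, args: dict) -> str:
    """Stand-in for the real tool; only reports what would have run."""
    return f"{tool}({args})"


def build_demo_gate() -> tuple[ToolGate, AuditSink]:
    sink = AuditSink()
    return ToolGate(POLICY, sink, demo_approver, demo_runner), sink


if __name__ == "__main__":
    gate, sink = build_demo_gate()
    for tool, args in [("read_file", {"path": "README.md"}),
                       ("write_file", {"path": "src/app.py"}),
                       ("delete_resource", {"id": 7}),
                       ("run_shell", {"cmd": "ls"}),
                       ("unlisted_tool", {})]:
        print(tool, "->", gate.invoke("code-agent", tool, args)["status"])
    for event in sink.events:
        print(event)
```

Two design points carry the governance argument: a tool the policy never mentions is blocked rather than run, and the approval event is written whether the reviewer approves or rejects, so the later "what did the agent do" question is answered by the same stream as every other audit event.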
To see what your agents can do inside the guardrails you set, and prove what they did, start a free trial of GitLab Duo Agent Platform today.