Published on: April 16, 2026


GitLab 18.11: Automate remediation with ready-to-merge AI code fixes

With GitLab 18.11, Agentic SAST Vulnerability Resolution becomes generally available, alleviating security bottlenecks.

AI is writing code faster than any security team can review it. What used to be a manageable backlog of static application security testing (SAST) vulnerabilities is now an overwhelming list that has become difficult to parse. Expecting developers to manually research and fix each one isn't a process, it's a bottleneck. The answer isn't more human effort. It's an autonomous pipeline. Agentic SAST Vulnerability Resolution within GitLab Duo Agent Platform is built for that exact problem.

Now generally available, Agentic SAST Vulnerability Resolution automatically generates ready-to-merge code fixes to remediate SAST vulnerabilities. With this capability:

  • Developers stay in flow
  • Vulnerabilities get resolved before they reach production
  • AppSec teams spend less time on triage and chasing down developers to close the loop

Agentic SAST Vulnerability Resolution is the future of application security. GitLab 18.11 also delivers faster SAST scanning, smarter prioritization, and tighter governance across the platform.

Auto-remediation without breaking your flow

When AI is generating code at scale, the math changes. A security backlog that once grew linearly now compounds with every model-assisted commit. There is no version of this problem that gets solved by asking developers to context-switch more and continue manually remediating vulnerabilities. According to GitLab's 2025 DevSecOps Report, developers already spend 11 hours per month remediating vulnerabilities post-release — that is, fixing issues that are already exploitable in production instead of shipping new work.

Agentic SAST Vulnerability Resolution changes the economics of that cycle. When a SAST scan completes, findings automatically kick off the SAST false positive detection flow. Confirmed true positives go directly into the Agentic SAST Vulnerability Resolution Flow, where GitLab Duo Agent Platform:

  • Analyzes the vulnerability in context
  • Generates a fix that addresses the root cause
  • Validates the fix through automated testing

The developer receives a ready-to-merge MR with a confidence score so they can make an informed decision on how to remediate the vulnerability. The sprint stays on track, developers stay in flow, and vulnerabilities get resolved before they ever reach production.

Accelerating software production also means not waiting on your scanner. GitLab 18.11 introduces incremental scanning for Advanced SAST, so developers get vulnerability results without waiting for a full scan to complete, and pipelines keep moving.

Remediate by business risk, not just by score

Autonomous remediation only works if the signal driving it is trustworthy. When severity scores don't reflect real exploitability, developers stop trusting the signal and start ignoring it.

GitLab 18.11 addresses this issue on four levels. First, vulnerability scores are now grounded in Common Vulnerability Scoring System (CVSS) 4.0, the most current industry standard, whose more granular metrics better capture real-world exploitability; the score developers see in GitLab therefore reflects the current standard for measuring real-world risk.

From there, AppSec teams can define policy-based rules that automatically adjust vulnerability severity scores based on signals like Common Vulnerabilities and Exposures (CVE), Common Weakness Enumeration (CWE), and file path/directory. Once a policy is set, the severity overrides apply immediately so developers work from a backlog that reflects actual business risk, not raw scanner output.

Risk-based enforcement doesn't stop at the backlog. AppSec teams can now configure approval policies to block or warn based on Known Exploited Vulnerabilities (KEV) status or Exploit Prediction Scoring System (EPSS) score thresholds. When a merge gets blocked, developers know it's because the vulnerability has real-world exploitability data behind it, not a score that didn't account for their environment.

Lastly, the new Top CWEs security dashboard chart gives teams visibility into which vulnerability classes are appearing most frequently across their projects. Instead of chasing individual findings, teams can identify patterns, prioritize at the root-cause level, and address systemic risk before it compounds.
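To make the prioritization logic described in this section concrete, here is an added, self-contained Python model of the three ideas above: policy rules that override scanner severity by CVE, CWE or path, an approval gate that blocks on KEV membership or a high EPSS score and warns on a lower one, and a top-CWEs tally across findings. This is illustration code written for this article, not GitLab's policy engine and not its policy YAML schema; the rule fields, thresholds, sample findings and the `CVE-0000-...` placeholder identifiers are all constructed here.

```python
"""Risk-based triage model: severity overrides, KEV/EPSS gates, top CWEs.

Added illustration only. Not GitLab's policy engine or policy schema; every
rule field, threshold and sample finding below is constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass
class Finding:
    """One scanner finding as a dashboard might list it (constructed shape)."""
    id: str
    cwe: str                   # weakness class, e.g. "CWE-89" (SQL injection)
    path: str                  # file the finding was reported in
    severity: str              # severity derived from the CVSS 4.0 base score
    cve: Optional[str] = None  # known-vulnerability id, if the finding maps to one
    epss: float = 0.0          # EPSS: probability of exploitation in the wild (0..1)
    kev: bool = False          # listed in CISA's Known Exploited Vulnerabilities catalog


@dataclass
class OverrideRule:
    """Policy rule: when every condition that is set matches, replace the severity."""
    new_severity: str
    cve: Optional[str] = None
    cwe: Optional[str] = None
    path_prefix: Optional[str] = None

    def matches(self, f: Finding) -> bool:
        if self.cve is not None and f.cve != self.cve:
            return False
        if self.cwe is not None and f.cwe != self.cwe:
            return False
        if self.path_prefix is not None and not f.path.startswith(self.path_prefix):
            return False
        return True


def apply_overrides(findings: List[Finding], rules: List[OverrideRule]) -> List[Finding]:
    """Return adjusted copies; the first matching rule in policy order wins."""
    adjusted = []
    for f in findings:
        new_sev = next((r.new_severity for r in rules if r.matches(f)), f.severity)
        adjusted.append(replace(f, severity=new_sev))
    return adjusted


def approval_decision(findings: List[Finding],
                      epss_block: float = 0.5,
                      epss_warn: float = 0.1) -> Tuple[str, List[str]]:
    """Gate a merge on exploitability evidence: KEV or EPSS >= epss_block blocks,
    EPSS >= epss_warn warns, anything else is approved. Returns (decision, reasons)."""
    decision, reasons = "approve", []
    for f in findings:
        if f.kev:
            reasons.append(f"{f.id}: listed in KEV -> block")
            decision = "block"
        elif f.epss >= epss_block:
            reasons.append(f"{f.id}: EPSS {f.epss:.2f} >= {epss_block} -> block")
            decision = "block"
        elif f.epss >= epss_warn:
            reasons.append(f"{f.id}: EPSS {f.epss:.2f} >= {epss_warn} -> warn")
            if decision != "block":
                decision = "warn"
    return decision, reasons


def top_cwes(findings: List[Finding], n: int = 3) -> List[Tuple[str, int]]:
    """Most frequent weakness classes, the view a Top CWEs chart aggregates."""
    return Counter(f.cwe for f in findings).most_common(n)


# Constructed sample backlog; CVE ids are placeholders, not real identifiers.
SAMPLE_FINDINGS = [
    Finding("f1", "CWE-89", "src/api/orders.py", "high", epss=0.02),
    Finding("f2", "CWE-79", "test/fixtures/page.html", "medium", epss=0.01),
    Finding("f3", "CWE-798", "src/config/db.py", "medium", cve="CVE-0000-00001", epss=0.07),
    Finding("f4", "CWE-89", "src/api/reports.py", "high", cve="CVE-0000-00002",
            epss=0.91, kev=True),
    Finding("f5", "CWE-79", "src/web/render.py", "medium", epss=0.15),
]

# Constructed policy: test fixtures never ship; hardcoded secrets in config are
# critical; one specific CVE is escalated regardless of scanner score.
SAMPLE_RULES = [
    OverrideRule("low", path_prefix="test/"),
    OverrideRule("critical", cwe="CWE-798", path_prefix="src/config/"),
    OverrideRule("critical", cve="CVE-0000-00002"),
]

if __name__ == "__main__":
    adjusted = apply_overrides(SAMPLE_FINDINGS, SAMPLE_RULES)
    for f in adjusted:
        print(f"{f.id} {f.cwe:8} {f.path:26} severity={f.severity}")
    decision, reasons = approval_decision(adjusted)
    print("merge decision:", decision)
    for r in reasons:
        print("  ", r)
    print("top CWEs:", top_cwes(adjusted))
```

Rule order matters in this model: the first match wins, so a broad "downgrade anything under test/" rule placed first will shadow a narrower escalation for the same path. The gate deliberately ignores the adjusted severity and looks only at KEV and EPSS, which is the point of the section: a merge is blocked because there is exploitation evidence, not because of a number the scanner assigned.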

Stronger security controls with less operational overhead

An autonomous remediation pipeline is only as good as the security scanner coverage underneath it. If the scanner enablement is inconsistent, the findings flowing into the pipeline are incomplete and so are the fixes.

GitLab 18.11 introduces Security Manager, a new default role built specifically for security professionals. With the Security Manager role, security teams can enforce security scanners, define and configure security policies, manage vulnerability triage and remediation workflows, and maintain compliance frameworks and audit streams, without needing code modification or deployment permissions. Security teams get the access necessary for their jobs, and no more, keeping permissions scoped to the work at hand and keeping code and deployment permissions with developers.

For AppSec teams, getting consistent SAST scanner coverage across multiple projects and groups just got significantly easier. SAST configuration profiles give security teams a single place to define scanning once and apply it across every project in a group in one action. Teams no longer have to write and maintain YAML policy files, depend on developers to configure scanners, or manually check each project to find coverage gaps.

Get started with agentic vulnerability remediation today

GitLab 18.11 delivers the full vulnerability workflow in one platform: AI that automatically remediates vulnerabilities, smarter prioritization that cuts through vulnerability noise, and governance controls that give security teams the right access and coverage at scale.

To see how GitLab Duo Agent Platform puts automated remediation directly in your developer workflow, start a free trial of GitLab Ultimate today.

We want to hear from you

Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum.
