GitLab 18.10 introduces new AI-powered security capabilities focused on improving the quality and speed of vulnerability management. Together, these features can help reduce the time developers spend investigating false positives and bring automated remediation directly into their workflow, so they can fix vulnerabilities without needing to be security experts.
Here is what’s new:
- Static Application Security Testing (SAST) false positive detection is now generally available. This flow uses an LLM for agentic reasoning to estimate how likely each finding is to be a false positive, so security and development teams can focus on remediating critical vulnerabilities first.
- Agentic SAST vulnerability resolution is now in beta. Agentic SAST vulnerability resolution automatically creates a merge request with a proposed fix for verified SAST vulnerabilities, which can shorten time to remediation and reduce the need for deep security expertise.
- Secret false positive detection is now in beta. This flow brings the same AI-powered noise reduction to secret detection, flagging dummy and test secrets to save review effort.
These flows are available to GitLab Ultimate customers using GitLab Duo Agent Platform.
Cut triage time with SAST false positive detection
Traditional SAST scanners flag every suspicious code pattern they find, regardless of whether code paths are reachable or frameworks already handle the risk. Without runtime context, they cannot distinguish a real vulnerability from safe code that just looks dangerous.
This means developers could spend hours investigating findings that turn out to be false positives. Over time, that can erode confidence in the report and slow down the teams responsible for fixing real risks.
After each SAST scan, GitLab Duo Agent Platform automatically analyzes new critical- and high-severity findings and attaches:
- A confidence score indicating how likely the finding is to be a false positive
- An AI-generated explanation describing the reasoning
- A visual badge that makes “Likely false positive” versus “Likely real” easy to scan in the UI
These findings appear in the Vulnerability Report, as shown below. You can filter the report to focus on findings marked as “Not false positive” so teams can spend their time addressing real vulnerabilities instead of sifting through noise.

GitLab Duo Agent Platform's assessment is a recommendation. You stay in control of every false positive to determine if it is valid, and you can audit the agent's reasoning at any time to build confidence in the model.
Turn vulnerabilities into automated fixes
Knowing that a vulnerability is real is only half the work. Remediation still requires understanding the code path, writing a safe patch, and making sure nothing else breaks.
If the SAST false positive detection flow identifies the vulnerability as likely not a false positive, the Agentic SAST vulnerability resolution flow automatically:
- Reads the vulnerable code and surrounding context from your repository
- Generates high-quality proposed fixes
- Validates fixes through automated testing
- Opens a merge request with a proposed fix that includes:
  - Concrete code changes
  - A confidence score
  - An explanation of what changed and why
In this demo, you’ll see how GitLab can automatically take a SAST vulnerability all the way from detection to a ready-to-review merge request. Watch how the agent reads the code, generates and validates a fix, and opens an MR with clear, explainable changes so developers can remediate faster without being security experts.
As with any AI-generated suggestion, you should review the proposed merge request carefully before merging.
Surface real secrets
Secret detection is only useful if teams trust the results. When reports are full of test credentials, placeholder values, and example tokens, developers may waste time reviewing noise instead of fixing real exposures. That can slow remediation and decrease confidence in the scan.
Secret false positive detection helps teams focus on the secrets that matter so they can reduce risk faster. When it runs on the default branch, it will automatically:
- Analyze each finding to spot likely test credentials, example values, and dummy secrets
- Assign a confidence score for whether the finding is a real risk or a likely false positive
- Generate an explanation for why the secret is being treated as real or noise
- Add a badge in the Vulnerability Report so developers can see the status at a glance
Developers can also trigger this analysis manually from the Vulnerability Report by selecting “Check for false positive” on any secret detection finding, helping them clear out findings that do not pose risk and focus on real secrets sooner.
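To make the triage step described above concrete, here is an added example of a secret-detection false positive assessment written as plain rules. It is not GitLab's code: GitLab's flow uses an LLM, whereas this stand-in scores a finding from three signals a reviewer would also weigh by hand (a test or fixture path, placeholder tokens in the value, and low entropy) and produces the same kind of output the page describes: a confidence score, a verdict badge, and a short explanation. The `SecretFinding` and `Assessment` types, the rule weights, the 0.5 threshold, and the sample findings are all constructed for this example.

```python
"""Rule-based stand-in for a secret false-positive triage step.

Assumed example code, not GitLab's implementation: the weights, threshold,
and sample findings below are constructed for illustration.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass, field

# Path components that usually hold fixtures, tests, or examples rather than live config.
TEST_PATH = re.compile(r"(^|/)(tests?|spec|fixtures?|examples?|samples?|mocks?)(/|$)", re.I)
# Literal tokens that signal a placeholder rather than an issued credential.
PLACEHOLDER = re.compile(
    r"example|dummy|sample|placeholder|changeme|redacted|your[_-]?\w*key|x{4,}|0{8,}", re.I
)
DOC_EXTENSIONS = (".md", ".rst", ".txt", ".adoc")
LOW_ENTROPY_BITS = 3.0          # bits per character; issued keys are usually well above this
FALSE_POSITIVE_THRESHOLD = 0.5  # assumed cut-off for the "Likely false positive" badge


@dataclass
class SecretFinding:
    path: str      # repository path the scanner reported
    value: str     # the matched secret value
    context: str   # the source line the scanner matched


@dataclass
class Assessment:
    score: float        # estimated probability (0..1) that the finding is a false positive
    verdict: str        # badge text: "Likely false positive" or "Likely real"
    explanation: str    # human-readable reasoning, auditable by the reviewer
    reasons: list = field(default_factory=list)


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; placeholders and words score low, random keys high."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def triage(finding: SecretFinding) -> Assessment:
    """Score one secret-detection finding and build the badge plus explanation."""
    score = 0.0
    reasons = []
    if TEST_PATH.search(finding.path):
        score += 0.35
        reasons.append("located under a test, fixture, or example path")
    if finding.path.lower().endswith(DOC_EXTENSIONS):
        score += 0.2
        reasons.append("found in documentation rather than code or configuration")
    if PLACEHOLDER.search(finding.value):
        score += 0.4
        reasons.append("value contains a placeholder token")
    if shannon_entropy(finding.value) < LOW_ENTROPY_BITS:
        score += 0.3
        reasons.append("value has low entropy for an issued credential")
    score = min(1.0, round(score, 2))
    if score >= FALSE_POSITIVE_THRESHOLD:
        verdict = "Likely false positive"
        explanation = f"{verdict} ({score:.2f}): " + "; ".join(reasons)
    else:
        verdict = "Likely real"
        explanation = (f"{verdict} ({score:.2f}): " + ("; ".join(reasons) if reasons
                       else "no test-path, placeholder, or low-entropy indicators"))
    return Assessment(score, verdict, explanation, reasons)


# Constructed sample findings; the values are not real credentials.
SAMPLE_FINDINGS = [
    SecretFinding("spec/fixtures/aws_credentials.yml", "AKIAEXAMPLE000000000",
                  'access_key_id: "AKIAEXAMPLE000000000"'),
    SecretFinding("config/production.py", "k3Jd9xQm2Pz7Wq8vL4nR1tY6bH0sA5cF",
                  'API_KEY = "k3Jd9xQm2Pz7Wq8vL4nR1tY6bH0sA5cF"'),
    SecretFinding("README.md", "changeme", "password: changeme"),
]


def triage_all(findings):
    """Assess a batch of findings, as a post-scan step on the default branch would."""
    return [triage(f) for f in findings]


if __name__ == "__main__":
    for finding, result in zip(SAMPLE_FINDINGS, triage_all(SAMPLE_FINDINGS)):
        print(f"{finding.path}: {result.explanation}")
```

A reviewer filtering on the "Likely real" badge would see only the `config/production.py` finding here, while the fixture key and the documentation placeholder carry an explanation of why they were set aside. The weights are deliberately additive and visible so that the reasoning can be audited, which is the same property the page asks for from the agent's explanation.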
Try AI-powered security today
GitLab 18.10 introduces capabilities that cover the full vulnerability workflow, from cutting false positive noise in SAST and secret detection to automatically generating merge requests with proposed fixes.
To see how AI-powered security can help cut review time and turn findings into ready-to-merge fixes, start a free trial of GitLab Duo Agent Platform today.