What’s new in Eficode ROOT: June 2025

 

This update focuses on delivering the latest bug fixes, including a resolution for the issue where custom field contexts weren’t displaying correctly and improvements to email notification reliability. By addressing these and other behind-the-scenes gremlins, we're aiming to keep things running seamlessly while you're planning that well-deserved time off. Update now and enjoy a more reliable Jira before the vacation mode kicks in!

Administration

Assign projects when creating compliance frameworks (Ultimate, Premium)

GitLab 17.11 introduces a new step in the compliance framework creation process, allowing users to assign multiple projects to the framework before it is created.

This enhancement:

• Streamlines the workflow by keeping users in the compliance framework creation process.
• Provides better guidance on how compliance frameworks and projects work together to ensure group-wide compliance monitoring and enforcement.

Learn more here.

Ghost user contributions auto-mapped during imports (Core, Premium, Ultimate)

Ghost user contributions during migrations previously led to placeholder references requiring manual reassignment. With the updated contribution and membership mapping for direct transfer, GitHub, Bitbucket Server, and Gitea importers, this is improved. Now, when migrating to GitLab, contributions from a ghost user on the source instance are automatically mapped to the ghost user on the destination instance. This eliminates unnecessary placeholder users, declutters the user mapping interface, and simplifies the migration process. Learn more here.

Enhanced sorting options for access tokens (Core, Premium, Ultimate)

New sorting features for access tokens are now available in the UI and API, enhancing GitLab's existing token management. These options provide improved control and security for your access token inventory.

The new sorting options include:

• Expiration Date (Ascending): Quickly identify tokens nearing expiration.
• Expiration Date (Descending): See tokens with the longest validity periods.
• Last Used Date (Ascending): Find infrequently used tokens.
• Last Used Date (Descending): View the most recently accessed tokens.

Learn more here.

Docker Hub authentication UI for the dependency proxy (Core, Premium, Ultimate)

The latest Eficode ROOT update, scheduled for June 2025, introduces a simplified method for configuring Docker Hub authentication.

Previously available only through the GraphQL API in GitLab 17.10, this feature now includes a user-friendly interface accessible within your group settings.

This enhancement allows you to:

• Prevent pipeline disruptions caused by Docker Hub rate limits.
• Enable access to private Docker Hub images.
• Securely store Docker Hub credentials, personal access tokens, or organization access tokens.

This improved process eliminates the need for the GraphQL API, providing a more straightforward way to ensure continuous access to Docker Hub images in your CI/CD pipelines. Learn more here.

Geo - New replicables view (Premium, Ultimate)

The updated interface for monitoring Geo secondary sites offers a cleaner and more consistent experience with GitLab. Users can now access a detailed view for each replicated item, including primary and secondary checksums and error information. This enhancement simplifies the process of identifying and resolving Geo synchronization problems. Learn more here.

Automated Duo Pro and Duo Enterprise seat assignment (Premium, Ultimate)

SAML Group Sync now supports automatic assignment of Duo Pro or Duo Enterprise seats. When a GitLab group has available seats of either type, users mapped from the identity provider will be automatically assigned a seat, simplifying seat management. Learn more here.

Customize compliance frameworks with requirements and compliance controls (Ultimate)

GitLab's compliance framework now offers enhanced monitoring through the introduction of 'requirements'. Previously, compliance was managed using labels for project identification and security policy enforcement within groups.

This update allows compliance managers to define specific requirements from various compliance standards, laws, and regulations as part of a custom framework.

The number of out-of-the-box compliance controls has significantly increased from five to over 50. These controls can be linked to the defined compliance framework requirements.

These pre-built controls verify project, security, and merge request settings across your GitLab instance, aiding in compliance with standards like SOC2, NIST, ISO 27001, and the GitLab CIS Benchmark.

Compliance adherence is now reflected in a redesigned standard adherence report that considers both requirements and their mapping to controls.

Furthermore, users can now map requirements to external controls, encompassing items, programs, or systems outside GitLab. This enables the GitLab compliance center to serve as a central hub for compliance monitoring and audit evidence.

AI

Llama 3 models generally available for GitLab Duo Chat and Code Suggestions (Ultimate)

GitLab Duo Self-Hosted now generally supports Llama 3 models for GitLab Duo Chat and Code Suggestions. Learn more here.

Use imported files as context in Code Suggestions (Premium, Ultimate)

GitLab Duo Code Suggestions now enhances its suggestions by utilizing imported files within your IDE. This expanded context, currently available for JavaScript and TypeScript files, allows for higher quality and more relevant coding assistance by incorporating additional project information. Learn more here.

GitLab Duo Chat now uses Anthropic Claude Sonnet 3.7 (Premium, Ultimate)

GitLab Duo Chat has upgraded its base model to Anthropic Claude 3.7 Sonnet from Claude 3.5 Sonnet for most queries.

This enhancement brings stronger coding and reasoning capabilities, leading to more detailed and accurate Chat responses, particularly in explaining and generating code, processing text data, and answering complex DevSecOps questions.

The upgrade is applied across all Chat features, ensuring a consistently improved user experience throughout the interface. Learn more here. 

Manage multiple conversations in GitLab Duo Chat (Premium, Ultimate)

GitLab Self-Managed web UI now supports multiple simultaneous GitLab Duo Chat conversations. Users can initiate new chats, review past conversations, and move between them while maintaining context.

To ensure privacy, inactive conversations (30 days of no activity) are automatically removed. Users can also delete conversations manually at any point. GitLab Self-Managed administrators have the ability to shorten the conversation retention period. Learn more here.

Select individual models for AI-powered features on GitLab Duo Self-Hosted (Ultimate)

GitLab Duo Self-Hosted users can now customize their GitLab Self-Managed instance by choosing and setting up specific supported models for each GitLab Duo feature and its sub-features. Learn more here.

Open files as context now available on GitLab Duo Self-Hosted Code Suggestions (Ultimate)

On Gitlab Duo Self-Hosted, you can now use files open in tabs in your IDE as context when using Code Suggestions. Learn more here.

GitLab Duo with Amazon Q is generally available (Ultimate)

GitLab Duo with Amazon Q, a generally available integrated solution combining GitLab's AI-powered DevSecOps platform with autonomous Amazon Q AI agents. This offering embeds AI agents directly into developer workflows, enabling faster completion of essential tasks within a single environment. These intelligent assistants automate processes like code generation, testing, reviews, and Java modernization, allowing teams to prioritize innovation while upholding security and quality.

Key advantages of GitLab Duo with Amazon Q for development teams include:

• Accelerated feature development: The `/q dev` command transforms issue descriptions into merge-ready code quickly.
• Simplified legacy code modernization: The `/q transform` command automates the entire Java modernization process.
• Enhanced code reviews: The `/q review` command provides immediate, intelligent feedback on code quality and security within merge requests.
• Automated testing for reliable releases: The `/q test` command generates comprehensive unit tests that understand application logic.

More GitLab Duo features now available on GitLab Duo Self-Hosted (Ultimate)

You can now use more GitLab Duo features with GitLab Duo Self-Hosted in your GitLab Self-Managed instance. The following features are available in beta:

• Root Cause Analysis
• Vulnerability Explanation
• Vulnerability Resolution
• AI Impact Dashboard
• Discussion Summary
• Merge Request Commit Message
• Merge Request Summary
• GitLab Duo for the CLI

Code Review Summary is also available on GitLab Duo Self-Hosted as an experiment. Learn more here.

UI/UX

Email delivery for dependency list and vulnerability report export (Ultimate)

Generating dependency lists or vulnerability reports no longer requires users to remain on the page during export. Instead, upon completion, a download link to the report will be sent via email notification. Learn more here.

Filter placeholder users in Admin area (Core, Premium, Ultimate)

The Users page in the Admin area now allows administrators to easily identify placeholder accounts created during imports. Previously, these accounts were indistinguishable from regular users. This update introduces a filtering option within the search box. Administrators can now select "Type" from the dropdown menu and then choose "Placeholder" to view only these specific accounts. Learn more here.

Tool filter replaced with Scanner and Report Type filters (Ultimate)

The vulnerability report's tool search filter has been updated. Previously, filtering was based on a single group combining scanner type (e.g., ESLint, Gemnasium) and report type (e.g., SAST, container scanning).

To simplify finding specific tools, the tool filter has been split into separate scanner and report type filters. You can now filter your search independently by these two categories. Learn more here.

Improved wiki sidebar styling (Core, Premium, Ultimate)

The custom wiki sidebar now has improved styling for better readability. Heading sizes have been reduced, and lists have increased left-padding. These changes enhance the visual hierarchy of custom navigation menus created using the \_sidebar wiki page, making it easier for teams to find information within their organized wiki content. Learn more here.

Improved pipeline graph visualization for failed jobs (Core, Premium, Ultimate)

New visual cues in the pipeline graph now offer a quick way to spot failed jobs. In each stage, failed jobs are now grouped at the top, and entire failed job groups are highlighted in the pipeline graph. This enhanced visualization simplifies the process of identifying and troubleshooting pipeline failures, eliminating the need to navigate intricate pipeline layouts. Learn more here.

Placeholder user limits appear in group usage quotas (Core, Premium, Ultimate)

For GitLab.com imports, the number of placeholder users is limited for each top-level group, based on your GitLab license and seat count. This update allows you to easily check your current placeholder user usage and set limits for any top-level group directly within the user interface.

Instructions:

1. Navigate to your desired top-level group by using the "Search or go to" function in the left sidebar.
2. In the group's settings, select Settings > Usage Quotas.
3. Go to the Import tab to view your current placeholder user usage and limits.

Learn more here.

Service accounts UI (Premium, Ultimate)

GitLab now features a dedicated user interface for creating and managing service accounts, providing a centralized space to create, monitor, and control automated access to GitLab resources. This functionality was previously limited to API access. Learn more here. 

New issue look now generally available (Core, Premium, Ultimate)

The latest GitLab release introduces a redesigned issue view, now generally available and consistent with epics and tasks. Key improvements include:

Viewing and navigation:

• Drawer view: Open items quickly from lists or boards in a side panel, with an option to expand to full-page view.
• Ancestry: View the complete item hierarchy above the title and in the Parent field. Manage relationships using new quick actions: /set_parent, /remove_parent, /add_child, and /remove_child.
• Layout: Enjoy a more consistent user interface across issues, epics, tasks, and merge requests for improved workflow navigation.

Functionality and actions:

• Change type: Easily convert between epics, issues, and tasks using the "Change type" action.
• Start date: Issues now support start dates, similar to epics and tasks.
• Controls: All actions are now located in the top menu (vertical ellipsis), which stays visible while scrolling.

Development and relationships:

• Development: A unified list now displays all related development items (merge requests, branches, and feature flags) for an issue or task.
• Linked items: Enhanced linking options allow you to create relationships between tasks, issues, and epics. Drag and drop to change link types and control the visibility of labels and closed items.

Learn more here.

Reporting

Dynamic analysis support for reflected XSS checks (Ultimate)

The Dynamic Analysis team has implemented a new check for CWE-79, enabling the DAST scanner to detect reflected XSS attacks. This check is enabled by default. To disable it, set the `DAST_FF_XSS_ATTACK` configuration option to `false`. Learn more here.

CycloneDX export for the project dependency list (Ultimate)

Many organizations are now mandating a software bill of materials (SBOM) to comply with regulations and enhance software supply chain security. GitLab has expanded its export functionality to address this need. Previously, users could only export dependency lists as JSON or CSV files. Now, GitLab can generate SBOMs by exporting dependency lists in the standardized CycloneDX format.

To download an SBOM in CycloneDX format, navigate to the dependency list and select Export > Export as CycloneDX (JSON). Learn more here. 

Display last comment as a column in GLQL views (Core, Premium, Ultimate)

Gain immediate insight into issue and merge request activity with the new GLQL feature. You can now display the last comment directly as a column by including 'lastComment' in your GLQL queries. This eliminates the need to open each item individually to check for updates, saving time and providing a clear overview of ongoing discussions and progress, ultimately helping teams maintain momentum. Learn more here. 

Store and filter a `source` value for CI/CD jobs (Core, Premium, Ultimate)

GitLab 17.11 enhances security and compliance by enabling verification of build artifact origins through a new "source" attribute for CI/CD jobs. This allows organizations to strengthen software supply chain security and ensure auditable compliance, such as verifying security scan evidence.

The "source" attribute, indicating if a job originated from a scan execution policy, a pipeline execution policy, or a regular pipeline, can be accessed via a new filter on the Build > Jobs page, the Jobs API, or through ID token claims for artifact verification.

This feature enables users to:

• Confirm the authenticity of security scan results.
• Filter jobs based on their source to quickly locate policy-driven scans.
• Employ cryptographic artifact verification using new ID token claims.
• Maintain compliance through improved audit trails.

Security and compliance teams can utilize this functionality to:

• View only policy-enforced jobs using the new Jobs page filter.
• Automate workflows by accessing the source information via the Jobs API.
• Implement artifact verification using the following new ID token claims:
  • `job_source`: Specifies the origin of the job.
  • `job_policy_ref_uri`: Links to the relevant policy file for policy-defined jobs.
  • `job_policy_ref_sha`: Provides the Git commit SHA of the policy.

Learn more here.

Token statistics for service account management (Premium, Ultimate)

The service account token management interface now features a statistics dashboard, offering a quick overview of your token inventory. This dashboard aids in evaluating token status and pinpointing tokens needing action. Key metrics include: total active tokens, tokens expiring within two weeks, manually revoked tokens, and previously expired tokens. Learn more here.

Export dependency list in CSV format (Ultimate)

The dependency list download feature in GitLab now includes a CSV export option. Previously, only other formats were available. This new functionality allows users to export their dependency lists as CSV files. Learn more here.

Epic, issue, and task custom fields (Premium, Ultimate)

This release introduces configurable text, number, single-select, and multi-select custom fields for issues, epics, tasks, objectives, and key results. Custom fields offer a more user-friendly method for adding structured metadata to planning artifacts compared to the current label-based categorization.

Custom fields are configured at the top-level group and are then applied to all subgroups and projects. These fields can be mapped to various work item types, and you can filter issues and epics lists based on custom field values. Learn more here.

Project development

Force-cancel CI/CD jobs stuck in canceling state (Core, Premium, Ultimate)

Occasionally, CI/CD jobs may become stuck in a 'canceling' state, which can impede deployments and resource access. To address this, Maintainers can now directly force-cancel these jobs from the job logs page, ensuring their proper termination. Learn more here.

Set work in progress limits by weight (Premium, Ultimate)

Manage team workload more flexibly by setting work in progress limits based on issue weight, in addition to the existing issue count. This allows teams using issue weights to represent effort to avoid overcommitment by limiting the total weight of issues within a board list. This feature enables better optimization of team productivity and a more balanced workflow that considers the varying complexity of tasks, controlling work flow based on effort rather than just the number of issues. Learn more here.

Improved runner management in projects (Core, Premium, Ultimate)

The runner management interface in projects has been updated for improved efficiency. Runners are now presented in a streamlined single-column layout, organized in dedicated lists instead of the former two-column view. This new organization simplifies the process of locating and managing runners. Enhancements include the display of assigned projects, runner managers, and the history of jobs executed by each runner. Learn more here. 

All auto-disabled webhooks now automatically re-enable (Core, Premium, Ultimate)

Previously, webhooks returning 4xx errors would not be re-enabled. Now, all error types (4xx, 5xx, and server errors) are handled uniformly, providing more consistent behavior and simplifying debugging. This update was previously announced in a blog post.

Webhook disabling behavior has also changed. Instead of being permanently disabled after a single failure, failing webhooks are now temporarily disabled for one minute, with the temporary disabling period increasing up to a maximum of 24 hours. A webhook will become permanently disabled only after 40 consecutive failures.

Webhooks permanently disabled in GitLab versions 17.10 and earlier have been migrated.

These changes are automatically applied to GitLab.com users. For GitLab Self-Managed and GitLab Dedicated instances, these updates are only active if the `auto_disabling_webhooks` operations flag is enabled. Learn more here.

Nuxt project template for GitLab Pages (Core, Premium, Ultimate)

GitLab now offers templates for popular Static Site Generators (SSGs), including Nuxt, a Vue.js framework, to create GitLab Pages sites. Nuxt is beneficial for building modern, high-performing web applications with reduced setup.

This enhancement broadens the choices for swiftly deploying Pages sites with integrated CI/CD pipelines and a contemporary development workflow, eliminating the need for extensive initial configuration. Learn more here.

Extension marketplace for Web IDE on self-managed instances (Core, Premium, Ultimate)

The extension marketplace is now available in the Web IDE for self-managed users, allowing them to discover, install, and manage third-party extensions. By default, GitLab instances use the Open VSX registry, which can be activated by following the provided steps. Users also have the option to connect a custom extension registry for greater flexibility. After the marketplace is enabled, individual users must opt in via the Integrations section in their Preferences. While some extensions requiring a local runtime are not compatible with the web-only version, a wide variety of extensions are available to enhance productivity and customize workflows. Learn more here. 

CI/CD pipeline inputs (Core, Premium, Ultimate)

CI/CD variables are crucial for dynamic workflows, serving as environment, context, tool configuration, and matrix variables. However, using them to inject pipeline variables for manual pipeline modification carries risks due to the higher precedence of pipeline variables.

GitLab introduces inputs as a safer alternative for modifying pipeline behavior in scheduled, downstream, and triggered pipelines, among others. Inputs offer a structured and flexible way to inject dynamic content at CI/CD job runtime. By adopting inputs, you can subsequently disable access to pipeline variables entirely. Learn more here.

Security

Increased rule coverage for secret push protection and pipeline secret detection (Ultimate)

GitLab secret detection has received significant updates, including 17 new secret push protection rules and 12 new pipeline secret detection rules. Some existing rules have also been updated to improve quality and reduce false positives. Learn more here.

Dynamic analysis support for reflected XSS checks (Ultimate)

The Dynamic Analysis team has enhanced the DAST scanner with a new check for CWE-79, enabling the detection of reflected XSS attacks.

Reflected XSS checking is enabled by default. To disable it, set the `DAST_FF_XSS_ATTACK` flag to `false` in your configuration. Learn more here. 

Static reachability beta with Python support (Ultimate)

Beta support for Python static reachability is now available from the Composition Analysis team. This release improves stability, observability, and user experience through simplified configuration.

Static reachability, powered by GitLab Advanced SAST, enhances Software Composition Analysis (SCA) by scanning source code to determine which open source dependencies are actively used.

Utilize static reachability data in your triage and remediation processes. It can also be combined with CVSS and EPSS scores, as well as KEV indicators, to provide a more targeted view of vulnerabilities. Learn more here.

Enhance security with protected container tags (Core, Premium, Ultimate)

Container registries are vital for modern DevSecOps practices. Previously, GitLab allowed users with Developer access and above to push and delete any container tag within their projects. This posed security risks by potentially enabling accidental or unauthorized modifications to critical production container images.

To address these vulnerabilities, GitLab introduces protected container tags, offering granular control over container tag management. This new feature enables you to:

• Establish up to five protection rules per project.
• Utilize RE2 regular expressions to define protected tags. Examples include `latest`, semantic versions (e.g., `v1.0.0`), and stable release tags (e.g., `main-stable`).
• Restrict push and delete operations to users with Maintainer, Owner, or Administrator roles.
• Prevent protected tags from being removed by container registry cleanup policies.

This functionality relies on the next-generation container registry, which is enabled by default for GitLab.com users. Enabling the metadata database is required for self-managed GitLab instances to utilize protected container tags. This enhancement significantly strengthens the security and stability of your container image management workflows. Learn more here.

Safeguard your registry with protected Maven packages (Core, Premium, Ultimate)

Enhance the security and stability of your GitLab package registry with the new support for protected Maven packages. This feature allows you to create protection rules for your critical Maven dependencies, preventing accidental modifications that can disrupt development.

By defining protection rules, only specified users can push new versions of packages matching those rules. This safeguarding mechanism prevents accidental overwrites, strengthens compliance, and reduces the need for manual monitoring.

This valuable addition, along with protected package support for other formats, was contributed by gerardo-navarro and the Siemens team. We extend our sincere gratitude to Gerardo and the Siemens crew for their significant contributions to GitLab. To learn more about their contribution experience, including learnings and best practices, watch Gerardo's video on contributing to GitLab as an external contributor. Learn more here.

 

Removal of Yahoo! user interface library

Actually, there is nothing more to be said. Jenkins decided to remove the Yahoo! user interface library. 

UI/UX

This release also brings a batch of thoughtful UI/UX enhancements to make your Jenkins experience smoother and more intuitive. The highlight is the new experimental Details widget for builds, a sleek addition aimed at improving how build information is presented (and yes, it’s worth a test drive). User avatars have received a visual refresh, adding a bit more personality to your pipelines. There’s now a handy Cancel button when editing descriptions (because sometimes we all change our minds), and the interrupted build icon has been updated for clearer status at a glance. Oh, and if you're in an insecure context, the copy button now politely excuses itself for safety’s sake.

Add grouping to Command Palette search results.

Thanks to that small improvement, it’s easier to identify what each result is. 

Bug fixes

No update is complete without a round of bug fixes, and this one delivers a few quality-of-life improvements under the hood. Jenkins now correctly displays dates in the History widget based on your configured time zone, because no one likes temporal confusion, especially in CI/CD. In addition to this, several smaller fixes have been applied across the board to improve stability, reduce glitches, and keep everything running just a bit more predictably. It's the kind of quiet progress that keeps your pipelines humming.

These fixes contribute to a more seamless experience, allowing you to monitor and manage your software supply chain with greater confidence.

Notable fixes include:

• Fix NEW_VULNERABILITIES_SUMMARY notification dispatch failing for PostgreSQL.
• Fix team email addresses not being available when publishing scheduled notification emails.
• Prevent duplicate tag names and relationships.
• Fix missing NONE value in classifier check constraint.
• Improve stability of tag binding.
• Fix tag deletion failing when tag is used by project collection logic.