Back to Gitlabhq

Dependency scanning auto-remediation (Beta)

doc/releases/19/gitlab-19-2-released/ds-auto-remediation-beta.md

19.2.01.7 KB
Original Source
<!-- Category: Software Composition Analysis -->

GitLab 19.2 introduces Dependency scanning auto-remediation in Beta. The feature brings automated vulnerability remediation directly into your dependency scanning workflow, with two capabilities:

  • Automated dependency version bumps, available on GitLab.com, GitLab Self-Managed, and GitLab Dedicated.
  • Agentic Breaking Change Resolution, available on GitLab.com, GitLab Self-Managed, and GitLab Dedicated, and consumes GitLab Credits.

Automated dependency version bumps automatically opens merge requests to update vulnerable dependencies to their safe versions. Once turned on, GitLab monitors your projects for vulnerable dependencies and opens remediation MRs without manual intervention. By default, updates target patch and minor versions.

Agentic Breaking Change Resolution extends the remediation flow to handle complex updates. When a merge request that bumps dependency versions has a pipeline fails on a breaking change, GitLab Duo analyzes the pipeline errors, the dependency's changelog, and how your code uses the dependency.

GitLab Duo commits fixes to the same MR and re-runs the pipeline until the pipeline passes. When you enable Agentic Breaking Change Resolution, version bumps extend to include major versions.

Together, the two capabilities form a complete remediation loop: GitLab opens the MR, and when the update is complex, GitLab Duo resolves it.

For setup instructions, see Dependency scanning auto-remediation.

Share feedback in the beta feedback issue.