All auto-disabled webhooks now automatically re-enable

All auto-disabled webhooks now automatically re-enable

With this release, webhooks that return 4xx errors are now automatically re-enabled. All errors (4xx, 5xx, or server errors) are treated the same way, allowing for more predictable behavior and easier troubleshooting. This change was announced in this blog post.

Failing webhooks are temporarily disabled for one minute, extending to a maximum of 24 hours. After a webhook fails 40 consecutive times, it now becomes permanently disabled.

Webhooks that were permanently disabled in GitLab 17.10 and earlier underwent a data migration.

• For GitLab.com, these changes apply automatically.
• For GitLab Self-Managed and GitLab Dedicated, these changes affect only those instances where the auto_disabling_webhooks ops flag is enabled.

Thanks to Phawin for this community contribution!

Placeholder user limits appear in group usage quotas

Placeholder user limits appear in group usage quotas

For imports to GitLab.com, placeholder users are limited per top-level group. These limits depend on your GitLab license and number of seats. With this release, it’s possible to check your placeholder user usage and limits for a top-level group in the UI.

To view your current usage and limits:

1. On the left sidebar, select Search or go to and find your group. This group must be at the top level.
2. Select Settings > Usage Quotas.
3. Select the Import tab.

Docker Hub authentication UI for the dependency proxy

Docker Hub authentication UI for the dependency proxy

We’re excited to announce UI support for Docker Hub authentication in the GitLab Dependency Proxy. This feature was initially introduced in GitLab 17.10 with GraphQL API support only, and now includes a user interface for easier configuration.

With this enhancement, you can now configure Docker Hub authentication directly from your group settings page, helping you:

• Avoid pipeline failures due to rate limits.
• Access private Docker Hub images.
• Store your Docker Hub credentials, personal access token, or organization access tokens securely.

This streamlined approach makes it easier to maintain uninterrupted access to Docker Hub images in your CI/CD pipelines without using the GraphQL API.

Pre-deployment opt-out toggle to disable event data sharing

Pre-deployment opt-out toggle to disable event data sharing

In GitLab 18.0, we plan to enable event-level product usage data collection from GitLab Self-Managed and GitLab Dedicated instances. Unlike aggregated data, event-level data provides GitLab with deeper insights into usage, allowing us to improve user experience on the platform and increase feature adoption.

Starting in GitLab 17.11, you will have the ability to opt out of event data collection before it starts, effectively allowing you to choose participation in advance. For more information and details on how to opt-out please see our documentation.

CycloneDX export for the project dependency list

CycloneDX export for the project dependency list

Many organizations now require a software bill of materials (SBOM) to meet regulatory requirements and help further increase the security of the software supply chain. Previously, you could only export your dependency list as a JSON or CSV file from GitLab. Now, GitLab can produce your SBOM by exporting your dependency list in the CycloneDX format that has become the adopted SBOM standard.

To download an SBOM directly as a CycloneDX file, in the dependency list, select Export > Export as CycloneDX (JSON).

Store and filter a source value for CI/CD jobs

Store and filter a source value for CI/CD jobs

GitLab 17.11 introduces a new feature that allows users to verify the origin of build artifacts by tracking the source attribute of CI/CD jobs. This enhancement is particularly valuable for security and compliance workflows. For example, organizations can implement software supply chain security measures or require verifiable evidence of security scans for compliance purposes.

Jobs in GitLab now store and display a source value that identifies whether they originated from:

• A scan execution policy
• A pipeline execution policy
• A regular pipeline

You can access the source attribute on the Build > Jobs page with a new filter option, using the Jobs API, or through the ID token claims for artifact verification.

With this new feature, you can now:

• Verify the authenticity of security scan results.
• Filter jobs by source type to quickly identify policy-enforced scans.
• Implement cryptographic verification of artifacts using the new ID token claims.
• Ensure compliance requirements are met with proper audit trails.

Security and compliance teams can leverage this feature to:

• View only policy-enforced jobs using the new filter on the Jobs page.
• Automate tasks by accessing the source field in the Jobs API.

• Implement artifact verification using the new ID token claims:

  • job_source: Identifies the job’s origin.
  • job_policy_ref_uri: Points to the policy file (for policy-defined jobs).
  • job_policy_ref_sha: Contains the git commit SHA of the policy.

Assign projects when creating compliance frameworks

Assign projects when creating compliance frameworks

In the past, you couldn’t assign new compliance frameworks to projects without navigating to the Projects tab in the compliance center after creating the compliance framework. This situation created unnecessary friction to creating new compliance frameworks in your groups.

In GitLab 17.11, when creating a compliance framework, we introduced a new step that provides the option of assigning multiple projects to the compliance framework before it is created.

This new feature:

• Helps keep you in the compliance framework creation workflow.
• Provides guidance for you to understand that compliance frameworks work together with projects in a group to monitor and enforce compliance adherence for the entire group.

Ghost user contributions auto-mapped during imports

Ghost user contributions auto-mapped during imports

Previously, ghost user contributions would create placeholder references that required manual reassignment, creating extra work during migrations. Now, importers using new contributions and membership mapping functionality, migration by direct transfer, GitHub, Bitbucket Serber and Gitea importers, handle ghost user contributions more intelligently. When importing content to GitLab, contributions previously made by the ghost user on the source instance are now automatically mapped to the ghost user on the destination instance.

This enhancement eliminates the creation of unnecessary placeholder users for ghost user contributions, reducing clutter in user mapping interface and simplifying the migration process.

Force-cancel CI/CD jobs stuck in canceling state

Force-cancel CI/CD jobs stuck in canceling state

CI/CD jobs can occasionally get stuck in the ‘canceling’ state, blocking deployments or access to shared resources.

Users with the Maintainer role can now force-cancel these stuck jobs directly from the job logs page, ensuring problematic jobs can be properly terminated.

Kubernetes 1.32 support

Kubernetes 1.32 support

This release adds full support for Kubernetes version 1.32, released in December 2024. If you deploy your apps to Kubernetes, you can now upgrade your connected clusters to the most recent version and take advantage of all its features.

You can read more about our Kubernetes support policy and other supported Kubernetes versions.

Dynamic analysis support for reflected XSS checks

Dynamic analysis support for reflected XSS checks

The Dynamic Analysis team has introduced a check for CWE-79. This work allows our DAST scanner to check for reflected XSS attacks.

Checking for Reflective XSS is on by default. To turn off this check, in you configuration, set DAST_FF_XSS_ATTACK: false. If you have questions or feedback, see issue 525861.

Export dependency list in CSV format

Export dependency list in CSV format

Previously, you could not export a dependency list from GitLab as CSV file. Now, when you download a dependency list, you can select the new CSV option to export the list in in this format.

Tool filter replaced with Scanner and Report Type filters Type”

Tool filter replaced with Scanner and Report Type filters Type”

Previously, the Tool search filter in the vulnerability report allowed you to filter results based on a single group of tools that included the type of scanner (like ESLint or Gemnasium) and the type of report (like SAST or container scanning).

To help you find the appropriate tools more easily, we’ve replaced the Tool filter with the Scanner filter and the Report Type filter. You can now filter your search based on each of these types of tools separately.