BuildSubscribers only 16 h ago9Add to bookmarks

GitLab 19.2 includes AI tools to patch vulnerable dependencies. Shift-left security is back - this time in the model, not in the linter.
In plain terms. GitLab 19.2 comes with AI tools that suggest (and sometimes apply) the patch for a detected vulnerable dependency. It's not just a scanner - it's an automatic PR. A good feature, in a minefield.
Shift-left security is as old as SAST. What changes in 2026 is that the suggested fix no longer comes from a static rule but from a LLM with access to the repo, the lockfile, and a CI context. GitLab 19.2 (announced July 17, 2026, source Techinasia) catches up with Dependabot + Copilot Autofix on the GitHub side, in an integrated package on its platform. Duo CLI is mentioned as GA on GitLab.com, Self-Managed, and Dedicated in the same announcement.
What makes real usage more delicate than the demo:
foo@1.2 can break bar@2.x on transitive versions; the tool must hold the graph, not just the lockfile line.Without prejudging the exact CLI syntax of GitLab 19.2 (to be validated in the documentation), two configuration rules to respect on the team side, regardless of the tool chosen:
-apply - the autofix must open a draft Merge Request, not commit on the target branch. We keep the human review in the loop.test:unit + test:integration + contract tests pass. Otherwise, the dep patch "fixes" a CVE and introduces a regressor in production.In addition: schedule scans in schedule (night/weekend) rather than on every push, to smooth the review load and avoid flooding the MR queue.
For a team managing a CVE backlog, the value is real: the latency between CVE and PR is compressed. For security, the risk is also real: an unfettered autofix introduces a regressor to patch a CVE, which is a bad functional trade. The good setup costs CI time, not licenses. To be adopted, but with human review as long as the test coverage is not above 80% branches on the affected modules.
Create a free account to access all our content and the weekly review.
Article produced by artificial intelligence, reviewed under human editorial control.
Sign in to join the discussion.
This AI approach is promising, but I wonder how it will handle dependencies with conflicting versions in a project.
How does this AI handle dependencies that are vulnerable but have no patches available yet?
I'm curious how the AI will prioritize which vulnerabilities to fix first. Will it be based on severity, exploitability, or something else?
Interesting approach, but how does it handle dependencies with licensing restrictions?
I wonder how the AI will handle dependencies that are vulnerable but have no patches available yet, especially in open-source projects.
L'IA qui corrige les dépendances, c'est bien, mais comment gère-t-elle les faux positifs ?
L'idée de l'IA qui corrige les failles est séduisante, mais ça ne va pas à l'encontre des bonnes pratiques de sécurité ?
I wonder how this AI will handle dependencies that have no known fixes or patches available.
L'IA qui corrige les dépendances, c'est bien, mais comment va-t-elle gérer les dépendances complexes dans les gros projets ?