惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
WordPress大学
WordPress大学
宝玉的分享
宝玉的分享
人人都是产品经理
人人都是产品经理
博客园 - 聂微东
IT之家
IT之家
V
V2EX
Jina AI
Jina AI
V
Visual Studio Blog
有赞技术团队
有赞技术团队
博客园 - 司徒正美
博客园 - 叶小钗
The Cloudflare Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
小众软件
小众软件
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
博客园 - 三生石上(FineUI控件)
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Google DeepMind News
Google DeepMind News
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
腾讯CDC
Google Online Security Blog
Google Online Security Blog
博客园 - 【当耐特】
Apple Machine Learning Research
Apple Machine Learning Research
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
N
News and Events Feed by Topic
N
News and Events Feed by Topic
The Last Watchdog
The Last Watchdog
W
WeLiveSecurity
月光博客
月光博客
Security Archives - TechRepublic
Security Archives - TechRepublic
Webroot Blog
Webroot Blog
SecWiki News
SecWiki News
博客园_首页
罗磊的独立博客
量子位
Latest news
Latest news
I
Intezer
V
Vulnerabilities – Threatpost
A
Arctic Wolf
Last Week in AI
Last Week in AI
Recent Commits to openclaw:main
Recent Commits to openclaw:main
S
SegmentFault 最新的问题
S
Security Affairs
阮一峰的网络日志
阮一峰的网络日志
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
酷 壳 – CoolShell
酷 壳 – CoolShell
P
Palo Alto Networks Blog
C
CXSECURITY Database RSS Feed - CXSecurity.com
N
News | PayPal Newsroom

The New Stack | DevOps, Open Source, and Cloud Native News

Agentic development hinges on verification. For cloud-native software, that is a runtime problem. AI agents need infrastructure: Why Europe’s regional cloud strategy matters Transform your AI coding agent into a deterministic Java Spring expert WeAreDevelopers is coming to the US to give unsung developers a bigger voice Cleaner AI training data, fewer bugs: Sonar’s SonarSweep explained Observability overload is drowning engineers Google’s DiffusionGemma is 4x faster than its other Gemma models Fable 5: Guardrails and burn rate are annoying users, who say it’s still better than Opus 4.8 The Anthropic leader who built Claude Code says he ditched prompting — now he just writes loops. AWS can now mathematically prove your VMs are isolated Microsoft pulled 73 GitHub repos after malware attack — but still won’t say who’s compromised Databricks wants to kill the “email me a file” problem for AI agent skills Ramp bets forward deployed engineers can do what off-the-shelf finance AI can’t Git real: AI agents aren’t just for solo developers anymore Anthropic launches Claude Mythos/Fable 5, but you better try it soon Spring is 23 years old. AI just made it a security emergency. This AI agent startup ditched Anthropic for DeepSeek — and says it’s saving millions When your data model is the bottleneck: lessons from Medium’s feature store How long before we stop reading the code? The tokenmaxxing party is over, and Revenium is mopping up How AI is solving the memory crunch it created Microsoft’s pitch to enterprises: Ditch Azure Repos for GitHub, despite its rocky reliability record Claude Code’s biggest upgrade yet ran 5 agents at once — here’s what happened Why Anthropic just doubled Claude Cowork limits at no charge For years, Apache Cassandra handed this work to your team — 6.0 takes it back “A dangerous combination”: The 2 factors that can “corrupt” AI agent workflows With Foundry, Microsoft bets the enterprise AI battle is about reliability, not capability Microsoft unlocks Visual Studio for developers left behind by its own AI AI teams now deploy 1,000 times a month. Your pipeline wasn’t built for that. Microsoft just made the agent runtime free — and kept everything around it “Whoever builds the most joyous product wins”: The agent war begins Netlify CTO Dana Lawson: Writing code is no longer the job From Jupyter Notebook to production: How to ship AI systems that actually work OpenClaw used Gavriel Cohen’s code and exposed the AI Agent accountability problem Replit shows how vibe coding is getting its own financial stack — and a path to profit Cloudflare aqui-hires VoidZero: Did a piece of the open web just stabilize, or become more brittle? Cursor cuts prices and adds enterprise spend controls amid “tokenomics” reckoning Google Gemma 4 12B nearly matches 26B benchmarks — and runs on your laptop Snowflake thinks it knows what’s really slowing developers down Autonomous agents have met their biggest challenge yet: The database. Why agentic AI makes the ops platform the most important layer in the enterprise How to dramatically improve enterprise security alert tuning to battle cyberattacks Why the need for humans won’t disappear in the age of autonomous databases How to secure Kubernetes in the age of AI workloads Asana says its new AI “chief of staff” turns your Slack chaos into trackable work Nvidia’s best model is now live Mate Security’s Asaf Wiener made every backend engineer a model router. He’s right to. The AI cost crisis finally has a watchdog — just not the companies causing it How to get operational data off the factory floor without creating an IT breach Why CPUs still matter in the age of AI agents Rayfin: Microsoft’s answer to the gap between vibe coding and enterprise production Microsoft bets the enterprise AI race will be won on data context, not model power “A successful attack could be catastrophic”: Anthropic gives more groups access to Claude Mythos How GitHub plans to win developers back Microsoft really, really, really wants developers to love Windows again With Intelligent Terminal, Microsoft is reinventing the Windows terminal Microsoft debuts “Scout” at Build, a new personal agent for work OpenAI’s Codex adds new tools — Sites, Annotations, more plugins — for knowledge workers GitHub Copilot’s usage-based billing is live: Here’s what you need to know OpenAI, Anthropic, Google, Amazon, and xAI all fail on type of attack, study finds JetBrains open-sources Mellum2 to go where Claude Code can’t Claude Code vs. Cursor vs. Codex vs. Antigravity — six months in This coding agent doesn’t want your feedback — it ships without it “Blowing things up”: The one move vendors got wrong on AI agents At Sapphire, SAP makes the case that enterprise AI is a context problem Gavriel Cohen found his own code inside OpenClaw, so he walked away AI retrieval at scale is becoming a systems problem, not a tooling problem The DIY platform trap that’s burning out engineering teams I tested Cursor’s new Jira integration and it’s 5 stars, no notes. Here’s why. Why GPT-5.4, Claude, and Gemini can’t agree on basic, real-world facts Replit’s vibe coding platform just got a Visa-backed identity layer for AI agents — and it changes how agents spend money Opus 4.8 Made Claude Smarter. Token Discipline Got Urgent. Why Linux creator Linus Torvalds gets angry hearing “99% of code is AI” Vendor neutrality isn’t magic: A hard look at the OpenTelemetry ecosystem “The AI did it” won’t save you when EU regulators come knocking The fix for soaring AI cloud bills exists — so why won’t we trust it? AI is shipping code faster than security was built to handle Why AWS scrapped OpenSearch’s architecture to chase agent workloads Claude Opus 4.8 is here: effort controls, dynamic workflows, cheaper fast mode, better honesty, less deception Percona celebrates 20th birthday with new foundation — and a goat cake Why OpenAI and Anthropic are hiring forward deployed engineer teams Claw-style AI agents are coming to the enterprise. The governance infrastructure is still catching up. The agentic identity crisis: Why your security isn’t ready for the AI revolution Debugging the undebuggable: building observability into probabilistic AI systems Snowflake commits $6B to AWS as it pushes deeper into AI Why MotherDuck refuses to fork DuckDB Researcher “gave Claude Code ‘ADHD’… and it thinks 2x better now.” Outside experts want more proof. “There is no accountability”: AI coding agents are installing packages no one owns “Tokenmaxxing is real, expensive & it’s spreading”: AI budgets are exploding With Google’s debut, the most important AI agent feature is now the most boring one Why AI agents need a Context Lake Google ranks the best AI for building Android apps, and the winner isn’t Gemini Google pushes Pro, Ultra, and free users from open-source Gemini CLI to closed-source Antigravity CLI The reason enterprise outages almost never start where ops teams think Taming the agentic influx: a blueprint for AI business observability How the AC/DC framework helps teams govern AI coding agents Who’s monitoring the agents? How Jaeger hit 8.6× compression on 10 million spans with ClickHouse What ClickHouse learned from a year of coding with AI agents OpenClaw passed 300,000 GitHub stars. Then Google launched Spark.
GitLab 19.0 trades its string section for a full DevSecOps orchestra
Adrian Bridgwater · 2026-05-26 · via The New Stack | DevOps, Open Source, and Cloud Native News

There are orchestras… and then there are mere string, horn, or woodwind sections. As the self-styled intelligent orchestration platform for DevSecOps, GitLab wants to put on a full show with a new coordinated play that encompasses every possible instrument.

The organization released GitLab 19.0 last Thursday with a louder, more harmonious score that encompasses expanded secrets management, agentic merge request workflows, continuous integration (CI) pipeline visibility, support for the self-hosted open-source model, and supply chain visibility.

Prisoners of the AI paradox

As the amount of AI-driven code starts to surface in working codebases, software engineering teams are aiming to avoid the gravitational pull of the AI paradox, i.e., more AI code means more workflow credentials to secure, more review and merge changes to oversee, more pipeline standards to uphold, more regulatory compliance checks, and so on. 

It may feel like intelligent automation and intelligent infrastructure orchestration were never playing from the same sheet of music. GitLab 19.0 has been engineered to combat the production paradox and reduce the handoffs between writing code and shipping it.

“Today, putting a credential into a CI/CD variable grants that secret to every job in the project, including jobs added later by contributors who weren’t around when the secret was created, GitLab Secrets Manager flips the default.” – Manav Khurana, GitLab.

Key among the updates, GitLab Secrets Manager (a technology that stores credentials inside the same platform that runs code and pipelines) is now in public beta for GitLab Premium and Ultimate users. The tool scopes each secret to only the jobs authorized to use it. Access control and audit logging use the same group and project structure already in GitLab, with no separate permission model to maintain. 

If a credential is compromised, developers (who are likely platform engineers in this instance) can trace every job that used it in the GitLab audit trail, linked to the originating pipeline, without having to correlate logs across separate systems. It works alongside existing integrations with HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, and Google Cloud Secret Manager.

The principle of least privileged access

Scoping secrets to individual jobs is presented here as a fundamental change to developers’ security posture during pipeline construction.

Manav Khurana, chief product & marketing officer at GitLab, tells The New Stack that this move is all about the principle of least privileged access. 

“Today, putting a credential into a CI/CD variable grants that secret to every job in the project, including jobs added later by contributors who weren’t around when the secret was created,” says Khurana. “GitLab Secrets Manager flips the default.”

Khurana explains what happens now and says that when a developer creates a credential, they define the conditions under which a job can use it: which branch, which environment, and whether the branch is protected. Anything outside that scope can’t see the secret, so a compromised job stays contained.

Keeping developers in flow across the lifecycle

GitLab 19.0 also extends Developer Flow across the full merge request lifecycle to address reviewer feedback, resolve conflicts, split oversized merge requests, and implement features at any stage. Launched by GitLab last year, Developer Flow (the clue is in the name; it aims to keep programmers in a state of flow) exists to turn an issue into a merge request.

Since the flow reads project-specific standards from AGENTS.md before committing, the output reflects team context, workflows, and guardrails rather than generic defaults. 

“The agent works for a developer’s project, not against a generic template,” says Khurana. “Customization goes as deep as the team specifies. AGENTS.md captures the project-level context the agent wouldn’t otherwise have: conventions, architectural decisions, environment quirks, the commands a new contributor would need someone to explain.”

He further clarifies that agent-config.yml (a configuration file that defines agent behavior, environment, and parameters) sets up the development environment with the necessary dependencies and tooling, enabling the agent to run tests and pre-commit hooks before committing. 

“The point is to give the agent a machine that’s ready to go, so output matches the team’s standards instead of creating rework. Two projects in the same group can produce very different agent behavior because Developer Flow reads each project’s own files, rather than a shared default,” says Khurana.

Four new open source models

Other updates in this release include Components Analytics, which gives platform engineering teams visibility into which CI/CD catalog components are running across an organization and which versions are in use.

Additionally, the GitLab Duo Agent Platform Self-Hosted now runs its agents on four additional open-source models, Mistral Devstral 2 123B, GLM-5.1, Kimi-K2.6, and MiniMax-M2.7. Each model was evaluated against the GitLab Duo Agent Platform task requirements, including multi-step tool use, code-generation quality, and reasoning across large code differences. Both on-premises and private cloud deployment options are supported.

“The introduction of four new open source models is about eliminating the choice between compliance and capability. Teams in air-gapped and regulated environments have stronger local options than before,” says Khurana.

He points out that GitLab users can also set up hybrid deployments, mixing self-hosted and GitLab-managed models by feature, choosing based on data sensitivity, infrastructure cost, latency, and the capability gap between the model they can run locally and the managed option available through GitLab.

GitLab 19.0 also adds security capabilities that give teams more control over governing what ships and who can access the platform. Dependency scanning with a software bill of materials (SBOM) produces an auditable inventory of third-party components that can be matched against GitLab security advisories.

“This approach doesn’t cover how agents make autonomous decisions across a team’s pipeline and act on permissions that were granted once, then subsequently forgotten about. If software engineering teams don’t have execution governance and observability wired up before they flip the switch on agent deployments, they’re going to learn what someone else decided on a different day – and they’re going to learn it the hard way,” – David Girvin, Sumo Logic.

Don’t forget forgotten permissions

David Girvin, AI security researcher at cloud monitoring and log management SIEM specialist Sumo Logic, tells The New Stack that he concurs with the direction of the work being carried out here. 

“Most AI coding tools solve problems that take up about 52 minutes of a developer’s day. GitLab is asking what happens during the other seven hours,” Girvin says. “GitLab 19 is betting on agentic orchestration across the full software lifecycle, not just the editor, which is the right problem to be solving.”

However, Girvin notes that this approach doesn’t address how agents make autonomous decisions across a team’s pipeline and act on permissions that were granted once and then forgotten. 

“If software engineering teams don’t have execution governance and observability wired up before they flip the switch on agent deployments, they’re going to learn what someone else decided on a different day – and they’re going to learn it the hard way,” underlines Girvin.

Fix AI infrastructure first, then code

GitLab has directed its engineering efforts to try to combat the “more AI code equals more headaches” issue that has brought the AI-infrastructure first debate into the spotlight this year. 

As GitLab’s Khurana summarizes, “This release means developers spend less time on the manual work that surrounds a merge request, and a compromised credential stays contained to the job that used it. Security teams focus remediation on real exposure, not every package in the manifest, just the ones your code actually calls.”

The core message here is to put security, automation, and governance on the same platform as the code, so that one can be initiated before the other.

As the cartoon says: first pants, then shoes.

YOUTUBE.COM/THENEWSTACK

Tech moves fast, don't miss an episode. Subscribe to our YouTube channel to stream all our podcasts, interviews, demos, and more.

Created with Sketch.