GitLab 18.10 introduces new AI-powered security capabilities focused on improving the quality and speed of vulnerability management. Together, these features can help reduce the time developers spend investigating false positives and bring automated remediation directly into their workflow, so they can fix vulnerabilities without needing to be security experts.

Here is what's new:

- Static Application Security Testing (SAST) false positive detection is now generally available. This flow uses an LLM for agentic reasoning to determine how likely a vulnerability is to be a false positive, so security and development teams can focus on remediating critical vulnerabilities first.
- Agentic SAST vulnerability resolution is now in beta. It automatically creates a merge request with a proposed fix for verified SAST vulnerabilities, which can shorten time to remediation and reduce the need for deep security expertise.
- Secret false positive detection is now in beta. This flow brings the same AI-powered noise reduction to secret detection, flagging dummy and test secrets to save review effort.

These flows are available to GitLab Ultimate customers using GitLab Duo Agent Platform.

Cut triage time with SAST false positive detection

Traditional SAST scanners flag every suspicious code pattern they find, regardless of whether code paths are reachable or frameworks already handle the risk. Without runtime context, they cannot distinguish a real vulnerability from safe code that just looks dangerous. This means developers could spend hours investigating findings that turn out to be false positives. Over time, that can erode confidence in the report and slow down the teams responsible for fixing real risks.

After each SAST scan, GitLab Duo Agent Platform automatically analyzes new critical and high severity findings and attaches:

- A confidence score indicating how likely the finding is to be a false positive
- An AI-generated explanation describing the reasoning
- A visual badge that makes "Likely false positive" versus "Likely real" easy to scan in the UI

These findings appear in the Vulnerability Report, as shown below. You can filter the report to focus on findings marked as "Not false positive" so teams can spend their time addressing real vulnerabilities instead of sifting through noise.

GitLab Duo Agent Platform's assessment is a recommendation. You stay in control of every false positive to determine if it is valid, and you can audit the agent's reasoning at any time to build confidence in the model.

Turn vulnerabilities into automated fixes

Knowing that a vulnerability is real is only half the work. Remediation still requires understanding the code path, writing a safe patch, and making sure nothing else breaks.

If the SAST false positive detection flow identifies a vulnerability as likely not to be a false positive, the Agentic SAST vulnerability resolution flow automatically:

- Reads the vulnerable code and surrounding context from your repository
- Generates high-quality proposed fixes
- Validates fixes through automated testing
- Opens a merge request with a proposed fix that includes concrete code changes, a confidence score, and an explanation of what changed and why

In this demo, you'll see how GitLab can automatically take a SAST vulnerability all the way from detection to a ready-to-review merge request. Watch how the agent reads the code, generates and validates a fix, and opens an MR with clear, explainable changes so developers can remediate faster without being security experts.

As with any AI-generated suggestion, you should review the proposed merge request carefully before merging.

Surface real secrets

Secret detection is only useful if teams trust the results. When reports are full of test credentials, placeholder values, and example tokens, developers may waste time reviewing noise instead of fixing real exposures. That can slow remediation and decrease confidence in the scan.

Secret false positive detection helps teams focus on the secrets that matter so they can reduce risk faster. When it runs on the default branch, it will automatically:

- Analyze each finding to spot likely test credentials, example values, and dummy secrets
- Assign a confidence score for whether the finding is a real risk or a likely false positive
- Generate an explanation for why the secret is being treated as real or noise
- Add a badge in the Vulnerability Report so developers can see the status at a glance

Developers can also trigger this analysis manually from the Vulnerability Report by selecting "Check for false positive" on any secret detection finding, helping them clear out findings that do not pose risk and focus on real secrets sooner.

Try AI-powered security today

GitLab 18.10 introduces capabilities that cover the full vulnerability workflow, from cutting false positive noise in SAST and secret detection to automatically generating merge requests with proposed fixes.

To see how AI-powered security can help cut review time and turn findings into ready-to-merge fixes, start a free trial of GitLab Duo Agent Platform today.
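The secret false positive detection section above describes the three outputs of the flow (a confidence score, a reason, and a real-versus-noise verdict) without showing what signals separate a dummy credential from a live one. The following is an added, deliberately rule-based example and not GitLab's implementation: the marker list, path patterns, weights and 0.5 threshold are assumptions chosen for illustration, and the findings in SAMPLE_FINDINGS are constructed. It scores each finding on whether the value is a template or environment-variable reference, contains a placeholder marker, lives under a test or docs path, has low Shannon entropy, or is a long run of one character, and returns the reasons alongside the score so a reviewer can audit why a finding was down-ranked.

```python
"""Heuristic placeholder-secret triage. Added example; not GitLab's own logic."""
import math
import re
from dataclasses import dataclass, field

# Illustrative markers that commonly show up in dummy or documentation
# credentials. Assumption: not the list the GitLab flow uses. Note that
# "test" is a substring match and could appear inside a real token, which
# is why each signal only adjusts a score instead of deciding outright.
PLACEHOLDER_MARKERS = re.compile(
    r"(?i)(example|sample|dummy|fake|placeholder|changeme|test|your[-_])"
)
# Directories whose contents are usually fixtures rather than live config.
TEST_PATH = re.compile(r"(?i)(^|/)(tests?|fixtures?|docs?|examples?|spec)(/|$)")
# Whole-value templates: <your-token>, ${API_KEY}, $API_KEY, {{ secret }}.
TEMPLATE_VALUE = re.compile(r"^(<[^>]+>|\$\{?[A-Z0-9_]+\}?|\{\{[^}]+\}\})$")
# Six or more of the same character in a row (xxxxxx, 000000).
REPEATED_RUN = re.compile(r"(.)\1{5,}")

ENTROPY_FLOOR = 3.0     # bits per character; random tokens sit well above this
FP_THRESHOLD = 0.5      # at or above this the finding is called a likely false positive


@dataclass
class Finding:
    path: str    # file the scanner flagged
    value: str   # the matched secret candidate


@dataclass
class Assessment:
    finding: Finding
    false_positive_confidence: float
    reasons: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if self.false_positive_confidence >= FP_THRESHOLD:
            return "likely false positive"
        return "likely real"


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess(finding: Finding) -> Assessment:
    """Score one finding; weights are illustrative assumptions."""
    score = 0.10  # prior: a raw scanner hit deserves a look until evidence says otherwise
    reasons = []
    if TEMPLATE_VALUE.match(finding.value):
        score += 0.50
        reasons.append("value is a template or environment-variable reference")
    if PLACEHOLDER_MARKERS.search(finding.value):
        score += 0.35
        reasons.append("value contains a placeholder marker")
    if TEST_PATH.search(finding.path):
        score += 0.25
        reasons.append("file sits under a test, fixture, example or docs path")
    if shannon_entropy(finding.value) < ENTROPY_FLOOR:
        score += 0.25
        reasons.append("value has low entropy for a generated credential")
    if REPEATED_RUN.search(finding.value):
        score += 0.25
        reasons.append("value contains a long run of one repeated character")
    return Assessment(finding, min(score, 0.95), reasons)


def triage(findings):
    """Assess every finding and order likely-real secrets first."""
    return sorted((assess(f) for f in findings), key=lambda a: a.false_positive_confidence)


# Constructed sample findings; none of these values is a real credential.
SAMPLE_FINDINGS = [
    Finding("tests/fixtures/settings.yml", "sk_test_00000000000000000000"),
    Finding("docs/api.md", "<your-api-token-here>"),
    Finding("src/app/settings.py", "q7Gk2pX9vL4mN8rT1wZ5yB3cD6fH0jA"),
    Finding("config/app.yml", "${DATABASE_PASSWORD}"),
]

if __name__ == "__main__":
    for a in triage(SAMPLE_FINDINGS):
        print(f"{a.false_positive_confidence:.2f}  {a.verdict:<22} {a.finding.path}")
        for r in a.reasons:
            print(f"        - {r}")
```

Run as a script, the high-entropy value under src/ is the only finding kept at the prior and listed first; the fixture, documentation and environment-variable entries are pushed to the bottom with their reasons. The point of returning reasons rather than just a score is the same one the post makes for the LLM-based flow: a reviewer can audit the decision instead of trusting a bare badge.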