What’s new in Eficode ROOT: April 2025

Add reviewer groups as code owners

This feature introduces the ability to assign reviewer groups as code owners, streamlining the review process by automatically designating teams as responsible for specific parts of the codebase. This ensures the right experts are always involved in code reviews, improving collaboration and code quality. Make sure it’s handled within your teams! Learn more here.

Actual user avatars disabled in email notifications

The latest update disables anonymous avatar access due to a reported security vulnerability. This means that in email notifications, you’ll see default user avatars instead of actual ones. Please let us know if you’d like to continue showing actual user avatars in email notifications.

Multiline comments

Enhancements to the diff view now allow you to add comments and tasks to specific line ranges. By dragging the comment marker or using the "+" icon across lines of code, reviewers can provide more precise feedback and context within the code, streamlining team communication and the review process. Learn more here.

Multiline suggestions

The recent upgrade improves code reviews with multiline suggestions, enabling reviewers to propose changes across multiple lines in a single suggestion. This enhancement makes feedback more actionable, reducing back-and-forth discussions and speeding up the review process. By allowing clearer and more comprehensive edits, teams can collaborate more effectively and maintain high code quality. Learn more here.

New login experience with two-step verification

The recent upgrade introduces a new login experience featuring two-step verification, enhancing account security. Users can now set up two-step verification and verify their identity with an authentication app during login, providing additional protection for their Atlassian accounts. This improvement simplifies enabling and managing two-step verification, ensuring a smoother and more secure authentication experience. Learn more here.

API changes

You can now use REST API for retrieving the diff statistics summary (total lines of code added and removed, and number of files changed) for commits and pull requests.

Removed Gray APIs from Bitbucket Data Center, thus reducing the scope of third-party libraries and improving dependency management.

Prevent branch creation with new permission

A new permission has been implemented to restrict the creation of new branches in repositories. This authorization can be applied to specific branching patterns or models and used within a cascading merge workflow. Any unauthorized users attempting to create restricted branches will encounter an error message.

Administration

Rotate access tokens with `self_rotate` scope (all users)

You can now use the self_rotate scope to rotate access tokens. This scope is available for personal, project, or group access tokens. Previously, this required two requests: One to obtain a new token and another to perform the token rotation. The self_rotate scope allows you to rotate personal, project, or group access tokens using only one request. This eliminates the previous two-step process of obtaining a new token and then performing the token rotation. Learn more here.

Apply a compliance framework by using a project's compliance center (Premium, Ultimate)

GitLab 17.2 initially allowed group owners to manage compliance frameworks for all projects within a group through the group's compliance center. This capability has been expanded to allow group owners to apply and remove compliance frameworks at the project level, simplifying the application and monitoring of compliance.

Note: This project-level management of compliance frameworks remains exclusive to group owners and is not available to project owners. Learn more here.

Support for additional group memberships with multiple OIDC providers (Premium, Ultimate)

You can now configure additional group memberships when using multiple OIDC providers. Previously, this was limited to a single group membership. Learn more here.

New permissions for custom roles and support custom roles in merge request approval policies (Ultimate)

You can now assign custom roles as approvers in merge request approval policies and create custom roles with the Read compliance dashboard permission. This allows you to:

• Tailor approval requirements to your organization's team structures and responsibilities.
• Ensure the right roles are involved in the review process.
• Grant specific permissions to users based on their tasks.
• Define roles that are tailored to the needs of your group.
• Reduce the number of users who need the Owner or Maintainer role.

For example, you can now require approval from AppSec Engineering roles for security reviews and Compliance roles for license approvals. Learn more here and here.

Block deletion of active security policy projects (Ultimate)

Security policy projects linked to groups or projects can no longer be deleted. To delete a security policy project, any existing links to groups or projects must first be removed. This update prevents accidental deletion of active security policies, ensuring continued enforcement and protection. Learn more here.

Custom expiration date for rotated service account tokens (Premium, Ultimate)

You can now set a custom expiration date using the expires_at attribute when rotating an access token for a service account. This offers more granular management of token lifetimes and enhances your ability to maintain secure access controls.  Previously, tokens automatically expired seven days after rotation. Learn more here.

Email notifications for service accounts (Premium, Ultimate)

GitLab now allows you to specify a unique custom email address for each service account to receive email notifications. This feature improves process and event monitoring by sending notifications directly to the designated email address rather than relying on the default notification settings. Learn more here.

AI

Composite identity for more secure AI connections (all users)

Composite identity now allows authentication as both a service account and a user simultaneously. This is crucial for AI agent use cases, where permissions are often based on the initiating user, yet the agent needs a distinct identity. A composite identity is a new identity principal representing an AI agent's identity, linked with the human user requesting actions.

When an AI agent attempts to access a resource, a composite identity token is used. This token, belonging to a service account, is also linked with the instructing human user. Authorization checks consider both principals before granting access, enhancing resource protection within GitLab. Learn more here.

Add project files to Duo Chat in VS Code and JetBrains IDEs (Premium, Ultimate)

Enhance your AI-powered coding assistance by uploading your project files directly to Duo Chat in VS Code and JetBrains. By adding your project files, you equip Duo Chat with an in-depth understanding of your codebase, which unlocks more relevant and accurate AI assistance. This context-aware capability allows Duo Chat to provide code explanations, debugging support, and code suggestions that align seamlessly with your existing project. Learn more here.

Gitlab Duo Self-Hosted is generally available (Ultimate)

GitLab Duo Self-Hosted now allows you to utilize the power of generative AI while maintaining complete data sovereignty and privacy by enabling you to use models hosted either on-premise or in a private cloud as the source for GitLab Duo Chat or Code Suggestions. The feature is generally available on self-managed GitLab environments with applicable licensing and currently supports open-source Mistral models on vLLM or AWS Bedrock, Claude 3.5 Sonnet on AWS Bedrock, and OpenAI models on Azure OpenAI. Learn more here.

UI/UX

Dependency list filter by component in projects (Ultimate)

The Component filter now allows you to search for packages by name within the Dependencies list of a project. Learn more here.

Group sharing visibility enhancement (all users)

The new version provides expanded visibility for group sharing. The group overview page now includes both Shared projects and Shared groups tabs, allowing you to see which groups your group has been invited to join and which projects are shared. This complete view of group connections and sharing within your organization simplifies the auditing and management of group access. Learn more here.

Change work item type to another (all users)

You can now easily change the type of your work items, allowing you to manage your projects more efficiently. Learn more here.

Manage project integrations from a group with the REST API (all users)

Project integrations in GitLab can now be managed using the REST API and from a group in the GitLab UI. Learn more here.

Configure DAST scans through the UI with full control (Ultimate)

DAST scans configured through the UI now have the same granular control as pipeline-based scans, including full authentication configuration, precise crawl settings, advanced scan timeouts, custom scanner behavior, and targeted scanning modes. These configurations can be saved as reusable profiles and every change is tracked with audit events. This enhanced control and detailed audit trails help you run more effective security scans and maintain compliance. You can quickly launch the right scan for each application and find and fix vulnerabilities faster. Learn more here. 

Automatic CI/CD pipeline cleanup (all users)

Previously, deleting old CI/CD pipelines was only possible through the API. GitLab introduces a project setting to define a CI/CD pipeline expiry time. Pipelines and artifacts exceeding this retention period are automatically deleted, potentially reducing disk usage, enhancing performance, and optimizing storage in projects with numerous pipelines and large artifacts. Learn more here.

Wiki page comments (all users)

By enabling comments directly on wiki pages, Eficode ROOT transforms your documentation into a dynamic and interactive platform for team collaboration.

Benefits of Comments and Threads on Wiki Pages:

• Contextual discussions: Engage in discussions directly within the relevant content.
• Streamlined feedback: Suggest improvements and corrections effortlessly.
• Living documentation:  Maintain up-to-date and accurate documentation.
• Knowledge-sharing:  Facilitate the exchange of expertise and insights among team members.

With the addition of wiki comments, teams can foster a collaborative environment where documentation evolves organically through direct feedback and ongoing discussions, ensuring that it remains aligned with project needs. Learn more here.

Reporting

Search and filter the Credentials Inventory (Ultimate)

The Credentials Inventory now includes search and filter features to simplify locating tokens and keys that match specific criteria, such as expiration date. This is an improvement from the previous static list view. Learn more here.

OAuth application authorization audit event (Premium, Ultimate)

GitLab's latest release enhances security auditing by introducing a new audit event: "User authorized an OAuth application." This event tracks successful OAuth application authorizations by users, addressing a previous gap in audit logging and providing security teams with greater oversight into OAuth application usage within a GitLab instance. Learn more here.

View access token IP addresses (all users)

Personal access token usage information has been enhanced. Previously, you could only see how long ago a token was used. Now, you can also view up to the last seven IP addresses used to access the token. This additional information allows you to better track token usage and identify potential unauthorized access. Learn more here.

Enhancing workflow visibility: new insights into merge request review time (Premium, Ultimate)

Value Stream Analytics (VSA) now includes a new event, "Merge request last approved at," to enhance development workflow tracking. This event signifies the conclusion of the review phase and the commencement of either the final pipeline run or the merge stage. By incorporating this enhancement, teams can gain deeper insights into potential areas for optimizing review times, ultimately decreasing the overall development cycle time and resulting in faster software delivery. For instance, to determine the total merge request review time, a VSA stage can be created with "Merge request reviewer first assigned" as the start event and "Merge request last approved at" as the end event. Learn more here.

Development workflow tracking.

Simplified access to deployments within project environments (all users)

The environments list now displays details about your latest deployments, including the most recent successful deployment and, if different, the latest deployment attempt, providing a quick overview of your project's deployments without expanding each environment. Learn more here.

Project development

Enable Dependency Scanning using SBOM for Cargo, Conda, Cocoapods, and Swift projects (Ultimate)

GitLab introduces a new Dependency Scanning analyzer that uses SBOM. This will replace Gemnasium, which will be supported until GitLab 19.0.

The SBOM-based analyzer offers better language support, GitLab integration, and industry-standard reporting.

It will be enabled by default in the latest Dependency Scanning CI/CD template for projects using:

• C/C++/Fortran/Go/Python/R with a conda-lock.yml file.
• Objective-C with a podfile.lock file.
• Rust with a cargo.lock file.
• Swift with a package.resolved file.

The DS_ENFORCE_NEW_ANALYZER variable is set to false by default, so existing users will keep using the Gemnasium analyzer.

To migrate to the new analyzer, set DS_ENFORCE_NEW_ANALYZER to true.

To prevent using the new analyzer entirely, set DS_EXCLUDED_ANALYZERS to dependency-scanning. Learn more here.

Multi-core Advanced SAST offers faster scans (Ultimate)

GitLab Advanced SAST users can now opt-in to multi-core scanning to enhance performance and significantly reduce scan duration, particularly for larger codebases. To enable this feature, set the CI/CD variable SAST_SCANNER_ALLOWED_CLI_OPTS to --multi-core N (where N represents the desired number of cores) exclusively on the gitlab-advanced-sast job. Refer to the documentation for guidance on selecting the appropriate value for N. Learn more here.

Implement OCI-based GitOps with the FluxCD CI/CD component (all users)

The new FluxCD component simplifies the implementation of GitOps best practices with GitLab. This component lets you package Kubernetes manifests into OCI images and store them in OCI-compatible container registries. Additionally, you can sign the images and initiate an immediate FluxCD reconciliation. Learn more here.

Enforce custom stages in pipeline execution policies (Ultimate)

Enhance your CI/CD pipelines with our new custom stage injection feature for pipeline execution policies. This update allows for greater control and flexibility within your pipeline structure while adhering to security and compliance standards.

Key benefits include:

• Enhanced pipeline customization: Define and inject custom stages at specific points in your pipeline for increased control over job execution.
• Improved security and compliance: Ensure security scans and compliance checks occur at optimal points in your pipeline (e.g., after build but before deployment).
• Flexible policy management: Maintain centralized policy control while granting development teams the ability to customize pipelines within established guidelines.
• Seamless integration: Custom stages integrate effortlessly with existing project stages and other policy types for a smooth enhancement of your CI/CD workflows.

How it works

The enhanced inject_policy strategy for pipeline execution policies lets you define custom stages in your policy configuration. These stages are then intelligently merged with your project's existing stages using a Directed Acyclic Graph (DAG) algorithm, ensuring proper ordering and preventing conflicts.

For example, you can effortlessly inject a custom security scanning stage between your build and deploy stages.

Important note: The inject_policy stage replaces the deprecated inject_ci stage. Opt into the inject_policy mode to access these benefits. This mode will become the default when configuring policies with Inject in the policy editor. Learn more here.

Support merge request variables in pipeline execution policies (Ultimate)

Pipeline execution policies now support additional merge request variables, giving you more control over CI/CD enforcement. These variables enable more sophisticated policies that consider merge request details for targeted and efficient control.

Newly supported variables

• CI_MERGE_REQUEST_SOURCE_BRANCH_SHA
• CI_MERGE_REQUEST_TARGET_BRANCH_SHA
• CI_MERGE_REQUEST_DIFF_BASE_SHA

Use cases

• Implement advanced security scans by comparing source and target branch changes to ensure thorough code review and vulnerability detection.
• Create dynamic pipeline configurations that adapt to each merge request's specifics for a streamlined development process.

Learn more here.

License scanning support for Swift packages (Ultimate) 

GitLab supports license scanning on Swift packages, providing users who utilize Swift within their projects a deeper understanding of their Swift package licensing. Composition analysis users can access this data via the Dependency List, SBOM reports, and GraphQL API. Learn more here.

Get started with the GitLab integration with Kubernetes (all users)

This release includes new Kubernetes Getting Started guides that provide easy-to-follow tutorials for deploying applications to Kubernetes using GitLab directly or with FluxCD. These guides are designed for novice and experienced users and do not require in-depth Kubernetes knowledge.

In addition to the Getting Started guides, we have included a series of recommendations for integrating GitLab into Kubernetes environments. Learn more here.

Control access to GitLab Pages for groups (all users)

GitLab Pages access can now be restricted at the group level. By enabling a single setting, group owners can make all Pages sites within the group and its subgroups visible only to project members. This centralized control simplifies security management by eliminating the need to modify individual project settings. Learn more here.

Run multiple Pages sites with parallel deployments (Premium, Ultimate)

GitLab Pages now supports parallel deployments, allowing you to create multiple versions of your sites simultaneously. Each deployment has a unique URL based on your configured prefix, such as  project-123456.gitlab.io/prefix (with a unique domain) or namespace.gitlab.io/project/prefix (without).

This feature is useful for:

• Previewing design changes or content updates
• Testing site changes in development
• Reviewing changes from merge requests
• Maintaining multiple site versions

Parallel deployments expire after 24 hours by default to manage storage space, but you can customize this duration or set deployments to never expire. For automatic cleanup, parallel deployments created from merge requests are deleted when the merge request is merged or closed. Learn more here.

Multiple pages deployment view.

GitLab-managed Kubernetes resources (Premium, Ultimate)

GitLab-managed Kubernetes resources now allow for more control and automation when deploying applications to Kubernetes. This new feature eliminates the need to manually configure Kubernetes resources for each environment by automatically provisioning and managing them. With GitLab-managed Kubernetes resources, namespaces, and service accounts can be automatically created for new environments, access permissions can be managed through role bindings, and other required Kubernetes resources can be configured. During application deployment, GitLab automatically creates the necessary Kubernetes resources based on provided resource templates, streamlining your deployment process and maintaining consistency across environments. Learn more here.

The update includes error handling, stability improvements, optimizations for pipeline execution, and better performance across the system. A key focus of this update has been on plugin updates, ensuring compatibility, security, and access to the latest features. These changes aim to provide a more reliable and efficient CI/CD environment.

Machine Learning Repositories

The Machine Learning Repositories with the FrogML SDK is a local management framework designed for machine learning projects. It acts as a centralized store for models and artifacts and incorporates a robust version control system. It provides local repositories and an SDK for streamlined model deployment and resolution.

The benefits include:

• Secure storage: Safeguard your valuable data by deploying models and other resources to Artifactory local repositories, granting you granular control over access to your models.
• Easy collaboration: Efficiently share and manage your machine learning projects with your team.
• Easy version control: The Machine Learning Repositories SDK (FrogML) provides a user-friendly version control system. You can name, categorize (using namespaces), and track different versions of your machine-learning projects.

Learn more here.

Helm Enforce Layout

Helm Enforce Layout ensures that Helm charts in your repositories are organized and structured to prevent errors during deployment. It does this by:

• Preventing duplicate chart paths: This ensures that only one instance of a chart with the same name and version exists in a repository, preventing confusion and maintaining chart integrity.
• Enforcing chart names and versions: This ensures that the chart name and version in the packaged file name match those in Chart.yaml and follow Semantic Versioning (SemVer) standards, promoting uniformity and collaboration.

Learn more here

Cleanup Policies: Release Bundle v2. 

JFrog Cleanup Policies for Release Bundle v2 optimize system performance by allowing Platform and Project Administrators to define custom policies to remove unused Release Bundles. Administrators can tailor a repeatable cleanup process to meet their organization's specific requirements by establishing criteria and rules for cleanup. Learn more here.

Added Clients for PyPI Repositories

PyPI repositories now support Poetry and Twine clients. Learn more here.

Packages and Repositories

Updating multiple repositories using a batch request

A single batch request can now update multiple repositories simultaneously, even with a mix of package types (e.g., Docker, Maven) and repository types (e.g., local, remote). Learn more here.

Virtual repositories can include repositories not assigned or shared to the same project

When editing a virtual repository configuration, you can now include local and remote repositories that are not assigned to or shared with the same project as the virtual repository. If aggregated, a message will appear in the UI with a button displaying a list of these repositories when clicked. This list can be exported to a CSV file. Learn more here.

Federated Repositories

Performance enhancement for Federated repositories

The performance of mirroring among Federation members is enhanced by a new system property that allows bulk fetching of event properties from the database. Learn more here.

Converting Federated repositories back to local

You can now convert a Federated repository back to a local repository using a REST API, provided it is not part of a Federation containing additional members. Learn more here.

OCI and Docker-related Changes

Enhanced Webhook Event Support for OCI and Docker Images

The Webhook events functionality for Docker images now includes OCI repositories and images.

• Support has been expanded to include OCI repositories, increasing integration capabilities.
• Events related to OCI images are now fully supported.
• A new image_type key has been added to the event action payload to indicate whether the action was performed on an OCI or Docker image.

Learn more here.

Additional Keys Added to the Webhook Promoted Event in the Docker Domain

The Image Promotion Webhook in the Docker domain has been expanded with two additional keys:

• targetRepo: The repository where the image is promoted to.
• targetTag: The new tag of the promoted image.

Learn more here.

Enabling SSO Disables Basic Authentication By Default

Enabling single sign-on authentication now disables internal password authentication by default. Learn more here about how to disable basic authentication methods and here about how to enable multi-factor authentication.

Cleanup policies

• Terraform: Terraform packages are now supported in Cleanup.
• Terraform BE Packages: Terraform BE packages are now supported in Cleanup and Archive.
• CocoaPods: CocoaPod packages are now supported in Cleanup.
• Hugging Face: Hugging Face packages are now supported in Cleanup.
• OCI: Helm OCI and OCI packages are now supported in Cleanup and Archive.
• Cargo: Cargo packages are now supported in Cleanup and Archive.
• Frog ML: Frog ML models are now supported in Cleanup and Archive.
• Ansible: Ansible packages are now supported in Cleanup and Archive.

Support for Scheduled Workers

JFrog now supports creating scheduled workers to trigger at predefined times or intervals, which you can define using Cron expressions. Learn more here.

Builds Security Overview

The update introduces a new Builds Security Overview dashboard that provides a centralized and comprehensive view of build versions. This dashboard allows you to analyze trends, identify the most vulnerable components, and mitigate security risks effectively. Learn more here.

Jira Ticket summary and description

Jira ticket summaries and descriptions created through the Xray/Jira integration have been refined for improved clarity and readability.

Indexing support for raw disc images 

Additionally, Xray now supports indexing raw disk images (.img) and SquashFS (.squashfs), expanding its artifact analysis capabilities. 

Support for 3 additional fields in CycloneDX vulnerabilities description

These 3 added fields greatly enhance the detail level and completeness of our CycloneDX SBOM reports:

• Vulnerability ratings: Include CVSS Score, CVE severity, Scoring method, and Vector.
• Vulnerability description: A detailed description of the specific vulnerability.
• Vulnerability CWEs: A list of CWE (Common Weaknesses Enumerations) that fit this specific CVE.

Other new features

Violation reports

JFrog added Repo Path to the generated Violation reports.

Operational Risk Policy

The enhanced Operational Risk Policy now enables customization of the release age in months rather than adhering to a default range.

Secrets Detection

The following repository types are now supported: RPM, Debian, Alpine, Go, RubyGems, and Gradle.

JFrog Curation

From now on, you can directly create a Curation Policy from a condition. New users can now follow a guided onboarding process for Curation. The process includes visual cues for tracking progress and outlines steps for enabling curation, connecting repositories, and setting policies.

Security Managers can now use a new Conditions Template to create Curation Policies based on OpenSSF scorecard results. Policies based on this template can detect and block third-party packages if their scorecard scores fall within a defined range.

Curation policies can now be applied to current and future repositories of a specific package type.

Improvements

• We improved the performance of Synchronizer user deactivation by implementing a batch-based solution.
• To accommodate varying environment needs, use the new configuration flag 'synchronizer_deactivation_batch_size' to adjust the batch size.

Important notes

• We've added support for Ubuntu 24.04.