We're rolling out a series of important software upgrades to enhance performance, security, and functionality.

Bitbucket will be updated from 8.19.13 to 9.4.3 LTS, bringing repository management improvements and security fixes. Jira and Jira Service Management will move from 9.17.4 to 10.3.3 LTS, introducing new workflow enhancements and UI improvements. GitHub Enterprise Server will be upgraded from 3.14.5 to 3.15.2, while GitLab progresses from 17.6.4 to 17.8.4, featuring better integrations and efficiency optimizations. SonarQube LTS transitions from 9.9.8 to 2025.1 LTS, and SonarQube Community Build moves from 9.9.8 to 25.2.0, ensuring more robust code quality analysis.

These updates will keep our development tools secure, scalable, and aligned with the latest industry standards. Stay tuned for further details on specific feature enhancements.

With the upgrade to 9.4.3 LTS, we’re making the leap to Platform 7, bringing significant architectural improvements and enhanced performance.

This update modernizes Bitbucket’s underlying framework, ensuring better scalability and long-term support. Platform 7 deprecates some older APIs, so teams should review compatibility for custom integrations. Expect a smoother UI, improved repository handling, and security enhancements that align with the latest best practices.

Platform 7

While the jump from 8.19.13 to 9.4.3 is a big one, it’s all about future-proofing our development workflows. It upgrades numerous Atlassian and third-party components to benefit from the latest security patches and bug fixes. Get ready for a faster, more robust Bitbucket experience!

Add reviewer groups as code owners

This feature introduces the ability to assign reviewer groups as code owners, streamlining the review process by automatically designating teams as responsible for specific parts of the codebase. This ensures the right experts are always involved in code reviews, improving collaboration and code quality. Make sure it’s handled within your teams! Learn more here.

Actual user avatars disabled in email notifications

The latest update disables anonymous avatar access due to a reported security vulnerability. This means that in email notifications, you’ll see default user avatars instead of actual ones. Please let us know if you’d like to continue showing actual user avatars in email notifications.

Multiline comments

Enhancements to the diff view now allow you to add comments and tasks to specific line ranges. By dragging the comment marker or using the "+" icon across lines of code, reviewers can provide more precise feedback and context within the code, streamlining team communication and the review process. Learn more here.

Multiline suggestions

The recent upgrade improves code reviews with multiline suggestions, enabling reviewers to propose changes across multiple lines in a single suggestion. This enhancement makes feedback more actionable, reducing back-and-forth discussions and speeding up the review process. By allowing clearer and more comprehensive edits, teams can collaborate more effectively and maintain high code quality. Learn more here.

New login experience with two-step verification

The recent upgrade introduces a new login experience featuring two-step verification, enhancing account security. Users can now set up two-step verification and verify their identity with an authentication app during login, providing additional protection for their Atlassian accounts. This improvement simplifies enabling and managing two-step verification, ensuring a smoother and more secure authentication experience. Learn more here.

API changes

You can now use the REST API to retrieve the diff statistics summary (total lines of code added and removed, and number of files changed) for commits and pull requests.

Gray APIs have been removed from Bitbucket Data Center, reducing the scope of third-party libraries and improving dependency management.

Prevent branch creation with new permission

A new permission has been implemented to restrict the creation of new branches in repositories. This authorization can be applied to specific branching patterns or models within a cascading merge workflow. Any unauthorized users attempting to create restricted branches will encounter an error message.


Upgrading to Jira 10.3.3 LTS brings significant enhancements by integrating Atlassian Data Center Platform 7. This upgrade introduces a modernized architecture, improving system performance and scalability. Notable changes include the deprecation of certain legacy APIs, necessitating a review of custom integrations for compatibility. Additionally, the platform now fully exposes REST v2, offering developers a more robust and comprehensive API.

These advancements ensure Jira remains secure, efficient, and aligned with current technological standards.

Platform 7 Atlassian Data Center

Jira 10.0 introduces an upgrade to Atlassian Data Center Platform 7, enhancing security response while minimizing disruptions and breaking changes for Atlassian Marketplace apps.

To strengthen security and performance as part of this platform update, several key improvements have been made:

  • Streamlined dependency management by reducing the number of third-party libraries.
  • Upgraded multiple Atlassian and third-party components to incorporate the latest security patches and bug fixes.
  • Refined the overall Java API definition for better consistency and usability.
  • Established minimum required support for Java 17, ensuring compatibility with modern development standards.

Breaking changes to the REST API

In this release, Jira removed a set of REST API endpoints that have been deprecated since Jira Software 9.x. If you have any external connections configured, make sure to check those. Learn more here.

Automation rule validation

From now on, Jira will indicate if there are any configuration errors when you open an existing rule. This helps to identify and fix rule configurations before publishing.

Component validations for disabled automation rules

Component validations are now applied to both enabled and disabled automation rules whenever they are updated. This ensures that all rules are thoroughly checked, allowing for the swift detection of configuration errors.

Alert, metric, and statistics logs in Jira automation

To improve the monitoring of automation queues, we’re introducing alert, metric, and statistics logs. Every five minutes, a log will capture key details, including the number of messages added, claimed, and processed from the queue and the total rules executed. If the automation queue surpasses the configurable threshold of 10,000, an alert will appear on the Jira diagnostics screen. The queue length is also now available as a JMX metric for easier tracking.

New login experience with two-step verification

A new login experience is introduced with an extra layer of authentication for enhanced security. Users can now enable two-step verification, requiring identity confirmation through an authentication app during login. This added protection helps safeguard Atlassian accounts from unauthorized access. Learn more about managing two-step verification.

Accessibility improvements for low-vision and keyboard-only users

As part of our commitment to accessibility, Jira delivers more improvements for screen reader and keyboard-only users by addressing critical severity issues. This release focuses on refining the underlying HTML structure and JavaScript logic to enhance usability and navigation.

Jira automation support for Microsoft Teams webhooks

Microsoft recently announced the retirement of Office 365 connectors in Microsoft Teams. To maintain seamless communication between automation rules and Teams, we've introduced a workaround that enables users to create their own connectors. This solution allows you to set up a flow chain that listens to Jira webhooks, ensuring continued integration. The feature is available starting from the following Jira versions. Learn more here.

Integrity Checker improvements

The Integrity Checker has been optimized for enterprise-scale performance, reducing JVM memory pressure and preventing full garbage collection. Issue detection is now significantly faster, and corrections are more comprehensive and precise.

To improve efficiency for long-running fix operations, Atlassian introduced a configurable limit on fixes per check, jira.integrity.checker.results.limit, which defaults to 1000 but can be adjusted as needed. For better usability, the default number of displayed results has also been capped at 20.

Bulk commit fetching

To enhance the efficiency of the synchronization process in the Distributed Version Control System (DVCS), we’re introducing bulk commit fetching for GitHub. With this update, DVCS can now retrieve up to 100 commits at a time for a branch instead of fetching them individually. This improvement:

  • Reduces the number of REST calls to GitHub.
  • Accelerates synchronization.
  • Lowers the risk of hitting rate limits.

Change the default issue order in your project

You now have the flexibility to set the default sorting order for issues in your project.

To adjust the issue order:

  • Ensure you have project admin permissions and navigate to your project.
  • Go to Project settings and select Details.
  • Under Preferences, find Issue order and choose your preferred sorting method.
  • To revert to Jira’s default sorting (by priority and last update), select Not set.

Turn off the lights with dark theme

This feature reduces eye strain and enhances visual comfort, especially in low-light environments. Users can easily switch between light and dark themes according to their preferences. To enable the dark theme, click on your profile avatar in the top-right corner, select "Personal settings," and choose the "Dark" option under the "Theme" section. 

Your logo in light and dark

The latest update introduces the ability to upload a custom logo that adapts seamlessly to light and dark themes. This enhancement ensures branding remains consistent and visually appealing, regardless of the selected interface. To configure this, navigate to Administration > System > Look and Feel, and upload a logo with a transparent background. This approach guarantees that the logo displays correctly on light and dark backgrounds, maintaining a professional appearance across all user settings.

New header color in the original theme

The original theme's header color has been updated in the latest release from blue to white. This change aligns the header with the light theme, providing a more cohesive and modern user interface. Administrators should note that this modification may affect previously applied custom branding or color schemes. 

Dark Theme plugin became a system application

Keep in mind that using any dark theme external plugin may interfere with native Jira functionality. Be sure to disable it to avoid any issues.

Updates to Jira automation

Starting with Jira 9.0, Jira automation (previously known as Automation for Jira) was integrated directly into the platform, allowing upgrades through Jira or the Universal Plugin Manager (UPM). To simplify and improve the automation experience, it will now be exclusively available as a bundled feature from Jira 10.0 onward. As a result, all future Jira automation updates will be included in Jira release notes.

This change means new Jira automation versions will no longer be published on the Atlassian Marketplace. However, existing versions will continue to receive security support, and users can access new features and improvements simply by upgrading Jira.

With the release of Jira 10.0, the bundled automation version has been updated to reflect key changes, including the migration to REST v2.

Upgrading from Jira Service Management (JSM) 5.17.5 to 10.3.3 brings significant enhancements, including the integration of Atlassian Data Center Platform 7. This upgrade improves security response and reduces disruptions for Marketplace apps.
JSM 10.3.3 is a Long Term Support (LTS) release, ensuring extended support and stability for your organization. Refer to the section below for a comprehensive overview of the changes and improvements.

Possibly breaking changes

Removal of internal GraphQL APIs in Assets

Atlassian has removed the internal Assets GraphQL APIs to improve security, standardize API patterns across Jira Service Management and Assets, and streamline the codebase. The APIs configuring Assets icons have been migrated to new internal REST endpoints.

As part of this change, the following will be removed:

GraphQL endpoint: /insight/graphql

GraphQL queries: Learn more here.
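
One way to find integrations that still call the removed endpoint before the upgrade is to scan reverse-proxy access logs for it. The following is an added example, not Atlassian's or Eficode's code; it assumes Combined Log Format and an optional context path (such as /jira) in front of /insight/graphql, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Endpoint the page names as removed in this release.
REMOVED_ENDPOINT = "/insight/graphql"

# Constructed access log lines in Combined Log Format (all values are made up).
SAMPLE_LOG = """\
10.0.4.17 - svc-cmdb [03/Mar/2025:09:12:01 +0000] "POST /insight/graphql HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.4.17 - svc-cmdb [03/Mar/2025:09:17:01 +0000] "POST /insight/graphql HTTP/1.1" 200 498 "-" "python-requests/2.31"
10.0.9.52 - jdoe [03/Mar/2025:10:02:44 +0000] "GET /rest/api/2/issue/OPS-1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.7.3 - - [03/Mar/2025:11:30:10 +0000] "POST /jira/insight/graphql?x=1 HTTP/1.1" 401 87 "-" "curl/8.5.0"
this line is truncated and must be skipped
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)


def callers_of_removed_endpoint(log_text, endpoint=REMOVED_ENDPOINT):
    """Group requests to the removed endpoint by (client IP, user, user agent)."""
    callers = defaultdict(lambda: {"count": 0, "last_seen": None, "statuses": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or truncated line
        # Drop the query string, then accept an optional context path prefix.
        path = m["target"].split("?", 1)[0].rstrip("/")
        if not path.endswith(endpoint):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entry = callers[(m["ip"], m["user"], m["agent"])]
        entry["count"] += 1
        entry["statuses"].add(int(m["status"]))
        if entry["last_seen"] is None or ts > entry["last_seen"]:
            entry["last_seen"] = ts
    return {
        key: {"count": v["count"], "last_seen": v["last_seen"],
              "statuses": sorted(v["statuses"])}
        for key, v in callers.items()
    }


if __name__ == "__main__":
    for (ip, user, agent), info in callers_of_removed_endpoint(SAMPLE_LOG).items():
        print(f"{ip} user={user} agent={agent} calls={info['count']} "
              f"last={info['last_seen'].isoformat()} statuses={info['statuses']}")
```

Each reported caller is an integration or script whose owner needs to move off the GraphQL endpoint before the upgrade.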

Avoid surprises with the change calendar

JSM has introduced freeze and maintenance windows in the change calendar to help minimize service disruptions and enable efficient planning for critical system changes. With all events scheduled in the calendar, change approvers can easily evaluate requests from change requestors and adjust schedules to prevent conflicts.

To start using the change calendar in your project:

  1. Navigate to Project settings and select Change management.
  2. Enable the change calendar.
    It is enabled by default in projects that use the ITSM template.
  3. In the Default calendar view section, select the start and end date fields.
    Change requests are plotted on the calendar based on the data in the custom fields you select here.
  4. Select Save.

The change calendar is now available to all agents of this project from the sidebar.

Request type field now available in the issue view

The Request type field has been added to the issue view to simplify the request submission process. This enhancement improves Jira Service Management’s integration with the Jira platform by properly mapping issues to request types. As a result, all service project tickets can now include essential context and details from the outset, directing requests to the appropriate help channels and workflows for more efficient and high-quality service delivery.

Figure: Request type field

View all assets imports from one place

New improvements to import management make it easier to handle complex import schedules and optimize import configurations.

Users can now view the status, history, and schedule of imports across all object schemas from a single location, ensuring efficient scheduling without conflicts with other resource-intensive tasks.

Additionally, imports can be customized to send notifications about their status, allowing users to take timely action with minimal manual effort.

To access all imports, navigate to Assets in the top navigation bar and select Imports.

Figure: Assets import

To receive notifications about the import status:

  1. Navigate to the object schema and select the import configuration for which you wish to receive notifications.
  2. Select the cog icon and then select Configure.
  3. In the Edit import configuration dialog, navigate to the Scheduling tab.
  4. Select the Notifications check box.

All object schema managers of this import configuration will receive notifications about the job status.

ProForma app becomes free of charge

ProForma is now free for Jira Service Management licenses starting with this release. However, if you haven't used ProForma before the upgrade, you must manually install it from the Marketplace. For users on Jira Service Management 10.2 or earlier or any version of Jira Software, ProForma will still require a valid paid license. Learn more here.

Turn off the lights with dark theme

This feature reduces eye strain and enhances visual comfort, especially in low-light environments. Users can easily switch between light and dark themes according to their preferences. To enable the dark theme, click on your profile avatar in the top-right corner, select "Personal settings," and choose the "Dark" option under the "Theme" section.

Your logo in light and dark

The latest update introduces the ability to upload a custom logo that adapts seamlessly to light and dark themes. This enhancement ensures branding remains consistent and visually appealing, regardless of the selected interface. To configure this, navigate to Administration > System > Look and Feel, and upload a logo with a transparent background. This approach guarantees that the logo displays correctly on light and dark backgrounds, maintaining a professional appearance across all user settings.

New header color in the original theme

The original theme's header color has been updated in the latest release from blue to white. This change aligns the header with the light theme, providing a more cohesive and modern user interface. Administrators should note that this modification may affect previously applied custom branding or color schemes. 

Dark Theme plugin became a system application

Keep in mind that if you’re using any dark theme external plugin, it may interfere with native Jira functionality. Make sure to disable it to avoid any issues.

Updates to Jira automation

Starting with Jira 9.0, Jira automation (previously known as Automation for Jira) was integrated directly into the platform, allowing upgrades through Jira or the Universal Plugin Manager (UPM). To simplify and improve the automation experience, it will now be exclusively available as a bundled feature from Jira 10.0 onward. As a result, all future Jira automation updates will be included in Jira release notes.

This change means new Jira automation versions will no longer be published on the Atlassian Marketplace. However, existing versions will continue to receive security support, and users can access new features and improvements simply by upgrading Jira.

With the release of Jira 10.0, the bundled automation version has been updated to reflect key changes, including the migration to REST v2.

Streamline your request intake process

JSM has introduced the ability to add restrictions to request types, giving you control over who can raise specific requests and ensuring they are routed to the appropriate channels. For example, sensitive request types like employee pay hikes can now be restricted to managers and HR staff only. These restrictions apply to both the customer portal and issue view, so only those with explicit access—such as help-seekers, agents, and admins—can create these requests. Users without access to a particular request type won't see it as an option, even in search.

Please note that restrictions cannot be applied to request types used in email channels, allowing anonymous users to send requests through these channels.

Figure: New request intake process

Automation access restrictions

Jira automation will now check if the rule actor can create the request type used in any of your automation rules. The check applies to the following actions:

  • Create service desk request.
  • Edit issue (only if the request type value changes).
  • Transition issue (only if the request type value changes).

Automation rule validation

JSM now indicates if there are any configuration errors when you open an existing rule. This helps to identify and fix rule configurations before publishing.

Component validations for disabled automation rules

Component validations are now performed for both enabled and disabled automation rules whenever they are updated. This ensures all rules are validated, allowing for the quick identification of any configuration errors.

Restrict comment visibility to a group or role

The way agents and admins share information when commenting on issues has been improved. In service projects, comments can now be restricted to all internal users and specific roles or groups they belong to.

Figure: New comment view restrictions

Accessibility improvements for low-vision and keyboard-only users

As promised, more accessibility updates have been introduced for screen reader and keyboard-only users, addressing critical severity defects. Key improvements in this release include fixes to the underlying HTML structure and JavaScript logic. Learn more here.

New login experience with two-step verification

The JSM login experience has been revamped with an added layer of authentication to enhance account security. Users can now set up two-step verification and use an authentication app to verify their identity when logging in to protect their Atlassian account. Learn more here.

Jira automation support for Microsoft Teams webhooks

Microsoft recently announced the retirement of Office 365 connectors in Microsoft Teams. To maintain seamless communication between automation rules and Teams, we've introduced a workaround that enables users to create their own connectors. This solution allows you to set up a flow chain that listens to Jira webhooks, ensuring continued integration. The feature is available starting from the following Jira versions. Learn more here.

Integrity Checker improvements

The Integrity Checker has been optimized for enterprise-scale performance, reducing JVM memory pressure and preventing full garbage collection. Issue detection is now significantly faster, and corrections are more comprehensive and precise.

To improve efficiency for long-running fix operations, Atlassian introduced a configurable limit on fixes per check, jira.integrity.checker.results.limit, which defaults to 1000 but can be adjusted as needed. The default number of displayed results has also been capped at 20 for better usability.

Alert, metric, and statistics logs in Jira automation

We’re introducing alert, metric, and statistics logs to improve the monitoring of automation queues. Every five minutes, a log will capture key details, including the number of messages added, claimed, and processed from the queue and the total rules executed. If the automation queue surpasses the configurable threshold of 10,000, an alert will appear on the Jira diagnostics screen. The queue length is also now available as a JMX metric for easier tracking.

In GitHub Enterprise Server 3.15, several enhancements have been made to improve security, including stronger SAML support and improved token management. Advanced code scanning capabilities are also integrated with GitHub Actions and more flexible repository management tools. Additionally, performance has been optimized for faster operations, while audit logs have been expanded for better tracking and compliance. These updates provide a more secure, efficient, and user-friendly experience for managing your GitHub Enterprise environment.

Closing down

In GitHub Enterprise Server 3.16, tag protection rules will be migrated to a ruleset, and the tag protection rule feature will no longer be available.

All users should know that GitHub Projects (classic) are closing down. They should migrate to new Projects powered by GitHub Issues. Learn more here.

GitHub Projects (classic) will be retired in GitHub Enterprise Server 3.17. Learn more here.

Dependabot

Organization owners, security managers, and users with admin access can manage and create custom auto-triage rules for Dependabot. These rules automatically dismiss alerts that meet specific criteria, helping to streamline security management. This feature is now generally available. Learn more here.

GitHub Advanced Security

Organization owners and security managers can now use the "CodeQL pull request alerts" view in the security overview to identify and address security risks across the organization and enterprise. This view highlights the most common alerts in pull requests and provides insight into corresponding remediation rates, allowing for proactive security management. Learn more here.

Code security

Security configurations now allow organization owners and security managers to streamline the deployment of GitHub security products at scale. They can create custom configurations by defining security settings and applying them across multiple repositories. Policies can be enforced to maintain consistency and to prevent repositories from modifying the enablement of security features. Learn more here.

Organization owners and security managers can programmatically create, apply, enforce, and monitor security configurations using REST API calls and audit logs. Learn more here.

Organization owners and security managers will see a new organization-level code security settings UI. In the organization settings sidebar, an expanding Code security option has replaced the Code security and analysis option. This contains new Configurations and Global settings options. Learn more here.

GitHub Actions

For self-hosted GitHub Actions runners on this GitHub Enterprise Server release, the minimum required version of the GitHub Actions Runner application is 2.319.1. If your instance uses ephemeral self-hosted runners and you've disabled automatic updates, upgrade your runners to this version of the Runner application before upgrading your instance to this GitHub Enterprise Server release. Learn more here.

Known issues

In some situations, large .adoc files stored in a repository do not render properly in the web UI. The raw contents are still available to view as plaintext.

GitLab will be upgraded from 17.6.4 to 17.8.4. This upgrade brings several significant improvements and security enhancements to improve the user experience.

One of the key improvements in this version is enhanced security for container repositories, ensuring your containerized applications are better protected against vulnerabilities. Additionally, GitLab now includes a new feature for machine learning model experiment tracking, making it easier to collaborate and maintain reproducibility in AI projects.

A notable enhancement is the ability to view all deployments associated with a specific release, giving you clearer insights into your deployment history and status. For GitLab Dedicated users, hosted runners on Linux are now available, simplifying CI/CD pipeline setups without requiring you to manage runner infrastructure.

Security remains a top priority, and this update includes important fixes addressing vulnerabilities such as session data exfiltration and potential denial-of-service threats. These improvements strengthen the platform's overall security and reliability.

Administration

View paused Flux reconciliations on the dashboard for Kubernetes (Core, Premium, Ultimate)

Previously, suspending Flux reconciliation from the Kubernetes dashboard lacked a clear visual indicator. GitLab has introduced a new "Paused" status alongside the existing status indicators to improve visibility. This makes it easy to see when Flux reconciliation is suspended, providing better insight into the state of your deployments. Learn more here.

Primary domain redirect for GitLab Pages (Core, Premium, Ultimate)

It is now possible to set a primary domain in GitLab Pages, allowing all requests from custom domains to be automatically redirected. This helps preserve SEO rankings and ensures a consistent brand experience by directing visitors to the preferred domain, regardless of the URL they originally used. Learn more here.

View subgroups and projects pending deletion (Premium, Ultimate)

When a group is marked for deletion, visibility into all affected subgroups and projects is essential. Previously, only the group displayed a "Pending deletion" label, while its subgroups and projects did not, making it difficult to identify content scheduled for removal. Now, all subgroups and projects within a deleted group will display the "Pending deletion" label, providing clearer visibility and making it easier to distinguish between active and soon-to-be deleted content across the entire group hierarchy. Learn more here.

Search for pods on the dashboard for Kubernetes

Locating specific pods in large Kubernetes deployments can be time-consuming. A new search bar has been introduced to streamline this process, allowing pods to be quickly filtered by name. The search applies across all available pods and can be combined with status filters, making it easier to find the exact pods needed for monitoring or troubleshooting. Learn more here.

Use roles to define project members as Code Owners (Premium, Ultimate)

You can now use roles as Code Owners in your CODEOWNERS file to manage role-based expertise and approvals more efficiently. Instead of listing individual users or creating groups, you can use the following syntax:

  • @@developers - References all users with the Developer role.
  • @@maintainers - References all users with the Maintainer role.
  • @@owners - References all users with the Owner role.

For example, add * @@maintainers to require approval from any maintainer for all changes in the repository.

This simplifies Code Owner management as team members join, leave, or change roles in your project. The CODEOWNERS file remains current without manual updates because GitLab automatically includes all users who have the specified role. Learn more here.
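
A small audit of a CODEOWNERS file that uses the role syntax above, as an added example rather than GitLab's own tooling. It flags misspelled role tokens and sensitive paths whose effective rule names no role. The sample file, the paths, @alice and the simplified pattern matcher are assumptions made for illustration; section headers are skipped rather than interpreted.

```python
import fnmatch

# Role tokens the page lists; GitLab expands each to every member with that role.
ROLE_TOKENS = {"@@developers", "@@maintainers", "@@owners"}

# Constructed CODEOWNERS file for illustration (paths and @alice are made up).
SAMPLE_CODEOWNERS = """\
# Any maintainer may approve changes by default.
* @@maintainers
/docs/ @@developers
/deploy/ @@owners
/.gitlab-ci.yml @alice
/scripts/release.sh @@maintainer
"""


def parse_codeowners(text):
    """Return [(line_number, pattern, [owners])]; comments and section headers are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", "[", "^[")):
            continue
        pattern, *owners = line.split()
        rules.append((lineno, pattern, owners))
    return rules


def pattern_matches(pattern, path):
    """Simplified matcher (assumption): '*', '/dir/' prefixes and fnmatch-style globs."""
    if pattern == "*":
        return True
    pat = pattern.lstrip("/")
    if pat.endswith("/"):
        return path.startswith(pat)
    if pattern.startswith("/"):
        return fnmatch.fnmatchcase(path, pat)
    basename = path.rsplit("/", 1)[-1]
    return fnmatch.fnmatchcase(path, pat) or fnmatch.fnmatchcase(basename, pat)


def effective_rule(rules, path):
    """The last matching line decides the owners for a path."""
    match = None
    for rule in rules:
        if pattern_matches(rule[1], path):
            match = rule
    return match


def audit(text, sensitive_paths):
    """Return (line, subject, reason) findings for a CODEOWNERS file."""
    rules = parse_codeowners(text)
    findings = []
    # A misspelled token such as @@maintainer is not one of the three role tokens.
    for lineno, pattern, owners in rules:
        for owner in owners:
            if owner.startswith("@@") and owner not in ROLE_TOKENS:
                findings.append((lineno, pattern, f"unknown role token {owner}"))
    # Sensitive paths should resolve to a rule that names at least one role.
    for path in sensitive_paths:
        rule = effective_rule(rules, path)
        if rule is None:
            findings.append((None, path, "no code owner rule matches"))
        elif not ROLE_TOKENS.intersection(rule[2]):
            findings.append((rule[0], path, "no recognized role token among owners"))
    return findings


if __name__ == "__main__":
    paths = [".gitlab-ci.yml", "deploy/prod.yaml", "scripts/release.sh"]
    for finding in audit(SAMPLE_CODEOWNERS, paths):
        print(finding)
```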

Project creation protection for groups now includes Owners (Core, Premium, Ultimate)

Project creation within a group can be restricted to specific roles using the Allowed to create projects setting. The Owner role is now included as an option, allowing project creation to be limited exclusively to users with this role. Previously, the Owner role was not available in the selection options. Learn more here.

Extended token expiration notifications (Core, Premium, Ultimate)

Previously, token expiration email notifications were only sent seven days before expiry. Now, these notifications are also sent 30 and 60 days before expiry. The increased frequency and date range of notifications make users more aware of tokens that may expire soon. Learn more here.

New description field for access tokens (Core, Premium, Ultimate)

When creating a personal, project, group, or impersonation access token, you can now optionally enter a description of that token. This helps provide extra context about the token, such as where and how it is used. Learn more here.

Enable secret push protection in your groups with APIs (Ultimate)

With this release, you can activate secret push protection for all projects in your group using the REST API and the GraphQL API. Enabling secret push protection at the group level allows for more efficient management rather than configuring it for each project individually. Audit events are logged whenever push protection is enabled or disabled. Learn more here.

Kubernetes 1.31 support (Core, Premium, Ultimate)

This release fully supports Kubernetes version 1.31, released in August 2024. If you deploy your apps to Kubernetes, you can upgrade your connected clusters to the most recent version and take advantage of all its features. Learn more here.

New Planner user role (Core, Premium, Ultimate)

GitLab introduced the new Planner role to provide tailored access to Agile planning tools, such as epics, roadmaps, and Kanban boards, without over-provisioning permissions. This change enhances collaboration while ensuring workflows remain secure and aligned with the principle of least privilege. Learn more here.

AI

GitLab MLOps Python Client Beta (Core, Premium, Ultimate)

GitLab acknowledged that data scientists and machine learning engineers typically work in Python environments, but integrating their machine learning workflows with GitLab's MLOps features often required switching contexts and understanding GitLab's API structure. This added friction to the development process and slowed the ability to track experiments, manage model artifacts, and collaborate with team members.

To address this, GitLab introduced the new MLOps Python client, which provides a seamless, Pythonic interface to GitLab's MLOps features. Data scientists can now interact directly with GitLab's experiment tracking and model registry capabilities from their Python scripts and notebooks. The client includes:

  • GitLab experiment tracking: Easily track machine learning experiments within GitLab.
  • Model registry integration: Register and manage models in GitLab's model registry.
  • Experiment management: Create and manage experiments directly from the client.
  • Run tracking: Initiate and monitor training runs with ease.

This integration allows data scientists to focus on model development while automatically capturing their ML lifecycle metadata in GitLab. The Python client integrates smoothly with existing ML workflows, requiring minimal setup, making GitLab's MLOps features more accessible to the data science community.

Machine learning model experiments tracking in GA (Core, Premium, Ultimate)

When creating machine learning models, data scientists often experiment with various parameters, configurations, and feature engineering to improve model performance. Tracking all this metadata and the associated artifacts so the data scientist can later replicate the experiment is not easy. Machine learning experiment tracking allows them to log parameters, metrics, and artifacts directly into GitLab, ensuring easy access later on while keeping all experimental data within the GitLab environment.

This feature is now generally available with enhanced data displays, improved permissions, deeper integration with GitLab, and bug fixes. Learn more here.

UI/UX

Customizable colors for epics (Premium, Ultimate)

You now have more flexibility in categorizing your epics with an expanded set of color options, including pre-existing values and custom RGB or hex codes. This enhanced visual customization allows you to easily associate epics with squads, company initiatives, or hierarchy levels, making prioritizing and organizing your work on roadmaps and epic boards simpler. Learn more here.

Show iteration field on child items in epics, issues, and objectives (Premium, Ultimate)

When viewing epic detail, planners need to see which child issues are planned into iterations (sprints) and which are not yet planned. This will allow teams to more easily make sure that all defined work is slated into sprints. Learn more here.

Epic ancestors (Ultimate)

The redesigned Ancestry widget now provides a clear and concise breadcrumb-like view of the epic hierarchy, prominently displayed at the top of each epic page. Easily visualize parent and child epic relationships, maintaining a clear project structure overview and simplifying navigation between related epics. Learn more here.

Expanded Code Flow view for Advanced SAST (Ultimate)

The Advanced SAST code flow view is now available in the Vulnerability Report, Merge request security widget, Pipeline security report, and Merge request changes view. The new views are on by default, starting in GitLab 17.6 (all views except MR changes view) and GitLab 17.7 (MR changes view). Learn more here.

Navigation and usability improvements for the compliance center (Ultimate, Premium)

The compliance center's user experience for both groups and projects has been enhanced with GitLab 17.7. Users can filter by groups in the Projects tab to easily find the right project and its associated compliance framework. Additionally, a new Frameworks tab within a project's compliance center allows users to search for attached compliance frameworks. Remember that adding or editing frameworks is still managed at the group level. Learn more here.

Set your preferred text editor as default (Ultimate, Premium)

This version introduces the ability to select a default text editor, allowing for a more personalized editing experience. Users can now choose between the rich text editor, the plain text editor, or no default editor. This update improves workflows and ensures the editor interface aligns with individual and team preferences. Learn more here.

Rotate personal, project, and group access tokens in the UI (Core, Premium, Ultimate) 

You can now use the UI to rotate personal, project, and group access tokens. Previously, you had to use the API to do this. Learn more here.

Reporting

Find the commit that resolved a vulnerability (Ultimate)

GitLab improved the visibility into vulnerability resolution. Now, when a vulnerability is no longer detected, GitLab displays a link to the specific commit SHA where it was resolved. This enhancement provides better traceability and insight into the resolution process, and facilitates collaboration between security and development teams. Learn more here.

Track time spent on epics (Premium, Ultimate)

You can now track time directly in epics, giving you more granular control over your project's time management. This feature allows you to log time spent on different aspects of your project, helping you monitor progress, stay on schedule, and keep your budget in check as you work through sprints and milestones. Learn more here.

Track multiple to-do items in an issue or merge request (Core, Premium, Ultimate)

Stay informed and organized with the ability to track multiple discussions and mentions within a single issue or merge request. With the new multiple to-do items feature, you'll receive individual to-do items for each action or mention. This ensures you won't overlook any important updates or requests, allowing you to manage your work more effectively and efficiently address your team's needs. Learn more here.

Webhooks for epics (Premium, Ultimate)

Supercharge your workflow automation with the epic webhooks, allowing you to receive real-time updates in your preferred tools whenever changes occur in your epics. By integrating GitLab with your other services, you can enhance collaboration, stay on top of project developments, and streamline your processes without constantly switching between applications. Learn more here.

List the deployments related to a release (Core, Premium, Ultimate)

GitLab's release management features have been improved. Users can now directly view all deployments associated with a specific release on the release page. This allows release managers to quickly confirm deployment locations and identify pending deployments. This new functionality enhances the existing deployment page integration, which displays release notes for tagged deployments. Learn more here.

Track CI/CD component usage across projects (Premium, Ultimate)

DevOps teams need insight into where their CI/CD components are used across pipelines to effectively manage and optimize them. Previously, a lack of visibility made it difficult to track outdated component use, understand adoption rates, and support component life cycles. To solve this, GitLab has introduced a new GraphQL query that shows DevOps teams which projects use a specific component within their organization's pipelines. This feature gives DevOps teams the data they need to increase productivity and make informed decisions. Learn more here.

Project development

Support multiple distinct approval actions in merge request approval policies (Ultimate)

Now, you can create up to five approval rules for each merge request approval policy, allowing for more flexible and robust approval policies. Each rule can have different approvers or roles and is evaluated independently. This update enables security teams to create complex approval workflows to ensure compliance and enhanced control in sensitive workflows.

Example uses:

  • Distinct role approvals: One approval from a Developer and another from a Maintainer.
  • Role and group approvals: One approval from the Developer or Maintainer and another from a member of the Security Group.
  • Distinct group approvals: One approval from a member of the Python Experts Group and another from a member of the Security Group.

Learn more here.

Enforce centralized workflow rules for the `override_ci` strategy (Ultimate)

Workflow rules can now be used with the `override_ci` strategy in pipeline execution policies to control policy-defined and project configuration jobs (when using `include: project`). This allows for finer policy enforcement, such as restricting the use of branch pipelines.

To ensure workflow rules only target policy-defined jobs, it's recommended to define rules at the job level or group jobs and rules using a separate `include` field.

Previously, workflow rules with `override_ci` only applied to jobs within the policy. The `inject_ci` strategy remains unaffected; workflow rules only control policy job enforcement without impacting project workflow rules.

Epic parent (Ultimate)

Epics can now be assigned a parent epic directly, streamlining the management of epic hierarchies and enhancing project organization. Learn more here.

Epic health status (Ultimate)

The new health status feature for epics allows you to easily communicate the progress of your projects. You can set the status as "On track," "Needs attention," or "At risk" to provide a quick visual indicator of your epic's health. This feature allows you to manage risk and inform stakeholders about the project's overall status. Learn more here.

Make `skip_ci` configurable for pipeline execution policies (Ultimate)

Pipeline Execution Policies (PEPs) now have a new configuration option to manage the `[skip ci]` directive, providing greater flexibility. This feature addresses scenarios like semantic releases, where pipeline execution must be bypassed while still performing essential security and compliance checks.

To use this feature, set `skip_ci` to `allowed: false` in the pipeline execution policy YAML configuration or enable "Prevent users from skipping pipelines" in the policy editor. Then, specify the users or service accounts allowed to use `[skip ci]`. By default, all users will be prevented from skipping pipeline execution jobs unless they are specified as an exception within the `skip_ci` configuration. Learn more here.

Manage concurrency of scheduled scan execution pipelines (Ultimate)

A new `time_window` property has been added to scan execution policies and can be configured in YAML mode. This improvement enhances the scalability of global scheduled scan execution by allowing you to define a time period for policy-created schedules, ensuring optimal performance. Use the `time_window` schema and specify the time window in seconds (e.g., 86400 for 24 hours). Additionally, set the `distribution: random` field and value to randomly distribute schedule execution within the defined time window. Learn more here.
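A policy file combining the two settings described above, `skip_ci` on a pipeline execution policy and `time_window` on a scheduled scan execution policy, given here as an added example and not as configuration from GitLab or from these release notes. The policy names, project path, file name, user ID, cron cadence, branch and scan type are placeholder assumptions; the field names follow GitLab's documented policy schema and should be checked against the version you run.

```yaml
# .gitlab/security-policies/policy.yml in the security policy project
# Constructed example: names, paths, IDs and schedule are placeholders.

pipeline_execution_policy:
  - name: Enforce compliance jobs                      # placeholder name
    description: Required checks that [skip ci] must not bypass
    enabled: true
    pipeline_config_strategy: inject_ci
    content:
      include:
        - project: example-group/compliance-pipelines  # placeholder project path
          file: compliance.yml                         # placeholder file
    skip_ci:
      allowed: false         # users can no longer skip the policy's jobs with [skip ci]
      allowlist:
        users:
          - id: 1234         # placeholder ID of an excepted account (e.g. a release bot)

scan_execution_policy:
  - name: Nightly secret detection                     # placeholder name
    description: Scheduled scan spread across a 24-hour window
    enabled: true
    rules:
      - type: schedule
        cadence: '0 2 * * *' # placeholder cron expression
        branches:
          - main
        time_window:
          value: 86400          # window length in seconds (24 hours)
          distribution: random  # run each schedule at a random point in the window
    actions:
      - scan: secret_detection
```

Keeping the `skip_ci` allowlist limited to the service accounts that actually need it means commits pushed by ordinary users still run the enforced jobs.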

Secret detection now includes remediation steps (Ultimate)

To enhance your system's security, GitLab incorporated specific remediation steps for each type of detected secret into its secret detection process. These guidelines, which appear on all vulnerabilities after a pipeline run, will help you systematically address secret exposures and mitigate the risk of security breaches. This is crucial, as it's essential to quickly fix exposed secrets and take further steps - such as rotating credentials and investigating potential unauthorized access - to minimize the risk of attackers exploiting them to gain access to your systems. Learn more here.

Safeguard your dependencies with protected packages (Core, Premium, Ultimate)

Safeguarding your valuable dependencies against accidental alterations or deletions is vital in maintaining the efficiency of your software development process. GitLab's new Protected Packages feature prevents unintended disruptions by allowing you to create protection rules for your most critical packages.

Starting with GitLab 17.8, you can define protection rules for PyPI packages. When a package matches a specified rule, only designated users can update or delete it. This targeted control adds a layer of security and stability to your package management, promoting a more reliable and efficient development environment. Learn more here.

Enhance security with protected container repositories (Core, Premium, Ultimate)

Protected container repositories offer users value by reducing the risk of security breaches and accidental changes to critical assets. This feature streamlines workflows by maintaining security without sacrificing development speed, improves overall governance of the container registry, and provides peace of mind knowing that important container assets are protected according to organizational needs. Learn more here.

This feature and the protected packages feature are both community contributions from gerardo-navarro and the Siemens crew. Thank you, Gerardo and the rest of the crew from Siemens, for their many contributions to GitLab! If you are interested in learning more about how Gerardo and the Siemens crew contributed to this change, check out this video in which Gerardo shares his learnings and best practices for contributing to GitLab based on his experience as an external contributor.

Improved detection accuracy in Advanced SAST (Ultimate)

GitLab updated Advanced SAST to detect the following vulnerability classes more accurately:

  • C#: OS command injection and SQL injection.
  • Go: path traversal.
  • Java: code injection, CRLF injection in headers or logs, cross-site request forgery (CSRF), improper certificate validation, insecure deserialization, unsafe reflection, and XML external entity (XXE) injection.
  • JavaScript: code injection.

The detection of user input sources for C# (ASP.NET) and Java (JSF, HttpServlet) has also been improved, and the severity levels have been updated for consistency.

To see which types of vulnerabilities Advanced SAST detects in each language, see Advanced SAST coverage. To use this improved cross-file, cross-function scanning, enable Advanced SAST. The new rules are automatically activated if you've already enabled Advanced SAST.

Setting `environment.action: access` and `prepare` resets the `auto_stop_in` timer (Core, Premium, Ultimate)

You can now change to the new implementation by enabling the `prevent_blocking_non_deployment_jobs` feature flag. Multiple breaking changes are intended to differentiate the behavior of the `environment.action: prepare | verify | access` values. The `environment.action: access` keyword will remain the closest to its current behavior, except for the timer reset. You should review your use of these keywords to prevent future compatibility issues. Learn more about these proposed changes in the following issues:

Back in April 2023, we deployed SonarQube 9.9 LTA across our customers’ environments—solid, reliable, and built to last. But let’s face it. In tech years, that’s practically ancient history. Fast forward to 2025.1 LTA, and we’re stepping into a world of AI-powered code insights, smarter security, and even better DevOps integration. It’s like upgrading from a trusty old flip phone to the latest AI-driven powerhouse—except this one still checks your code instead of your emails. Get ready for smoother performance, deeper analysis, and an even stronger foundation for clean code. Buckle up—the future of SonarQube is here!

Important notice: As of November 29, 2024, SonarQube Server 2025.1 LTA has introduced updates to its licensing structure. Since then, there hasn’t been a free edition of the LTA version. SonarQube Community Build took the place of the LTA version for free users.

Faster first analysis

With the new optimizations in the way git-blame data is handled in SonarQube, the first project analysis is now even faster than before. Projects that involve a large number of commits will see the time required for the first full analysis drop to a fraction of what it used to be.

For example, in SonarSource’s own benchmarks using the TypeScript compiler source code, the time needed for the first full analysis dropped from over 20 hours to a mere 5 minutes.

SCIM for Azure AD

This release adds the much-anticipated support for automated user provisioning and deprovisioning in SAML/Azure AD configurations through SCIM.

With SCIM enabled, you don’t have to manually manage users and groups on SonarQube. The integration can automatically synchronize not only the usual user creations and deletions but also group operations—group creations and deletions, group membership additions and removals, and possible group name updates.

Static analysis for Docker

Dockerfiles can easily become a nightmare when it comes to security issues. With the introduction of Docker support, SonarQube 10.0 can also help you mitigate potential problems with your Dockerfiles.

SonarQube implements a bash command parser and introduces over 20 new best practice rules to help you find possible security misconfigurations in your Docker instructions.

Using GitLab with SonarQube? You’re in for a treat!

This release of SonarQube further enhances its GitLab integration by making SonarQube security analysis an integral part of GitLab dashboards. When your SonarQube instance is configured with GitLab, vulnerability issues get automatically synced from SonarQube to GitLab.

Simply navigate to the Vulnerability Report to see the results of the SonarQube scan.

For SonarQube Community Edition users, the vulnerability report contains issues related to the main branch, while Developer Edition and higher gain extended support for providing the report across all branches. Learn more here.

Flex that main branch

On commercial editions of SonarQube (Developer Edition and higher), changing the project’s main branch has now become a breeze. 

Project administrators can easily shift the project’s focus by designating another existing branch as the main one for their project. Changing the main branch doesn’t destroy any history, as SonarQube will preserve all of the historical data, analysis, and insights tied to the previous branches designated as the main ones.

Streamlining reviews through SonarLint enhancements

Synchronization features between SonarLint and SonarQube have been enhanced to support “muting” issues directly within the VS Code environment before SonarQube even completes its analysis.

For a developer, it allows classifying issues as either “Won’t fix” or “False positive” beforehand. This will prevent them from unnecessarily reappearing in your IDE and from being flagged for review in SonarQube once the analysis is finalized, paving the way for a more streamlined, clutter-free coding and code review experience.

Enhanced cloud secret detection

SonarQube 10.2 expands its cloud secrets detection feature and is now capable of detecting secrets across 29 cloud services, covering over 60 different kinds of secrets and tokens.

Strict Clean as You Code criteria for quality gates

This release of SonarQube adopts more rigorous Clean as You Code criteria for the built-in Sonar way quality gates. Under the new policy, new code must have exactly zero issues to pass the quality gate, ensuring that any newly written and modified code meets the highest possible clean code standards.

Additionally, the Sonar way Quality Gate no longer differentiates between bugs, vulnerabilities, and code smells in its policy; it’s now a single issues category with zero allowed. The previous quality gates are still available as “Sonar way (legacy)” if you’re not quite ready for the change yet.

Secrets detection at the source

Keep your code free of unwanted secrets with the new secret detection engine in SonarQube and SonarLint. With SonarLint in your IDE, you can leverage the detection capabilities to ensure your codebase is clean of any unwanted sensitive information before pushing anything into your CI/CD pipeline.

Right out of the box, Sonar can detect the top 100+ common patterns for sensitive secrets or tokens, and custom rules can be added to detect company-specific secrets.

Stay in sync with GitLab

The GitLab integration introduced in the previous version synchronized issues back to the GitLab Vulnerability Report whenever SonarQube detected a new issue or updated the status of an existing one.

With this release, synchronization has come full circle. Status changes of issues in GitLab are automatically replicated back to the corresponding issue in SonarQube in the subsequent analysis, keeping both in sync.

UI and language updates

The UI modernization of series 10 progresses with the following getting updated to the latest UI:

  • Quality gates page.
  • Quality profiles page.
  • Rules page.
  • DevOps platform configuration modal shown during project onboarding.

Language packs also received a hefty amount of updates:

Making your Clean Code efforts visible

This release of SonarQube embraces your Clean Code efforts by making the results and benefits of going the extra mile visible.

Pull requests (PR) show issues that will be fixed

There’s no more need to guess what issues you’re fixing with your pull request. SonarQube now shows the issues that will be fixed even before the code is merged, making it easier to verify the issues you intended to fix are actually resolved by the PR. This information can be viewed through the pull request summary view in SonarQube, as well as through the pull request decoration for all four supported CI platforms (Azure DevOps, Bitbucket, GitHub, and GitLab).

Improved issue overview for branches and software quality view for overall code

The branch summary screen has been updated to show the single count of issues for new code instead of the previously displayed separate issue categories (bugs, code smells, and vulnerabilities). This makes the UI overview more in line with the pull request decoration and summary views, further highlighting the issues (or the lack of them!) affecting new code.

The overall code tab has also been reworked to show a better overview of the whole codebase. It now has software quality categories for issues of high, medium, and low severity as well as accepted issues.

Accepting issues appropriately

A “won’t fix” statement has its charms, but it doesn’t always deliver the right message. There’s the possibility of interpreting a “won’t fix” to have certain levels of “Nah mate can’t be bothered” associated with it.

SonarQube adds the option to address issues that won’t or can’t be fixed in a more appropriate manner. Developers can now mark an issue as “accepted” instead of “won’t fix” with a clear message explaining how the issue was judged to be acceptable and how accepting it contributes to technical debt.

As described in the sections above, the number of accepted issues will be shown on PR decoration and various summary screens in SonarQube. Clicking on the count of accepted issues anywhere in the UI will bring you to the list of accepted issues with details on why they are what they are.

Faster scanning

Previously, SonarScanner fetched all analyzers from SonarQube regardless of the languages present in the project. This logic has now been streamlined: The scanner will only download the analyzers that are required based on the files and the languages used in the project. Small streams, little acorns, and all that.

It doesn’t end there, as SonarQube now also supports analyzing Helm Charts for Kubernetes deployments. The same Kubernetes rules that apply to other YAML files also apply to the Helm variety.

Seventeen hundred rules in the Learn as You Code feature have been improved and added to the “How can I fix it?” and “More info” sections.

Java 21, C++23, and TypeScript 5.4

SonarQube brings several notable enhancements aimed at improving code quality and simplifying project setups. The release supports new language versions:

  • Java 21
  • C++23
  • TypeScript 5.4

It’s expanding its utility for developers working with the latest programming technologies. Significant improvements include faster and more in-depth secrets detection and static application security testing (SAST), which is especially beneficial for projects involving large Java libraries. Finally, the end of support of Node.js 16 in the scanner environment was announced.

Branch and pull request overview simplified

Duplication of failed quality gate conditions has been reduced. New and overall code are presented in their own tabs, improving focus on new code while practicing Clean as You Code.

Clean as You Code (CaYC) in-product guided tour

The project page offers an in-product guided tour that explains the basics of Clean as You Code and the main concepts behind the methodology.

Set rule priority to uphold your coding standards

A dev manager or anyone who determines company code standards can now configure the priority of rules in the quality profile and add a quality gate condition to the overall code so that developers can address the corresponding issues before the next release.

Connected mode

Open issues from SonarQube in Visual Studio

In connected mode, you can now open an issue from SonarQube in Visual Studio (available in all IDE flavors). Learn more about connected mode.

Report dataflow bugs in VS Code and IntelliJ (starting in Developer Edition)

In connected mode, SonarLint reports in VS Code and IntelliJ the Java and Python dataflow bug detection (DBD) issues that can be detected by analyzing a single file.

Share connected mode setup with other contributors

It’s now possible to share a connected mode setup configuration file with your team, simplifying the process.

For details, see the "sharing your setup" section on the team features page of your IDE.

AI-generated fix suggestions (available in Early Access in the Enterprise Edition and above)

When investigating an issue, you can ask for an AI-generated fix suggestion and open it directly in your IDE (VS Code, IntelliJ, and Eclipse). Learn more here.

AI code assurance (available starting in Developer Edition)

You can now flag projects as containing AI-generated code. The flagged projects will use the Sonar way quality gate to ensure clean AI-generated code. Learn more here.

Automatic synchronization of project permissions and roles with GitLab (available starting in Developer Edition)

When integrating with GitLab, project permissions and custom roles are now automatically synchronized. Learn more here.

New rules for JavaScript and TypeScript

This feature added 10 new rules that find structure problems in JavaScript and TypeScript code. Learn more here.

Support for Dart (available starting in Developer Edition)

Analysis of Dart is now supported. It includes support for loading coverage data provided by LCOV and more than 70 rules, including cognitive complexity. Learn more here.

Secrets Detection includes more patterns and cloud services (available starting in Developer Edition)

With added support for more than 30 new patterns, SonarQube now covers 146 secret patterns and can detect secrets/tokens generated by 81 cloud services. Learn more here.

Support added for C23

Analysis of C23, the latest major revision of C, is now supported.

Other improvements

Other improvements in this release include:

  • 7 new preprocessor and code presentation rules inspired by MISRA C++2023.
  • 30% increased analysis time on Mac Apple Silicon for C/C++/Objective-C Projects.
  • Advanced security rules for the Spring Framework to reach a coverage of 92% for security-sensitive Spring features.

As of November 29, 2024, SonarQube has updated its licensing structure. SonarQube LTA is not available at no cost. With this release, we go to version 25.2.0, which from now on will be called Community Build and is supposed to be released monthly.

Introducing Multi-Quality Rule Mode

You can now toggle your SonarQube Community Build instance between the Standard Experience and Multi-Quality Rule Mode (MQR). See the Instance mode overview for more information. In both modes, you can customize the severity of issues and rules. New SonarQube Server instances use MQR Mode by default. Upon upgrading, existing SonarQube Server 10.1 and earlier are configured with the Standard Experience by default.

Faster analysis bootstrap

To improve analysis efficiency, we’ve shortened the time it takes to load the active rules in your quality profile.

Improvement to Bitbucket server onboarding

To improve the import of Bitbucket repositories, you can now browse and easily import all the projects from the onboarding page, with no limit on their number.

Analyzers, scanners, languages

Python

Python 3.13 is now supported.

Java

Analysis of Java 22 Projects is now supported.

JSpecify annotations are now supported with one new rule. 

24 main code rules enabled for test code. 

.NET / C#

Analysis of C# 13 is now supported, and the rules have been updated to support .NET 9. We also added 3 new advanced rules around locking and misuse of LINQ queries on collections known not to be empty.

Kotlin

Analysis of Kotlin 2.0 is now supported.

Language updates

PHP analysis now supports asymmetric property visibility (PHP 8.4).

Java 21 is supported for running SonarQube Community Build

SonarQube Community Build can now run in a Java 21 environment.

Published: Mar 1, 2025

Eficode ROOT release notes