Enhanced Security Features in GitLab 18.0 Launch

Thu 24th Apr, 2025

GitLab has announced the upcoming release of GitLab 18.0, which will be rolled out in several phases. This major update aims to enhance security while providing users with essential migration tools.

The deployment of GitLab 18.0 will follow a carefully orchestrated timeline, beginning with significant changes termed 'Breaking Changes.' These changes will be introduced over three distinct periods: the first phase occurred from April 21 to April 23, followed by subsequent phases scheduled from April 28 to April 30, and then from May 5 to May 7.

Simultaneously, upgrades for Medium and Low Impact features will take place without specific timelines. Users of the Self-Managed version of GitLab can expect the upgrade to GitLab 18.0 to be available starting May 15. For users of the managed cloud service, GitLab Dedicated, the upgrade will occur between June 24 and June 29.

The 'High Impact' changes primarily focus on security enhancements. Key updates involve the CI/CD job tokens introduced in GitLab 14.4 and the Dependency Proxy feature. The default setting for the 'Limit access from this project' option for CI/CD job tokens will now be disabled for all new projects. Additionally, users will not be able to reactivate this setting in projects that have already turned it off in versions 16.0 or later. To manage access to job tokens more effectively, users are encouraged to utilize the 'Authorized groups and projects' option, which will be enabled by default in GitLab 18.0.

Furthermore, the Dependency Proxy for containers will receive enhanced security measures. Access tokens used to authenticate will now need both the 'read_registry' and 'write_registry' scopes. Any authentication attempts using access tokens that do not include these scopes will be denied by the Dependency Proxy moving forward.
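To find tokens that would start failing under the scope requirement described above, an inventory of tokens can be audited before the upgrade. The following Python is an added example, not GitLab's tooling or code from the announcement; the record fields (`name`, `scopes`, `revoked`, `expires_at`) and the sample inventory are assumptions constructed for illustration, and the check follows the article's wording that only these two scopes count.

```python
from datetime import date

# Scopes the article says Dependency Proxy authentication will require.
# Assumption: only these two scope names are considered, as the article states.
REQUIRED_SCOPES = frozenset({"read_registry", "write_registry"})


def audit_tokens(tokens, today):
    """Return {token name: sorted missing scopes} for usable tokens that
    lack a required scope. `today` is an ISO date string (YYYY-MM-DD)."""
    cutoff = date.fromisoformat(today)
    denied = {}
    for tok in tokens:
        # Revoked tokens cannot authenticate anyway, so they are not findings.
        if tok.get("revoked"):
            continue
        # Tokens whose expiry date is already in the past are skipped too;
        # a token expiring today is still audited (conservative choice).
        expires = tok.get("expires_at")
        if expires and date.fromisoformat(expires) < cutoff:
            continue
        missing = REQUIRED_SCOPES - set(tok.get("scopes", []))
        if missing:
            denied[tok["name"]] = sorted(missing)
    return denied


# Constructed sample inventory (hypothetical names and values).
SAMPLE_TOKENS = [
    {"name": "ci-image-pull", "scopes": ["read_registry"],
     "revoked": False, "expires_at": "2026-01-01"},
    {"name": "proxy-rw", "scopes": ["read_registry", "write_registry"],
     "revoked": False, "expires_at": None},
    {"name": "repo-mirror", "scopes": ["read_repository"],
     "revoked": False, "expires_at": "2025-12-31"},
    {"name": "old-bot", "scopes": ["read_registry"],
     "revoked": True, "expires_at": None},
    {"name": "expired-pull", "scopes": ["read_registry"],
     "revoked": False, "expires_at": "2025-01-15"},
]

if __name__ == "__main__":
    for name, missing in audit_tokens(SAMPLE_TOKENS, "2025-05-15").items():
        print(f"{name}: would be denied, missing {', '.join(missing)}")
```

Tokens reported here need to be reissued with both scopes before the upgrade reaches the instance.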

To assist users in transitioning to these new features, GitLab will provide several software tools. Among these tools is the Advanced Search Deprecations Tool, which leverages the enhanced search API to identify strings in GitLab groups and projects that pertain to deprecated features. Additionally, the Dependency Scanning Build Support Detection Helper will help identify projects affected by three outdated Dependency Scanning functions.

