Changing context just got easier
We’ve heard your feedback that on the left sidebar, it can be hard to find the search button and to change between things like projects and preferences. In this release, we’ve made the button more prominent. This aids discoverability as well as streamlining workflows into a single touch point.
You can try it out by selecting the Search or go to… button or with a keyboard shortcut by typing / or s.
Webhook now triggered when a release is deleted
You can use release events to monitor release objects and react to changes. Previously, a webhook was only triggered when a release was created or updated. In heavily regulated industries, deleting releases is a crucial event that must be monitored and followed up.
With GitLab 16.5, a webhook is now also triggered when a release is deleted.
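A receiver-side check for this event, as an added example that is not part of the GitLab release notes: it validates the webhook's secret token and raises an alert only for deleted releases. The `X-Gitlab-Token` header and the `object_kind` and `action` payload fields are assumed from GitLab's webhook documentation rather than this page; the token, function name, and sample payloads are constructed.

```python
import hmac
import json

# Constructed placeholder; use the secret token configured on your webhook.
SECRET_TOKEN = "constructed-example-token"


def release_deletion_alert(headers, body, secret=SECRET_TOKEN):
    """Return an alert dict if the webhook reports a deleted release, else None.

    Assumes GitLab's release event format: an X-Gitlab-Token header and a
    JSON body with "object_kind": "release" and an "action" field.
    Header names are matched case-insensitively.
    """
    supplied = next(
        (v for k, v in headers.items() if k.lower() == "x-gitlab-token"), ""
    )
    # Constant-time comparison so the token cannot be guessed by timing.
    if not hmac.compare_digest(supplied.encode(), secret.encode()):
        raise PermissionError("webhook token mismatch")
    try:
        event = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError("malformed webhook body") from exc
    if not isinstance(event, dict) or event.get("object_kind") != "release":
        return None
    if event.get("action") != "delete":
        return None  # create and update events are not alerts here
    project = event.get("project") or {}
    return {
        "alert": "release_deleted",
        "project": project.get("path_with_namespace", "<unknown>"),
        "tag": event.get("tag", "<unknown>"),
        "release": event.get("name", "<unknown>"),
    }


# Constructed sample deliveries (not captured from a real instance).
SAMPLE_HEADERS = {"X-Gitlab-Event": "Release Hook", "X-Gitlab-Token": SECRET_TOKEN}
SAMPLE_DELETE = json.dumps({
    "object_kind": "release", "action": "delete", "name": "v1.1", "tag": "v1.1",
    "project": {"path_with_namespace": "example-group/example-project"},
})
SAMPLE_CREATE = json.dumps({"object_kind": "release", "action": "create", "tag": "v1.2"})

if __name__ == "__main__":
    print(release_deletion_alert(SAMPLE_HEADERS, SAMPLE_DELETE))
    print(release_deletion_alert(SAMPLE_HEADERS, SAMPLE_CREATE))
```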
Export individual wiki pages as PDF
From GitLab 16.5, you can export individual wiki pages as PDF files. Now, sharing team knowledge is even more seamless. Exporting a wiki to PDF can be used for a variety of use cases, for example to provide a copy of technical documentation that is kept in a wiki, or to share information in a wiki about project status. You no longer need alternative tools to convert Markdown files to PDF, which posed an additional challenge in organizations where using these tools is prohibited. Thank you to JiHu for contributing this feature!
Set a parent for a task, objective, or key result with a quick action
You can now set a parent item for a task, objective, or key result by using the /set_parent quick action.
DAST analyzer updates
During the 16.5 release milestone, we enabled the following active checks for browser-based DAST by default:
- Check 78.1 replaces ZAP check 90020 and identifies command injection, which can be exploited by executing arbitrary OS commands on the target application server. This is a critical vulnerability that can lead to a full system compromise.
- Check 611.1 replaces ZAP check 90023 and identifies External XML Entity Injection (XXE), which can be exploited by causing an application’s XML parser to include external resources.
- Check 113.1 replaces ZAP check 40003 and identifies “Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Response Splitting’)”, which can be exploited by inserting Carriage Return / Line Feed (CRLF) characters to inject arbitrary data into HTTP responses.
API to create PAT for currently authenticated user
You can now use a new REST API endpoint at user/personal_access_tokens to create a new personal access token for the currently authenticated user. This token’s scope is limited to k8s_proxy for security reasons, so you can use it only to perform Kubernetes API calls using the agent for Kubernetes. Previously, only instance administrators could create personal access tokens through the API.
Back up and restore repository data in the cloud
The GitLab backup and restore feature now supports storing repository data in object storage. This update improves performance by eliminating the intermediate steps used to create a large tarball, which needs to be manually stored in an appropriate location.
With this update, repository backups get stored in an object storage location of your choice (Amazon S3, Google Cloud Storage, Azure Cloud Data Storage, MinIO, etc.). This change eliminates the need to manually move data off of your Gitaly instance.
Export the compliance violations report
The compliance violations report can contain a lot of information. Previously, you could only view the information in the GitLab UI. This was fine for individual issues, but could be tricky if you needed to, for example:
- Create an artifact of the current compliance status for a release. For example, prove to an auditor that there were 0 violations.
- Aggregate the data with another data set or process it in another tool.
In GitLab 16.5, you can now export a list of the items included in the compliance violations report in CSV format.
Geo adds bulk resync and reverify buttons for all components
You can now trigger bulk resync or reverify for any data component managed by Geo, through buttons in the Geo admin UI. Selecting the button will apply the operation to all data items related to the respective component. Before, this was only possible by logging into the Rails console. These actions are now more accessible, and the experience of troubleshooting and applying large scale changes that require a full resync or reverify of specific components, such as moving storage locations, is improved.
New customizable permissions
The permissions to manage group members and project access tokens have been added to the custom roles framework. You can add these permissions to any base role to create a custom role. By creating custom roles with only the permissions needed to accomplish a particular set of tasks, you do not have to unnecessarily assign highly privileged roles such as Maintainer and Owner to users.
Use the API to delete a user's SAML and SCIM identities
Previously, group Owners had no way to programmatically delete SAML or SCIM identities. This made it difficult to troubleshoot issues with the user provisioning and sign-in processes. Now, group Owners can use new endpoints to delete these identities.
Thank you jgao1025 for your contribution!
Reviewer information for merge requests in the Jira development panel
With the GitLab for Jira Cloud app, you can connect GitLab and Jira Cloud to sync development information in real time. You can view this information in the Jira development panel.
Previously, when a reviewer was assigned to a merge request, the reviewer information was not displayed in the Jira development panel. With this release, the reviewer name, email, and approval status are displayed in the Jira development panel when you use the GitLab for Jira Cloud app.
Add a child task, objective, or key result with a quick action
You can now add a child item for a task, objective, or key result by using the /add_child quick action.
With this release, you can link tasks and OKRs as “related,” “blocked by,” or “blocking” to provide traceability between dependent and related work items.
When we migrate epics and issues to the work item framework, you will be able to link across all these types.
Make jobs API endpoint rate limit configurable
A rate limit for the project/:id/jobs API endpoint was added recently, defaulting to 600 requests per minute per user. As a follow-up iteration, we are making this limit configurable, enabling instance administrators to set the limit that best matches their requirements.
Redesigned Service Desk issues list
We’ve redesigned the Service Desk issues list to load faster and more smoothly. It now more closely matches the regular issues list. Available features include:
- The same sorting and ordering options as on the issue list.
- The same filters, including the OR operator and filtering by issue ID.
Activate and deactivate headers for streaming audit events
Previously, you had to delete HTTP headers added to audit event streaming destinations, even if you only wanted to deactivate
With GitLab 16.5, you can use the Active checkbox in the GitLab UI to toggle each header on and off individually. You can use this to:
- Test different headers.
- Temporarily deactivate a header.
- Switch between two versions of the same header.
Configurable locked user policy
Administrators can now configure a locked user policy for their instance by choosing the number of unsuccessful sign-in attempts, and how long the user is locked for. For example, five unsuccessful sign-in attempts would lock a user for 60 minutes. This allows administrators to define a locked user policy that meets their security and compliance needs. Previously, the number of sign-in attempts and locked user time period were not configurable.
Find epics with advanced search
The popularity of epics in GitLab continues to grow. Previously, finding epics was a little more difficult than other content types. With this release, you can now search and view results for epics when you use advanced search.
Integrate deployment approval and approval rule changes into audit events
Deployments in regulated industries are a central topic of compliance. In previous releases, deployment approvals were not part of audited events, which made it difficult to tell when and how approval rules changed.
GitLab now ships with a new set of audit events for deployment approval and approval rule changes. These events fire when deployment approval rules change, or when approval rules for protected environments change.
Vulnerability report grouping by status and severity
To triage vulnerabilities more efficiently, you need to be able to group them. With this release, you can group vulnerabilities by severity or status. This helps you answer questions like how many confirmed vulnerabilities are in a group or project, or how many vulnerabilities still need to be triaged.