GitLab has announced the release of version 17.8, which has significant security enhancements, new container repository features, machine learning capabilities, and better deployment tracking. The update includes over 60 improvements, with 121 contributions from the wider GitLab community.
However, a high-priority cross-site scripting vulnerability was recently found in this new release and in older versions 17.6 and 17.7, and GitLab encourages users to upgrade to version 17.8.2. Vulnerability CVE-2025-0376 has been issued describing the problem, which allows an attacker to execute unauthorised actions via a change page.
The headline functionality of the 17.8 release is the introduction of protected container repositories, giving stricter access control and granular permissions for image push, pull and management operations. This tool adds a parameter for the minimum access level a user needs to push to a repo, thus integrating with GitLab CI/CD pipelines to reduce the risk of unauthorised access to sensitive container repositories.
In a video demonstration on GitLab's YouTube Channel, developer advocates Daniel Helfand and Fernando Diaz discuss the new protected container repositories feature. The feature, which was contributed by Gerardo Navarro and a team at Siemens, allows organisations to implement role-based access controls for container registry pushes, enhancing security for sensitive container images.
The demonstration casts Helfand with developer permissions and Diaz with owner access. Diaz then demonstrates how to configure protection rules for container repositories, explaining, "We can add a repository path pattern... anything containing the word 'main' in the middle will be protected." He sets the minimum access level for pushing to maintainer, ensuring that only users with maintainer privileges can modify protected container images.
To prove the effectiveness of the protection, the presenters conduct two tests. First, Diaz successfully runs a pipeline and pushes a container image using his maintainer account. The process completes without issue, showing that users with appropriate permissions can still update protected repositories. Helfand then attempts the same pipeline with his developer account, demonstrating the security controls. As expected, the attempt fails with the system preventing the push, and confirming that users without maintainer access cannot modify protected containers.
GitLab 17.8 ships with many other enhancements. The release page now tracks where a release has been deployed and which environments are pending deployment, bringing this information together from previously disparate sources.
The release also promotes machine learning model experiments tracking to general availability, enabling data scientists to log parameters, metrics, and artifacts from MLflow experiments directly within GitLab. This also helps with the replicability of the experiments. This release also has a new GitLab MLOps Python client in beta, allowing users to interact with GitLab's MLOps features such as experiment tracking and model registry integration directly from Python scripts and notebooks, reducing the need for context switching.
SAST scanning in VS Code is now available as an experimental feature for GitLab Ultimate subscribers. Local SAST scanning allows developers to find security vulnerabilities before committing or pushing code.
Large M2 Pro hosted runners for macOS are now in beta, offering up to twice the performance of M1 runners for teams developing applications in the Apple ecosystem. For GitLab Dedicated - GitLab's single-tenant SaaS solution - now has limited availability of hosted Linux runners. This feature eliminates the need to maintain separate runner infrastructure.
Compliance and security are improved, with new support for multiple distinct approval actions in merge request approval policies. This enhancement allows organisations to create up to five approval rules per policy, including complex workflows needing specific combinations of approvers from different roles or groups. Vulnerability management is also improved, with a link to the commit that resolved a vulnerability now added to an issue.
The update includes many other workflow improvements, among them the following:
- The ability to track multiple to-do items within issues or merge requests
- Enhanced epic features around management, time-tracking, health, and new webhooks for epics
- Remediation steps for fixing secret leaks
- Roles can now be used to define project members in code owners
GitLab 17.8 is available now.
About the Author
