How GitLab is tapping AI in DevSecOps

GitLab CISO Josh Lemos explains how the company is weaving AI, through its Duo tool, into the entire software development lifecycle to enhance efficiency and automate incident response

GitLab is integrating artificial intelligence (AI) across its DevSecOps cycle to streamline software development and bolster security operations, its chief information security officer, Josh Lemos, revealed in a recent interview with Computer Weekly.

Lemos, whose role at GitLab includes securing the company, contributing to product security capabilities and acting as an external champion, detailed how the company is reaping benefits from GitLab Duo, which provides AI capabilities to help DevSecOps teams with planning, building and deploying software, as well as managing issues and security incidents.

For example, Lemos said GitLab Duo, which taps the power of large language models (LLMs), can summarise issues that span pages of information into concise paragraphs, and in more advanced use cases, take an incident report, open a ticket and kickstart the incident response process.

This AI-driven process can “powerfully use AI to pull scraps of information together, get the right people to respond to the incident and pull the necessary data sources in order to meaningfully investigate the incident,” he added.

GitLab also uses AI in product security to identify anti-patterns in code, that is, common responses to problems that are usually ineffective and contrary to best practices. However, while AI is a powerful tool, Lemos said it serves best as an “accelerant” for those with existing expertise, whether it’s writing software or investigating a security incident.

“If I am to write some code in a programming language that I’m very proficient in, I can prompt the AI to write the code, and then I can recognise if there are security anti-patterns and prompt it to fix those anti-patterns,” he said. “But if it’s a language I’m less familiar with, and if it writes suboptimal code that I can’t recognise, it makes me less effective.”

To counter this, GitLab employs model routing on its backend and uses different LLMs for different programming languages.

GitLab measures its success in adopting AI through various metrics, including reductions in vulnerabilities and security anti-patterns, as well as faster resolution of issues. “We’re looking at a lot of efficiency gains,” said Lemos. “The resolution time and number of issues a developer fixes ultimately add up to faster time to market for shipping code and features.”

In security operations, he sees AI as “just another accelerant for automation”, adding that “anything that we’re doing, whether it’s a manual process or something we’re doing more than a few times”, becomes automated by AI.

Lemos said AI will eventually require security professionals and developers to pick up new skills. While software development skills have always been a requirement for developers, he said there’s a growing need to hire those with machine learning, data science or prompt engineering skills. “The next generation of security practitioners will also need to know how to use AI effectively and to secure AI to be successful in their roles,” he added.

Even as GitLab is pushing ahead with AI, Lemos acknowledged that customer adoption is still in its early stages, noting that the tech industry is ahead of user organisations that are just starting to experiment with AI in DevSecOps. He advised organisations to look at the problems they are hoping to solve and make sure they are clear on what the outcomes would look like.

Ultimately, GitLab views AI as a transformative force in the DevSecOps landscape, with the benefits to teams outweighing the benefits to individuals, said Lemos. “I think it’s going to be an exciting year to see how they adopt agentic AI in their DevSecOps lifecycles,” he added.

In April 2025, GitLab started integrating Amazon Q Developer agents into GitLab Duo to ease software development in areas such as refactoring legacy code, remediating software vulnerabilities, reviewing code and automating feature development.

Osmar Alonso, a DevOps engineer at Volkswagen Digital Solutions who participated in the early access programme for the integration, said even in its early stages, his team saw how the use of autonomous agents could streamline development processes, from code commit to production. “We’re excited to see how this technology empowers our team to focus on innovation and accelerate our digital transformation,” he said.