Changelog: Now on GitLab

Miguel Martinez
Isometric diorama of a matte black GitLab repository cube connected by glowing cyan channels to merge request, scan, and remediation blocks on a blueprint grid

Last month we said it plainly: coverage started with GitHub, and GitLab was coming. Now it has landed. As of v1.95.1, GitLab is a fully supported source-control provider in Chainloop, with the same path from connected repo to signed evidence that GitHub teams already had. This release is mostly about closing that gap, and then reaching a little further into the tools your team already uses: findings that keep your Linear tickets honest, a Slack assistant that knows when to speak up, opencode joining the traced AI coding providers, and managed scanners that got sharper without asking anything of you.

GitLab Is a First-Class Provider

Connect a GitLab instance the same way you connect anything else in Chainloop. Register a connection with a GitLab host and an access token, personal, group, or service account, from the Integrations view. We validate the token on the spot, and it backs the full set of source-control capabilities: repository onboarding, managed workflows, merge-request validation, automated remediation, webhooks, and keyless attestation. Nothing about GitLab is a second-class path. It is the same product, pointed at a different provider.

Onboard in the wizard. Once a connection is in place, pick a GitLab repository directly in the Create Project wizard, the same flow you already use for GitHub.

Managed workflows. Managed workflow delivery now covers GitLab-linked repositories, so scanning and evidence collection run without you wiring up a pipeline.

Multiple connections, trusted automatically. Register several GitLab connections at once, separate on-prem instances or distinct tokens for the same host. Each is independent, and OIDC trust is derived from your live connections, so a self-hosted instance becomes a trusted issuer without a redeploy.

Registering a GitLab connection in the Chainloop Integrations view

Findings That Keep Linear Honest

A finding is only useful if the person who can fix it knows about it, and knows when it changes. Vulnerability risk assessments can now be linked to Linear tickets, and Chainloop keeps those tickets in sync on its own.

When a linked finding changes, its status recalculated, an AI revision approved, or its remediation PR merged, Chainloop comments on the ticket and moves its state when the finding crosses a boundary. A fixed finding closes the ticket, a not-affected verdict cancels it, and reopening the finding reopens it. Your tracker stops drifting from reality without anyone updating it by hand.

A vulnerability risk assessment linked to a Linear ticket, with Chainloop keeping the ticket state in sync

A Slack Assistant That Knows When to Speak

The Ask Chainloop assistant in Slack now decides for itself when a reply is warranted. Direct messages and messages that clearly address it always get an answer. For the ambiguous cases, mid-text mentions and untagged thread follow-ups, an intent classifier gates the response, so the assistant stays useful without turning into noise.

Natural thread follow-ups. Once it is active in a thread, the assistant reads later untagged replies and keeps the conversation going, then backs off when the thread drifts off topic.

DM replies where you expect them. Direct-message replies now land in the main conversation window instead of a thread, matching how people actually read a DM.

The Chainloop assistant answering a question in a Slack thread

opencode Joins the Traced Providers

chainloop trace now captures opencode sessions, reaching parity with the Claude Code and Cursor providers. Add the --opencode flag to trace init and trace run, and each session is recorded as signed evidence: token usage, cost, tool counts, and conversation metrics. Those sessions land in your organization’s AI Coding metrics alongside every other provider, so code attribution, cost, and policy results stay in one view no matter which tool wrote the code.

Per-session detail for an opencode session showing AI versus human code attribution, cost, and policy results

Managed Scanning Got Sharper

Our managed sandbox scanners gained a new tool and a better engine, and both land without any change on your side.

GitHub Actions scanning. zizmor, a static analysis tool for GitHub Actions, joins the managed scanners alongside SAST, vulnerability, secrets, and IaC. When a repository is onboarded, rescanned, or dispatched, Chainloop runs zizmor against its Actions workflows and records the report as an attestation under a new github-actions-scan managed workflow. Misconfigured CI is a real attack surface, and now it is covered by default.

Modern secret scanning. Managed secret scanning swaps gitleaks for betterleaks, a drop-in successor from the original gitleaks authors. Report format and findings are unchanged, so nothing in your setup needs to move.

Full changelog at docs.chainloop.dev/changelog.

Let’s Talk

We will be at Black Hat USA 2026 in Las Vegas, at booth #5810 on Wednesday, August 5 and Thursday, August 6. If you want to see any of this live, or talk through what covering every repo actually looks like for your team, come find us there.

Next, we are taking these checks all the way into the pull request. We already run periodic scans and some PR checks, plus AI coding-session tracing, and soon IaC, vulnerability, and SAST scanning will run automatically on the code in every PR, before it merges.

; ---