## Summary This epic defines how GitLab Duo will be integrated into the Artifact Management product experience — making setup, governance, troubleshooting, and optimization dramatically simpler while delivering capabilities that standalone artifact management tools cannot replicate. The market has moved. Artifact management is no longer a storage problem — it is a governance, security, and automation problem, and every major competitor is now marketing AI as the answer. Our advantage is not that we have AI. It is that Duo has native context across the entire DevSecOps lifecycle — code, CI/CD, security, and deployment — that JFrog, Sonatype, and Harness can only simulate by ingesting metadata from external systems. --- ## Background and Opportunity GitLab manages the full software lifecycle. When a developer opens a merge request, Duo already knows the code change, the pipeline result, the security scan, and the deployment target. No standalone artifact management tool has that context natively. JFrog's new "agentic repository" (Fly) is explicitly built to reconstruct this context by pulling in GitHub commit, PR, and issue metadata. We have it by default. This creates a meaningful, defensible differentiation if we act on it: Duo can reason across the full lifecycle to provide artifact intelligence that is impossible from a point solution. Governance decisions, cleanup recommendations, security remediations, and provenance attestations can all be grounded in real delivery context — not just repository metadata. The second major shift is the emergence of AI artifacts (ML models, datasets, agents, prompts) as first-class managed objects. Organizations are now asking the same governance questions about a Hugging Face model as they ask about a Maven dependency: Where did it come from? Is it safe? Who approved it? How do I govern its lifecycle? Our epic must address this. --- ## Strategic Framing Our mission remains to eliminate artifact management complexity and become customers' single source of truth for artifact management. AI is how we deliver on that mission at scale. The specific GitLab advantage: * **Lifecycle-native context**: Duo knows about the MR, the pipeline, the CVE scan result, and the production deployment. Recommendations are grounded in real delivery data. * **Unified governance**: One policy model across code, CI/CD, and artifacts — not a separate system bolted on. * **Attestation-native**: GitLab already captures the evidence trail (who wrote it, what tests ran, what was scanned). Duo can surface and act on that for supply chain compliance without additional tooling. --- ## User Personas and Pain Points ### Platform Engineers * Spend significant time on registry architecture, configuration, and maintenance across teams * Lack visibility into cross-project dependency relationships and risks * Struggle to enforce consistent governance policies at scale ### Software Developers * Friction setting up new projects and debugging dependency issues * Limited insight into what artifacts are used in production and whether they are safe * Context-switching between CI/CD tools and separate artifact registries ### GitLab Administrators * Reactive to storage growth and compliance incidents rather than proactive * Require domain expertise to configure and optimize registries across formats * Need to govern both traditional software packages and emerging AI/ML model artifacts --- ## Capabilities Vision ### 1. AI-Powered Setup and Configuration * Conversational registry setup with configuration generation based on team size, format, and security requirements * Smart defaults for virtual registry upstreams, cleanup policies, and access control * CI/CD template generation for artifact publishing and consumption * Bulk configuration management across groups and projects ### 2. Agentic Governance and Policy Enforcement This is the highest-value, most differentiated capability area. * **Automated policy recommendations** based on observed usage patterns — not generic best practices * **Evidence-based promotion gates**: Duo can evaluate whether an artifact has the required attestations (security scan passed, MR approved, SBOM generated) before allowing promotion to staging or production * **AI-driven cleanup**: Proactive identification of unused, outdated, or risky artifacts with one-click remediation and impact preview * **Dependency firewall assistance**: Recommend allow/deny rules grounded in actual scan results and project-specific risk posture ### 3. Intelligent Troubleshooting and Remediation * Pipeline log analysis to identify artifact-related failures with specific resolution steps * Dependency conflict resolution with compatible version suggestions * Agentic remediation: where appropriate, Duo generates and proposes the fix rather than just describing it * IDE-level artifact context (roadmap): surface artifact lineage, vulnerabilities, and policy status without leaving the development environment ### 4. AI Artifact Management This is a new, required capability area given market direction and customer demand. * Policy enforcement for AI-generated code artifacts entering the supply chain * Compliance and provenance for AI/ML components in regulated environments ### 5. Lifecycle Intelligence and Analytics * Natural language queries against artifact usage data: "What container images haven't been used in 60 days and are deployed in production?" * Cross-project dependency visualization with vulnerability overlays * Capacity planning and storage optimization recommendations grounded in historical growth patterns * Version consolidation recommendations across projects Here's a standalone section you can drop in — fits naturally after **Technical Requirements** or as a subsection of it. ### **6. GitLab Knowledge Graph Integration** The artifact intelligence capabilities described in this epic depend on Duo's ability to traverse relationships across the GitLab data model — not just read artifact metadata in isolation. This requires formal integration with the GitLab knowledge graph: the connected representation of projects, MRs, pipelines, packages, deployments, users, and security findings that already exists across the platform. Specifically, Duo needs to resolve and traverse the following entity relationships to power lifecycle-native recommendations: * **Artifact → Pipeline**: Which pipeline produced this artifact, what tests ran, what scan results were emitted, and what was the final job status * **Artifact → MR**: What code change introduced or updated this artifact, who authored it, and what review and approval events occurred * **Artifact → Deployment**: Where is this artifact currently running — which environment, which project, which Kubernetes cluster or deployment target * **Artifact → Vulnerability**: What CVEs or policy violations are associated with this artifact, sourced from GitLab Security scans rather than external enrichment * **Artifact → Project / Group**: Ownership, access control policy, and downstream consumers across the namespace hierarchy * **Artifact → Artifact**: Upstream/downstream dependency relationships across virtual registries, including transitive dependencies where resolvable ### 7. Administrative Self-Service * Natural language access to system health metrics and performance data * Guided configuration for complex scenarios (Geo replication, Cells topology, multi-region virtual registries) * Proactive capacity and infrastructure recommendations --- ## UX Principles AI-powered interactions must be designed for trust and adoption: * **Preview before apply**: Users review AI-suggested changes before execution, especially for policy and cleanup actions * **Explain this suggestion**: Every recommendation includes why it was made and what data it is based on * **Undo support**: Recoverable actions for configuration changes and cleanup operations * **Optionality**: Users can choose to apply suggestions manually or automate with oversight — particularly for security and policy changes * **Feedback mechanisms**: Lightweight thumbs up/down on suggestions to improve quality over time --- ## Implementation Phasing ### Phase 1: Foundation * Integrate Duo with Artifact Management documentation and registry configuration context * Enable basic conversational setup guidance and troubleshooting for common errors * Deliver natural language artifact queries for usage and storage analytics ### Phase 2: Agentic Governance * AI-driven cleanup policy recommendations with one-click application * Evidence-based promotion gate recommendations grounded in pipeline and scan data * Dependency firewall rule recommendations based on scan results and risk profile * Initial ML model artifact support with basic governance ### Phase 3: Proactive Intelligence * Agentic remediation: Duo proposes and applies fixes, not just describes them * IDE-level artifact context integration * Full AI artifact lifecycle management (models, datasets, agents) * Cross-project dependency analysis and consolidation recommendations * Predictive capacity planning --- ## Technical Requirements For Duo to deliver on this vision, it needs access to: * Registry configurations, access control policies, cleanup and lifecycle policies * Artifact storage metrics, download/upload statistics, and system health data * Package version metadata, project dependency graphs, and artifact ownership * Pipeline and CI/CD execution data — including scan results, test outcomes, and deployment history * MR and code change context for lifecycle-native recommendations * Build provenance and attestation data (SLSA, SBOM) --- ## Success Metrics * Reduction in time to set up and configure new registries * Reduction in support issues related to artifact management configuration * Adoption rate of virtual registry and governance features * Storage efficiency improvement attributed to AI-driven cleanup recommendations * Mean time to remediate artifact-related pipeline failures * Adoption of ML model artifact management capabilities --- ## Competitive Context The artifact management market has consolidated around AI as the primary competitive dimension. Key movements: **JFrog** is the most aggressive mover. JFrog Fly positions as an "agentic repository" that reconstructs lifecycle context by ingesting GitHub metadata. Their DevGovOps framework makes Artifactory the system of record for release evidence and attestations, not just binaries. They have an MCP Server for agentic remediation in the IDE. The tell: they are spending significant engineering effort simulating what GitLab has natively. **Sonatype** launched Nexus One in November 2025 — an agentic platform with ML-driven OSS vulnerability analysis across 270M+ components. Their differentiation is OSS intelligence depth (they maintain Maven Central). Their SaaS launch (Nexus Repository Cloud) is explicitly positioned for the gen AI SDLC. They are not a DevSecOps platform; they are a deep intelligence layer. **Harness** went GA on Artifact Registry in February 2026. Their positioning is platform integration — the same governance model across CI/CD and artifacts if you are already a Harness customer. They have a Policy Agent for AI-driven governance and a Dependency Firewall. They are explicitly targeting JFrog displacement within their customer base. Harness is the most similar model to GitLab's integrated approach, which makes them the most relevant competitor to watch. The real differentiator for GitLab is not that we have an AI assistant. It is that our AI has genuine, native context that no standalone tool can match. The goal of this epic is to build features that make that advantage visible and real to customers.