GitLab Duo CLI: managing AI agents in CI/CD pipelines
GitHub has released BYOK for Copilot CLI, but that is only the beginning. When an AI agent automates tasks in CI/CD without human approval, platform-level secur
AI-processed from GitLab Blog; edited by Hamidun News
GitHub recently added bring-your-own-key (BYOK) and local-model support to Copilot CLI: developers can route requests through their own model provider or run a model entirely offline. Model selection, however, is only the beginning. The real complexity starts when the AI begins taking actions across the software delivery pipeline, such as running builds and changing CI/CD configuration. At that point the architectural decisions underneath the CLI tool become critical.
Two Approaches to CLI-AI
Copilot CLI operates at the level of an individual developer's workstation; organizational management was not part of its design. There is no control over which model a team uses and no audit trail of what the agent did and why. GitLab Duo CLI is structured differently. It is built on the GitLab Duo Agent Platform and designed both for a developer at a terminal and for teams whose agents automate security, verification, compliance and deployment across dozens of projects with different release cycles. GitLab Duo CLI also supports a headless mode: non-interactive, scriptable and embeddable in CI/CD pipelines, with the same governance controls applying all the way through the pipeline.
Why Model Selection Is Not the Same as Governance
The first generation of AI coding tools was optimized for interactive sessions: a developer asks a question, sees a suggestion, and approves or rejects it. Security there is simple, because a human sits at every step. When an AI agent works inside an automated workflow, everything changes. The agent can run tests, change configuration and carry out multi-step actions across the software delivery lifecycle with no human checking each step. The security requirements change accordingly. The important question is no longer "which model is this?" but a different set:
- What does this agent have access to?
- What is it allowed to do?
- What actions did it perform and can I prove it?
- Can the agent be hijacked through prompt injection?
GitLab Duo CLI addresses these questions at the platform level. In interactive mode, no action is performed without human approval. Prompt injection detection is built into the GitLab Duo Agent Platform and blocks attempts to hijack the agent with malicious instructions. Composite identity limits the agent's access to what it is explicitly authorized for. Every AI action is recorded and auditable. Files such as AGENTS.md and SKILL.md let the team define precisely which tasks and actions the agent is permitted to perform.
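To make these controls concrete, here is an added example in Python. It is not GitLab's code and does not describe how the Duo Agent Platform is implemented; it models three of the controls named above so that their interaction is visible. Composite identity is treated as the intersection of the invoking user's permissions and the agent's own grant; approval gating requires a human in interactive mode and, in headless mode, runs only actions a policy pre-approves (an assumption about headless behaviour, since the text only states that no human is present); and every decision is written to a hash-chained audit log so a tampered record is detectable. The `Principal`, `Policy` and `AgentBroker` names, the permission strings, and the `Policy` structure standing in for an AGENTS.md-style allowlist are all hypothetical, and the sample users and permissions are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# Constructed sample data model; real GitLab roles, scopes and identities differ.
@dataclass(frozen=True)
class Principal:
    name: str
    permissions: FrozenSet[str]


@dataclass(frozen=True)
class Policy:
    """Hypothetical stand-in for an AGENTS.md-style allowlist."""
    allowed_actions: FrozenSet[str]        # what the agent may ever do
    headless_preapproved: FrozenSet[str]   # what may run with no human present


class AgentBroker:
    """Every action the agent wants to take goes through authorize()."""

    def __init__(self, user: Principal, agent: Principal, policy: Policy,
                 mode: str, approver: Optional[Callable[[str, str], bool]] = None):
        if mode not in ("interactive", "headless"):
            raise ValueError("mode must be 'interactive' or 'headless'")
        if mode == "interactive" and approver is None:
            raise ValueError("interactive mode needs a human approver callback")
        self.mode = mode
        self.approver = approver
        self.policy = policy
        # Composite identity (assumed model): the agent never holds more than
        # the intersection of its own grant and the invoking user's rights.
        self.effective: FrozenSet[str] = user.permissions & agent.permissions
        self.actor = f"{agent.name} on behalf of {user.name}"
        self.audit: List[Dict] = []
        self._prev_hash = "0" * 64

    def authorize(self, action: str, target: str) -> bool:
        if action not in self.policy.allowed_actions:
            decision = "denied:policy"          # the team never allowed this action
        elif action not in self.effective:
            decision = "denied:identity"        # user or agent lacks the right
        elif self.mode == "interactive":
            decision = "approved:human" if self.approver(action, target) else "denied:human"
        elif action in self.policy.headless_preapproved:
            decision = "approved:preapproved"   # nobody is watching, but policy pre-authorized it
        else:
            decision = "denied:no_approver"     # needs a human and none is present
        self._record(action, target, decision)
        return decision.startswith("approved")

    def _record(self, action: str, target: str, decision: str) -> None:
        # Each record commits to the previous record's hash, forming a chain.
        body = {"seq": len(self.audit), "actor": self.actor, "action": action,
                "target": target, "decision": decision, "prev": self._prev_hash}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        body["hash"] = digest
        self.audit.append(body)
        self._prev_hash = digest


def verify_audit(records: List[Dict]) -> bool:
    """Recompute the chain; any edited, dropped or reordered record breaks it."""
    prev = "0" * 64
    for rec in records:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if body.get("prev") != prev:
            return False
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != rec["hash"]:
            return False
        prev = rec["hash"]
    return True


def demo() -> Tuple[Dict[str, bool], List[Dict]]:
    # Constructed principals: the agent's grant is deliberately wider than the user's.
    dev = Principal("alice", frozenset({"read_repo", "run_tests", "edit_ci_config"}))
    agent = Principal("duo-agent", frozenset({"read_repo", "run_tests", "edit_ci_config",
                                              "deploy_prod", "push_branch"}))
    policy = Policy(allowed_actions=frozenset({"read_repo", "run_tests", "edit_ci_config", "deploy_prod"}),
                    headless_preapproved=frozenset({"read_repo", "run_tests"}))

    headless = AgentBroker(dev, agent, policy, mode="headless")
    results = {
        "tests": headless.authorize("run_tests", "pipeline/1234"),          # pre-approved
        "ci_edit": headless.authorize("edit_ci_config", ".gitlab-ci.yml"),  # needs a human
        "push": headless.authorize("push_branch", "fix/ci"),                # policy never allowed it
        "deploy": headless.authorize("deploy_prod", "prod"),                # alice cannot, so neither can the agent
    }
    interactive = AgentBroker(dev, agent, policy, mode="interactive",
                              approver=lambda action, target: action == "run_tests")
    results["interactive_tests"] = interactive.authorize("run_tests", "pipeline/1234")
    results["interactive_ci_edit"] = interactive.authorize("edit_ci_config", ".gitlab-ci.yml")

    results["audit_ok"] = verify_audit(headless.audit)
    tampered = [dict(r) for r in headless.audit]
    tampered[1]["decision"] = "approved:preapproved"   # rewrite history after the fact
    results["tamper_detected"] = not verify_audit(tampered)
    return results, headless.audit


if __name__ == "__main__":
    summary, log = demo()
    print(json.dumps(summary, indent=2))
    print(json.dumps(log, indent=2))
```

The point of the example is the ordering of the checks: a policy allowlist is consulted before identity, identity before approval, and the headless path has no way to reach an action that neither the policy nor a human has authorized. The hash chain is what lets a reviewer later answer "what did the agent do, and can I prove it?" from the log alone.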
Key Scenario: CI/CD Automation
An AI agent in the CLI delivers the most value when debugging a broken pipeline at the end of a sprint and on multi-step development tasks. That is also the scenario where per-developer configuration and platform-level governance diverge most sharply. When an agent works inside a pipeline there is no developer watching, so nobody is there to notice a prompt injection attempt or unexpected model behaviour. Security controls have to be embedded in the platform and applied consistently across every workflow and environment.
What This Means
For engineering leaders, this means asking the right questions: does the tool provide enterprise-level controls? Does its security model still hold when no one is watching? Model flexibility and offline support matter, but it is the governance architecture underneath that determines whether such a tool can run in production.