project menus

GitLab Ultimate Project-Level Menus - Complete Guide

Last Updated: 2026-01-08 GitLab Version: 18.x series Tier: Ultimate

Plan Menu
Code Menu
Build Menu
Secure Menu
Deploy Menu
Operate Menu
Monitor Menu
Analyze Menu
Manage Menu
Settings Menu

The Plan menu provides project management and planning tools.

Issues

Path: Plan > Issues

Purpose: Track work items, bugs, features, and tasks.

Key Features:

Create, edit, and organize issues
Assign to team members (multiple assignees in Premium/Ultimate)
Set labels, milestones, iterations, and due dates
Estimate weight and track time
Link related issues and merge requests
Add attachments and detailed descriptions
Use markdown and GitLab Flavored Markdown (GLFM)
Create issue templates for consistency
Confidential issues for sensitive information
Quick actions (slash commands) for fast updates

Views:

List view with filters and sorting
Board view (see Issue boards below)
Calendar view (when dates are set)

Best Practices:

Use issue templates for common types
Apply consistent labeling conventions
Link issues to epics for portfolio tracking
Enable issue weights for capacity planning
Use time tracking for velocity metrics

Common Pitfalls:

Not using templates leads to inconsistent information
Over-complicating label hierarchies
Not closing issues when work is complete
Creating issues without clear acceptance criteria

Integration Points:

Linked to merge requests automatically via branch names
Appear in issue boards and milestones
Tracked in value stream analytics
Can trigger CI/CD pipelines
Integrated with GitLab Duo for AI assistance

Issue Boards

Path: Plan > Issue boards

Purpose: Visual Kanban-style workflow management.

Key Features:

Multiple boards per project
Customizable lists based on labels, milestones, iterations, or assignees
Drag and drop to move issues between lists
WIP (work in progress) limits
Swimlanes by epic or iteration (Ultimate)
Board scopes (filter by milestone, iteration, label, etc.)
Focus mode to hide sidebar

Types of Lists:

Open list (all open issues)
Closed list (all closed issues)
Label lists (issues with specific label)
Assignee lists (issues assigned to user)
Milestone lists (issues in milestone)
Iteration lists (issues in iteration)

Best Practices:

Create separate boards for different workflows
Use WIP limits to prevent bottlenecks
Enable swimlanes for epic tracking
Regularly groom boards to keep them current
Use scoped boards for focused views

Common Pitfalls:

Too many lists makes boards unwieldy
Not setting WIP limits allows work to accumulate
Creating boards without clear purpose
Not communicating board workflow to team

Integration Points:

Syncs with issue data in real-time
Respects issue permissions and visibility
Supports quick actions via card interactions
Integrates with milestones and iterations

Milestones

Path: Plan > Milestones

Purpose: Group issues and merge requests to track progress toward goals.

Key Features:

Create project or group-level milestones
Set start and due dates
Track progress with burndown charts (Premium/Ultimate)
View completion percentage
Filter issues and MRs by milestone
Milestone roadmaps show timeline
Description supports markdown

Milestone Types:

Project milestones (project-specific)
Group milestones (shared across group projects)

Best Practices:

Align milestones with release branches
Use group milestones for cross-project work
Set realistic dates based on capacity
Review burndown charts in standup meetings
Close milestones when complete

Common Pitfalls:

Creating too many milestones
Not closing completed milestones
Misalignment with actual release dates
Using project milestones instead of group milestones

Integration Points:

Drive release planning and tracking
Feed into value stream analytics
Support issue board filtering
Link to CI/CD release pipelines

Iterations

Path: Plan > Iterations

Purpose: Time-boxed sprints for agile teams (Premium/Ultimate).

Key Features:

Grouped into iteration cadences
Fixed duration (1-4 weeks typical)
Start and end dates required
Track burnup/burndown charts
Calculate velocity and volatility
Assign issues to iterations
View iteration reports

Cadences:

Contain multiple iterations
Define regular sprint patterns
Automatic or manual iteration creation
Configure at group level

Best Practices:

Align iteration length with team capacity
Use automated cadences for consistency
Review burndown charts daily
Track velocity across iterations
Don't overcommit iteration capacity

Common Pitfalls:

Varying iteration lengths causes inconsistent metrics
Not using cadences for regular sprints
Moving too much work between iterations
Ignoring velocity trends

Integration Points:

Issue boards support iteration swimlanes
Value stream analytics track iteration metrics
Roadmaps display iteration timelines
Productivity analytics calculate velocity

Requirements

Path: Plan > Requirements (Ultimate only)

Purpose: Track and manage product requirements.

Key Features:

Create and manage requirements
Import requirements from CSV
Mark requirements as satisfied
Link to CI test results
Track requirement status
Requirements test reports

Requirement States:

Open (not yet satisfied)
Satisfied (requirements met)
Archived (no longer relevant)

Best Practices:

Write clear, testable requirements
Link requirements to issues for traceability
Use CI jobs to automatically satisfy requirements
Regular requirement reviews
Archive obsolete requirements

Common Pitfalls:

Writing vague or untestable requirements
Not linking requirements to implementations
Manual requirement management without CI integration
Not archiving old requirements

Integration Points:

CI/CD can mark requirements as satisfied
Link to issues and epics
Export requirements data
Requirements test reports in pipelines

Wiki

Path: Plan > Wiki

Purpose: Project documentation and knowledge base.

Key Features:

Markdown, AsciiDoc, RDoc, or Org format
Wiki-specific link syntax
File uploads and attachments
Version history (Git-backed)
Clone wiki repository locally
Sidebar navigation
Search within wiki
Access control by project role

Wiki Features:

Each wiki is a separate Git repository
Edit directly in GitLab UI or clone and edit locally
Support for diagrams and images
Table of contents generation
Cross-linking between pages

Best Practices:

Use consistent page naming conventions
Create table of contents for navigation
Link related pages together
Regular documentation reviews
Use GitLab Pages for published docs

Common Pitfalls:

Duplicate information with README files
Outdated documentation
No clear structure or organization
Using wiki instead of GitLab Pages for public docs

Integration Points:

Separate from main repository
Access controlled by project permissions
Can be exported/imported
Searchable via global search

The Code menu provides access to source code, collaboration, and review tools.

Merge Requests

Path: Code > Merge requests

Purpose: Code review, collaboration, and integration workflow.

Key Features:

Create MRs from branches or commits
Code review with inline comments
Approval workflows (Premium/Ultimate)
Multiple assignees and reviewers (Premium/Ultimate)
Code quality reports
Security scanning results
Test coverage visualization
Draft MRs for work in progress
Merge request templates
Conflict resolution in UI
Merge options (merge commit, squash, rebase)

Approval Features (Premium/Ultimate):

Required number of approvals
Code owner approvals
Approval rules by file patterns
Prevent self-approval
Remove all approvals on new pushes
Require approval from specific users

GitLab Duo Features:

AI-powered code review suggestions
Automatic review comments
Code explanation and suggestions
Security vulnerability explanations

Best Practices:

Use MR templates for consistency
Keep MRs small and focused
Review promptly to avoid blocking
Use draft MRs for early feedback
Enable merge trains for main branches (Premium/Ultimate)
Require code owner approval for sensitive code

Common Pitfalls:

Large MRs that are hard to review
Not using approval rules
Merging without pipeline success
Ignoring security scan results
Not resolving all discussions

Integration Points:

Triggers CI/CD pipelines automatically
Links to related issues via branch names
Shows deployment status
Displays security and quality reports
Tracks in analytics and metrics

Repository

Path: Code > Repository

Purpose: Browse and manage source code.

Sub-sections:

Files

Browse repository file tree
View file contents with syntax highlighting
Edit files directly in web IDE
Upload files via UI
Create new files and directories
View file history and blame
Download files and folders
Open in Web IDE or Gitpod

Commits

View commit history
Filter by branch, author, time period
View commit diff
Cherry-pick commits
Revert commits
GPG signature verification
Commit signatures display

Branches

List all branches
Create new branches
Delete branches
Compare branches
Set default branch
Protected branches (see Settings)
Branch rules and protection

Contributors

View contributor statistics
Commits per contributor
Lines added/removed per author
Contribution graphs

Graph

Visualize repository history
Network graph of branches and merges
Commit flow visualization

Best Practices:

Use protected branches for main/release branches
Require GPG signatures for important branches
Regular branch cleanup
Tag releases consistently
Use semantic versioning for tags

Common Pitfalls:

Not protecting production branches
Too many stale branches
Inconsistent tagging conventions
Not using branch naming conventions

Integration Points:

Drives merge request workflows
Triggers CI/CD on branch/tag events
Links commits to issues automatically
Feeds repository analytics

Snippets

Path: Code > Snippets

Purpose: Share code fragments and scripts.

Key Features:

Create public, internal, or private snippets
Multiple files per snippet
Version control for snippets
Clone snippets as Git repositories
Embed snippets in other pages
Syntax highlighting
Comments and discussions

Snippet Types:

Project snippets (tied to project)
Personal snippets (user-owned)

Best Practices:

Use snippets for reusable code templates
Share common scripts across team
Version control important snippets
Use clear naming and descriptions

Common Pitfalls:

Using snippets instead of proper files in repo
Not organizing snippets effectively
Creating private snippets that should be shared

Integration Points:

Can be referenced in issues and MRs
Embeddable in wikis and documentation
Searchable via global search

Code Owners

Path: Code > Code owners (Premium/Ultimate)

Purpose: Define ownership of code paths for automatic review assignment.

Key Features:

Define owners in CODEOWNERS file
Automatic reviewer assignment
Required approvals from code owners
Multiple owners per path
Group and user ownership
Pattern matching for paths

CODEOWNERS Syntax:

# Default owners
*       @default-team

# Directory owners
/docs/  @docs-team
/api/   @backend-team @api-lead

# File pattern owners
*.js    @frontend-team
*.rb    @backend-team

# Specific file owners
/config/database.yml @dba-team

Best Practices:

Start with broad patterns, refine as needed
Use teams/groups instead of individual users
Require code owner approval on protected branches
Regular review of CODEOWNERS accuracy
Document ownership decisions

Common Pitfalls:

Too granular ownership slows reviews
Not keeping CODEOWNERS updated
Ownership conflicts between patterns
Single points of failure with individual owners

Integration Points:

Automatic reviewer assignment on MRs
Approval rules in merge requests
Security policies and compliance
Branch protection rules

The Build menu manages CI/CD pipelines and automation.

Pipelines

Path: Build > Pipelines

Purpose: View and manage CI/CD pipeline execution.

Key Features:

View pipeline status and history
Filter by status, branch, tag, source
Retry failed pipelines
Cancel running pipelines
Manual job triggering
Pipeline visualization
Downstream pipelines
Pipeline success rate charts

Pipeline Views:

List view with status and timing
Graph view showing job dependencies
Stage visualization
Needs relationships displayed

Pipeline Types:

Branch pipelines
Tag pipelines
Merge request pipelines
Scheduled pipelines
Parent-child pipelines
Multi-project pipelines

Best Practices:

Monitor pipeline success rates
Optimize slow stages
Use pipeline caching effectively
Fail fast for quick feedback
Use parallel jobs for speed
Implement pipeline efficiency features

Common Pitfalls:

Overly complex pipelines
Not using caching
Sequential jobs that could be parallel
Ignoring failed pipeline notifications
Not cleaning up old artifacts

Integration Points:

Triggered by commits, MRs, schedules
Produces artifacts and reports
Updates merge request status
Feeds CI/CD analytics
Deployment tracking

Jobs

Path: Build > Jobs

Purpose: View individual job execution within pipelines.

Key Features:

View job logs
Download job artifacts
Retry failed jobs
Cancel running jobs
View job dependencies (needs)
Job artifacts browser
Job trace viewer with ANSI color support

Job States:

Pending (waiting for runner)
Running (currently executing)
Success (completed successfully)
Failed (exited with error)
Canceled (manually stopped)
Skipped (not executed)
Manual (waiting for manual trigger)

Best Practices:

Monitor job failure patterns
Use artifacts for inter-job communication
Set appropriate job timeouts
Use cache for faster execution
Parallelize independent jobs

Common Pitfalls:

Jobs running longer than necessary
Not using job artifacts effectively
Insufficient logging for debugging
Not setting job resource limits

Integration Points:

Execute pipeline stages
Generate artifacts and reports
Mark requirements as satisfied
Update deployment status

Artifacts

Path: Build > Artifacts

Purpose: Store and manage build outputs and test results.

Key Features:

Browse all project artifacts
Download individual artifacts
Bulk delete artifacts
Artifact expiration settings
Browse artifact contents
Link artifacts between jobs

Artifact Types:

Build artifacts (binaries, packages)
Test reports (JUnit, etc.)
Coverage reports
Code quality reports
Security scan results
Performance test results

Best Practices:

Set appropriate expiration times
Use artifact dependencies for pipeline efficiency
Compress large artifacts
Regular artifact cleanup
Use package registry for final artifacts

Common Pitfalls:

No expiration leads to storage issues
Artifacts too large
Not compressing artifacts
Storing artifacts that should be in package registry

Integration Points:

Passed between pipeline jobs
Displayed in merge requests
Used for deployment
Available via API

Pipeline Editor

Path: Build > Pipeline editor

Purpose: Edit and validate .gitlab-ci.yml configuration.

Key Features:

Syntax highlighting
Real-time validation
Visual pipeline graph
Include file expansion
Full configuration view
Commit changes directly
Create new branches
Lint configuration before commit

Editor Features:

Validates YAML syntax
Validates GitLab CI keywords
Shows included configuration
Displays job dependencies
Error messages with line numbers

Tabs:

Edit (YAML editor)
Visualize (pipeline graph)
Lint (validation)
Merged YAML (expanded includes)

Best Practices:

Use include for reusable configuration
Validate before committing
Review merged YAML for includes
Test changes in feature branches
Use extends for DRY configuration

Common Pitfalls:

Not validating before commit
Overly complex nested includes
Not testing CI changes
Ignoring validation warnings

Integration Points:

Edits .gitlab-ci.yml file
Triggers pipeline on commit
Shows validation errors
Supports CI/CD components

Pipeline Schedules

Path: Build > Pipeline schedules

Purpose: Run pipelines on a recurring schedule.

Key Features:

Cron-based scheduling
Custom variables per schedule
Active/inactive toggle
Timezone selection
Branch/tag targeting
Schedule history
Take ownership of schedules

Schedule Configuration:

Cron expression for timing
Target branch or tag
Custom CI/CD variables
Active/inactive status
Next run time displayed

Best Practices:

Use schedules for nightly builds
Run security scans on schedule
Clean up resources periodically
Avoid overlapping schedules
Use meaningful schedule descriptions

Common Pitfalls:

Too frequent schedules waste resources
Not considering timezone
Schedules running on wrong branch
No cleanup of failed scheduled pipelines

Integration Points:

Creates scheduled pipelines
Uses project runners
Can trigger downstream pipelines
Sends pipeline notifications

The Secure menu provides security scanning and vulnerability management (Ultimate tier).

Vulnerability Report

Path: Secure > Vulnerability report (Ultimate)

Purpose: Consolidated view of all security vulnerabilities.

Key Features:

All vulnerabilities from default branch
Filter by severity, status, scanner, activity
Sort by various attributes
Bulk dismiss vulnerabilities
Create issues from vulnerabilities
Dismiss with reason
Track remediation status

Vulnerability Severities:

Critical
High
Medium
Low
Info
Unknown

Vulnerability States:

Detected
Confirmed
Dismissed
Resolved

Scanner Types:

SAST (Static Application Security Testing)
DAST (Dynamic Application Security Testing)
Dependency Scanning
Container Scanning
Coverage Fuzzing
API Fuzzing
Secret Detection

Best Practices:

Review vulnerabilities regularly
Prioritize by severity and exploitability
Create issues for remediation
Document dismissal reasons
Track time to resolve

Common Pitfalls:

Dismissing without investigation
Not prioritizing critical vulnerabilities
Ignoring dependency updates
No process for vulnerability triage

Integration Points:

Populated by security scanners in pipelines
Creates issues automatically or manually
Feeds security dashboard
Tracks in compliance reports

Dependency List

Path: Secure > Dependency list (Ultimate)

Purpose: Software Bill of Materials (SBOM) and dependency tracking.

Key Features:

List all project dependencies
View dependency licenses
See known vulnerabilities per dependency
Filter by license type
Search dependencies
Export dependency data
CycloneDX format support

Dependency Information:

Package name and version
Direct vs transitive dependencies
License information
Known vulnerabilities
Package manager (npm, pip, maven, etc.)

Best Practices:

Regular dependency audits
Update vulnerable dependencies
Track license compliance
Use dependency scanning in CI/CD
Maintain allowed license list

Common Pitfalls:

Not reviewing transitive dependencies
Ignoring license compliance
Outdated dependencies
No process for dependency updates

Integration Points:

Generated by dependency scanning jobs
Linked to vulnerability report
Supports license compliance
Exports to compliance tools

License Compliance

Path: Secure > License compliance (Ultimate)

Purpose: Track and manage open source licenses.

Key Features:

Detect licenses from dependencies
Approve/deny license policies
Set default license policy
View license dependencies
Export license reports
CycloneDX SBOM integration

License Status:

Allowed (approved for use)
Denied (not permitted)
Unclassified (needs review)

Best Practices:

Define clear license policies
Review new licenses promptly
Document approval decisions
Regular license audits
Fail pipelines on denied licenses

Common Pitfalls:

No defined license policy
Allowing incompatible licenses
Not reviewing license changes
Manual license tracking

Integration Points:

Uses dependency scanning results
Analyzes CycloneDX SBOMs
Can block merge requests
Compliance reporting

Policies

Path: Secure > Policies (Ultimate)

Purpose: Define and enforce security policies.

Policy Types:

Scan Execution Policy

Enforce security scans in pipelines
Require specific scanners
Apply to projects or groups
Schedule recurring scans

Merge Request Approval Policy

Require approvals based on security findings
Automatic approval rules
Prevent merging with vulnerabilities

Pipeline Execution Policy

Control CI/CD execution
Enforce compliance requirements

Vulnerability Management Policy

Auto-remediation workflows
Notification rules

Best Practices:

Start with scan execution policies
Gradually add approval requirements
Test policies in test projects first
Document policy requirements
Regular policy reviews

Common Pitfalls:

Overly strict policies block work
Policies without clear ownership
Not communicating policy changes
No process for policy exceptions

Integration Points:

Enforces security scanning
Controls merge request approvals
Compliance framework integration
Audit event tracking

Audit Events

Path: Secure > Audit events (Premium/Ultimate)

Purpose: Track all security-relevant changes.

Key Features:

Comprehensive audit log
Filter by user, date, event type
Export audit logs
Stream to external systems (Ultimate)
Retained indefinitely

Tracked Events:

User additions/removals
Permission changes
Settings modifications
Protected branch changes
Approval rule changes
Many more security events

Best Practices:

Regular audit log reviews
Set up audit streaming for SIEM
Monitor for suspicious activity
Document investigation findings
Compliance reporting from audits

Common Pitfalls:

Not reviewing audit logs
No alerting on critical events
Audit logs not integrated with SIEM
No retention policy documented

Integration Points:

Records all security events
Streams to external systems
Compliance reporting
Security investigation

The Deploy menu manages releases and package distribution.

Releases

Path: Deploy > Releases

Purpose: Create and manage software releases.

Key Features:

Create releases from tags
Release descriptions (markdown)
Link to milestones
Attach release assets
Release evidence (audit trail)
Release API for automation

Release Components:

Tag (required)
Title and description
Release assets (links to artifacts)
Milestones (track released issues)
Release notes (auto-generated or manual)

Best Practices:

Semantic versioning for tags
Comprehensive release notes
Link related milestones
Generate changelogs automatically
Store release artifacts properly

Common Pitfalls:

Inconsistent version numbering
Missing release notes
Not linking milestones
Manual release process

Integration Points:

Created from CI/CD pipelines
Links to tags and commits
Closes milestone issues
Deployment tracking

Package Registry

Path: Deploy > Package registry

Purpose: Host and manage software packages.

Supported Formats:

npm (Node.js)
Maven (Java)
PyPI (Python)
NuGet (.NET)
Composer (PHP)
Conan (C/C++)
Gem (Ruby)
Terraform modules
Generic packages

Key Features:

Project and group-level registries
Public and private packages
Package versions and dependencies
Delete packages
Package metadata
Download statistics
Virtual registry (caching/proxy)

Best Practices:

Use group registry for shared packages
Version packages semantically
Clean up old package versions
Use CI/CD to publish packages
Document package usage

Common Pitfalls:

Publishing to wrong registry
Not cleaning up old versions
Hardcoding package registry URLs
Not using authentication tokens

Integration Points:

Published from CI/CD
Consumed by downstream projects
Dependency scanning
License compliance tracking

Container Registry

Path: Deploy > Container registry

Purpose: Store and manage container images.

Key Features:

Docker V2 and OCI format support
Project-level registries
Tag management
Delete images and tags
Cleanup policies
Pull/push via Docker CLI
Vulnerability scanning integration

Container Features:

Multi-architecture support
Image signatures
Retention policies
Cleanup rules (automatic deletion)
Storage usage tracking

Best Practices:

Use cleanup policies to manage storage
Tag images with commit SHA
Scan images for vulnerabilities
Use multi-stage builds
Implement image signing

Common Pitfalls:

No cleanup policy leads to storage issues
Using :latest tag in production
Not scanning images
Large image sizes

Integration Points:

Built in CI/CD pipelines
Scanned by container scanning
Deployed to Kubernetes
Tracked in deployments

Model Registry

Path: Deploy > Model registry

Purpose: Store and manage ML models.

Key Features:

Version ML models
Store model artifacts
Track model metadata
Model lineage tracking
Deploy models to inference

Best Practices:

Version models consistently
Store model training metadata
Track model performance metrics
Document model usage

Common Pitfalls:

Not versioning models
Missing model documentation
No model validation

Integration Points:

MLOps pipelines
Model deployment
Experiment tracking

The Operate menu manages infrastructure and operations.

Environments

Path: Operate > Environments

Purpose: Track deployments across environments.

Key Features:

View all environments
Deployment history per environment
Rollback deployments
Stop environments
Protected environments (Premium/Ultimate)
Auto-stop environments
Environment tiers (production, staging, etc.)

Environment Types:

Static (production, staging, dev)
Dynamic (review apps, ephemeral)
Kubernetes integration

Best Practices:

Use protected environments for production
Auto-stop review apps
Track deployment frequency
Monitor environment health
Clear naming conventions

Common Pitfalls:

Too many manual environments
Not auto-stopping unused environments
Inconsistent environment names
No environment protection

Integration Points:

Populated by deployment jobs
Kubernetes cluster integration
Feature flags per environment
Monitoring integration

Feature Flags

Path: Operate > Feature flags (Premium/Ultimate)

Purpose: Control feature rollouts without redeployment.

Key Features:

Create feature flags
Environment-specific flags
Percentage-based rollouts
User targeting
Based on Unleash
API access for applications

Feature Flag Strategies:

All users (on/off)
Percentage of users
User targeting
Environment-specific

Best Practices:

Use for gradual rollouts
Test in non-production first
Monitor flag usage
Clean up old flags
Document flag purpose

Common Pitfalls:

Too many feature flags
Not removing old flags
No documentation
Feature flags in code forever

Integration Points:

Accessed via Unleash API
Application integration required
Deployment strategy
Progressive delivery

Terraform States

Path: Operate > Terraform states (Premium/Ultimate)

Purpose: Manage Terraform state files.

Key Features:

Store Terraform state remotely
State locking
State versioning
State history
Remove states
Custom roles can restrict access (Ultimate)

Best Practices:

Use GitLab for state backend
Lock state during operations
Regular state backups
Restrict state access
Document infrastructure changes

Common Pitfalls:

Not using remote state
Committing state to repository
No state locking
Overly permissive access

Integration Points:

Terraform backend configuration
CI/CD for infrastructure
Audit state changes
Access control

Kubernetes

Path: Operate > Kubernetes (Premium/Ultimate)

Purpose: Manage Kubernetes cluster connections.

Key Features:

Connect Kubernetes clusters
GitLab Agent for Kubernetes
View cluster information
Deploy to clusters
GitOps deployments

Agent Features:

Secure cluster connection
No exposed credentials
Pull-based deployments
Real-time synchronization

Best Practices:

Use GitLab Agent (not certificates)
One agent per cluster
GitOps for deployments
Monitor agent status
Regular agent updates

Common Pitfalls:

Using deprecated certificate method
Exposing cluster credentials
Not monitoring agent health
Manual deployments

Integration Points:

CI/CD deployments
Environment tracking
Auto DevOps
GitOps workflows

The Monitor menu provides observability and incident management.

Incidents

Path: Monitor > Incidents

Purpose: Track and manage production incidents.

Key Features:

Create incident issues
Incident templates
Link to alerts
Incident timeline
Escalation policies
On-call scheduling integration

Incident Workflow:

Alert triggers incident
Team responds and troubleshoots
Document in incident timeline
Resolve incident
Post-incident review

Best Practices:

Use incident templates
Document timeline thoroughly
Conduct blameless post-mortems
Track MTTR metrics
Automate incident creation

Common Pitfalls:

Not documenting incidents
Missing post-incident reviews
Manual incident creation
No escalation process

Integration Points:

Created from alerts
Links to monitoring data
Tracks in DORA metrics
Audit trail

Error Tracking

Path: Monitor > Error tracking

Purpose: Aggregate and manage application errors.

Key Features:

Error grouping and deduplication
Error frequency and trends
Stack traces and context
Assign errors to users
Resolve/ignore errors
Sentry integration or GitLab backend

Error Information:

Error message and type
Stack trace
Occurrence count
First and last seen
Affected users

Best Practices:

Integrate with error tracking SDK
Triage errors by frequency
Set up error alerts
Track error resolution
Release correlation

Common Pitfalls:

Not integrating error tracking
Ignoring low-frequency errors
No error alerting
Missing error context

Integration Points:

Sentry SDK integration
Links to commits and releases
Creates issues from errors
Tracks in monitoring

Observability

Path: Monitor > Observability

Purpose: Unified observability platform (traces, metrics, logs).

Sub-sections:

Dashboards

Create custom dashboards
Visualize metrics
PromQL queries
Share dashboards

Explore

Query observability data
Trace analysis
Log exploration
Metric queries

Logs

Centralized log aggregation
Log search and filtering
ClickHouse backend
Correlation with traces

Traces

Distributed tracing
OpenTelemetry integration
Trace visualization
Service dependencies
Performance analysis

Metrics

Application metrics
Infrastructure metrics
Custom metrics
Prometheus integration

Best Practices:

Enable OpenTelemetry in applications
Create dashboards for key metrics
Set up alerts on SLOs
Correlate logs, traces, metrics
Track golden signals

Common Pitfalls:

Not instrumenting applications
Too many metrics
No log retention policy
Ignoring trace data

Integration Points:

OpenTelemetry SDK
Prometheus exporters
Log forwarders
Alert manager

Alerts

Path: Monitor > Alerts

Purpose: Configure and manage alerting rules.

Key Features:

Prometheus-based alerts
Alert rules configuration
Alert notifications
Integration with incident management
Silence alerts
Alert history

Best Practices:

Alert on symptoms, not causes
Avoid alert fatigue
Clear alert descriptions
Escalation policies
Regular alert review

Common Pitfalls:

Too many alerts
Unclear alert messages
No escalation
Alerts without runbooks

Integration Points:

Creates incidents
Sends notifications
DORA metrics
On-call integrations

The Analyze menu provides metrics and analytics for continuous improvement.

Value Stream Analytics

Path: Analyze > Value stream analytics (Premium/Ultimate)

Purpose: Measure and optimize software delivery performance.

Key Features:

DORA metrics
Custom value streams
Stage time analysis
Filter by label, author, milestone
Historical trends
Bottleneck identification

DORA Metrics:

Deployment frequency
Lead time for changes
Change failure rate
Time to restore service

Value Stream Stages:

Issue Commit
Commit Merge
Merge Deploy
Deploy Production
Custom stages

Best Practices:

Track DORA metrics weekly
Identify and address bottlenecks
Set improvement goals
Share metrics with team
Continuous optimization

Common Pitfalls:

Not acting on insights
Comparing teams unfairly
Gaming metrics
No baseline measurement

Integration Points:

Aggregates data from issues, MRs, deployments
Feeds dashboards
API access for reporting
Executive visibility

CI/CD Analytics

Path: Analyze > CI/CD analytics

Purpose: Track pipeline performance and reliability.

Key Features:

Pipeline success rate
Pipeline duration trends
Failed pipeline analysis
Filter by branch, date range
95th percentile timing
Median duration

Metrics:

Success vs failure rate
Duration over time
Most frequent failures
Pipeline efficiency

Best Practices:

Monitor success rate weekly
Investigate failure patterns
Optimize slow pipelines
Track improvement over time

Common Pitfalls:

Ignoring failed pipelines
Not optimizing slow stages
No baseline metrics
Accepting poor success rates

Integration Points:

Pipeline execution data
Job timing information
Feeds executive dashboards

Code Review Analytics

Path: Analyze > Code review analytics (Premium/Ultimate)

Purpose: Measure code review efficiency.

Key Features:

Open MR with at least one comment
Comments per MR
Time to first comment
Time to merge
Commits per MR
Identify slow reviews

Use Cases:

Identify complex code
Training needs
Process bottlenecks
Team capacity

Best Practices:

Regular review of metrics
Address slow review times
Balance workload
Improve MR size

Common Pitfalls:

Not addressing long review times
Ignoring MR complexity
No review SLAs
Gaming metrics

Integration Points:

Merge request data
Comment history
Productivity analytics

Repository Analytics

Path: Analyze > Repository analytics

Purpose: Track repository activity and growth.

Key Features:

Commit count over time
Code coverage trends
Programming language breakdown
Commit activity by hour/day
Top contributors

Best Practices:

Monitor coverage trends
Celebrate contributions
Identify inactive periods

Common Pitfalls:

Focusing only on commit count
Ignoring test coverage
Not recognizing contributors

Integration Points:

Commit history
Coverage reports
Contributor statistics

Merge Request Analytics

Path: Analyze > Merge request analytics (Premium/Ultimate)

Purpose: Track merge request metrics.

Key Features:

MRs merged per month
Average time to merge
Throughput trends
Filter by label, milestone

Best Practices:

Track monthly trends
Set time-to-merge goals
Improve throughput

Common Pitfalls:

Optimizing only speed
Ignoring quality
No baseline

Integration Points:

MR completion data
Value stream analytics

Productivity Analytics

Path: Analyze > Productivity analytics (Premium/Ultimate)

Purpose: Analyze team productivity and efficiency.

Key Features:

Days to merge distribution
Commit frequency
Lines of code changed
Comments per MR
File changes

Use Cases:

Identify slowdowns
Training opportunities
Process optimization
Capacity planning

Best Practices:

Use as conversation starters
Don't use for performance reviews
Look for patterns, not individuals
Combine with qualitative feedback

Common Pitfalls:

Using for individual assessment
Gaming metrics
Focusing on wrong metrics
No action on insights

Integration Points:

MR data
Commit data
Code review analytics

Insights

Path: Analyze > Insights (Ultimate)

Purpose: Custom analytics dashboards.

Key Features:

Custom YAML-defined dashboards
Charts and visualizations
Issue and MR data
Share across organization

Best Practices:

Create role-specific dashboards
Regular dashboard reviews
Share with stakeholders

Common Pitfalls:

Too complex dashboards
Not maintaining dashboards
No clear purpose

Integration Points:

Issue and MR data
Custom queries
Executive reporting

The Manage menu provides access and member management.

Members

Path: Manage > Members

Purpose: Manage project members and permissions.

Key Features:

Add users and groups
Assign roles (Guest, Reporter, Developer, Maintainer, Owner)
Set expiration dates
Invite via email
Pending invitations
Inherited members from groups

Roles and Permissions:

Guest: View issues and leave comments
Reporter: View code, create issues
Developer: Push code, manage issues
Maintainer: Manage project settings, merge to protected branches
Owner: Full project access including deletion

Best Practices:

Principle of least privilege
Regular access reviews
Use groups for team management
Set expiration for temporary access
Document permission decisions

Common Pitfalls:

Over-permissioning users
Not reviewing memberships
Individual instead of group management
No offboarding process

Integration Points:

Authentication system
Group membership
Audit logging
Compliance tracking

The Settings menu configures project behavior and integrations.

General

Path: Settings > General

Purpose: Core project configuration.

Sections:

Naming, topics, avatar

Project name and description
Project avatar
Topics for discovery

Visibility, project features, permissions

Project visibility (Private, Internal, Public)
Enable/disable features (issues, MRs, wiki, etc.)
Forking permissions
Analytics access level

Badges

Project badges (build status, coverage, etc.)
Link and image URLs

Service Desk

Enable email support
Custom email address
Templates

Compliance frameworks

Apply compliance frameworks (Ultimate)

Advanced

Transfer project
Archive project
Delete project
Change path

Best Practices:

Clear project description
Appropriate visibility level
Disable unused features
Regular settings review

Common Pitfalls:

Wrong visibility level
Leaving all features enabled
No compliance framework
Unclear project purpose

Integrations

Path: Settings > Integrations

Purpose: Connect external services.

Available Integrations:

Jira
Slack
Microsoft Teams
Prometheus
Datadog
PagerDuty
Jenkins
Asana
Custom webhooks
50+ more integrations

Integration Features:

Service-specific configuration
Test connection
Enable/disable per project
Inherited from group/instance

Best Practices:

Enable relevant integrations
Test before enabling
Document integration purpose
Regular integration review

Common Pitfalls:

Duplicate integrations
Not testing connections
Exposed credentials
Unused integrations

Webhooks

Path: Settings > Webhooks

Purpose: Send event notifications to external URLs.

Key Features:

Custom webhook URLs
Select trigger events
Secret tokens
SSL verification
Recent deliveries
Test webhooks

Trigger Events:

Push events
Tag events
Issues events
Merge requests events
Wiki page events
Deployment events
Release events
20+ more event types

Best Practices:

Use secret tokens
Enable SSL verification
Monitor webhook deliveries
Clear webhook descriptions
Test webhooks

Common Pitfalls:

Insecure webhooks
Too many webhooks
Not monitoring failures
Exposed endpoints

Access Tokens

Path: Settings > Access tokens

Purpose: Create project access tokens for API/Git access.

Key Features:

Create scoped tokens
Set expiration dates
Define permissions (read/write)
Revoke tokens
Audit token usage

Token Scopes:

api (full API access)
read_api (read-only API)
read_repository (clone, pull)
write_repository (push)
read_registry
write_registry

Best Practices:

Minimum required scopes
Set expiration dates
Rotate tokens regularly
Audit token usage
Revoke unused tokens

Common Pitfalls:

Overly permissive scopes
No expiration
Committed tokens in code
Shared tokens

Repository

Path: Settings > Repository

Purpose: Configure repository behavior.

Sections:

Branch defaults

Default branch
Auto-close referenced issues

Protected branches

Define protected branches
Merge/push permissions
Code owner approval
Allowed to merge/push

Protected tags

Define protected tags
Create permissions

Deploy keys

Add SSH keys for deployment
Read-only or read-write

Deploy tokens

Create tokens for deployment
Registry access

Branch rules (Premium/Ultimate)

Advanced protection rules
Status check requirements

Push rules (Premium/Ultimate)

Commit message format
Branch name patterns
File size limits
Author email verification

Best Practices:

Protect main/release branches
Require code owner approval
Use push rules for consistency
Regular deploy key rotation

Common Pitfalls:

Unprotected main branch
No push rules
Overly permissive protection
Stale deploy keys

Merge Requests

Path: Settings > Merge requests

Purpose: Configure merge request behavior.

Sections:

Merge method

Merge commit
Merge commit with semi-linear history
Fast-forward merge

Merge options

Enable "Delete source branch" option
Automatically resolve merge request diff discussions
Show link to create MR from push
Enable merged results pipelines

Squash commits

Allow, encourage, require, or forbid

Merge checks

Pipelines must succeed
All threads must be resolved
Status checks must pass

Merge suggestions

Commit message template

Merge request approvals (Premium/Ultimate)

Approval rules
Required approvals
Code owner approval
Prevent approval by author
Require re-approval on push

Best Practices:

Require pipeline success
Enable merge trains (Premium/Ultimate)
Squash commits for clean history
Code owner approval for critical paths
Clear merge commit messages

Common Pitfalls:

Allowing merge without pipeline
No approval requirements
Inconsistent merge strategy
Self-approval enabled

CI/CD

Path: Settings > CI/CD

Purpose: Configure CI/CD behavior.

Sections:

General pipelines

Pipeline visibility
Git strategy (fetch vs clone)
Pipeline triggers
Custom CI config path

Auto DevOps

Enable Auto DevOps
Deployment strategy
Domain configuration

Runners

Available runners
Enable/disable specific runners
Runner tags

Artifacts

Artifact expiration
Keep artifacts from most recent success
Maximum artifact size

Variables

CI/CD environment variables
Protected variables
Masked variables
Variable precedence

Pipeline schedules

(Manage schedules)

Deploy keys

Repository deploy keys

Deploy tokens

Registry deploy tokens

Token access

Limit job token scope

Best Practices:

Use variables for configuration
Protect sensitive variables
Set reasonable artifact expiration
Limit job token scope
Use specific runners for sensitive jobs

Common Pitfalls:

Exposed secrets in variables
No artifact expiration
Overly permissive job tokens
Using shared runners for sensitive code

Packages and Registries

Path: Settings > Packages and registries

Purpose: Configure package and container registry settings.

Sections:

Package registry

Enable/disable package types
Cleanup policies

Container registry

Container registry cleanup policies
Protection rules
Regex patterns for cleanup

Cleanup Policies:

Keep N most recent tags
Remove tags older than X days
Name regex patterns
Run cleanup on schedule

Best Practices:

Enable cleanup policies
Protect production images
Regular tag cleanup
Documented naming conventions

Common Pitfalls:

No cleanup policy
Accumulating storage
Deleting production images
Inconsistent tagging

Monitor

Path: Settings > Monitor

Purpose: Configure monitoring and alerting.

Sections:

Error tracking

Enable error tracking
Sentry configuration
API URL and auth token

Alerts

Alert integrations
Notification settings

Incidents

Incident settings
Templates

Best Practices:

Enable error tracking
Configure alerting
Set up incident templates
Test integrations

Common Pitfalls:

No error tracking
Alerts not configured
Missing incident templates
Untested integrations

Usage Quotas

Path: Settings > Usage quotas

Purpose: Monitor project resource usage.

Tracked Resources:

Storage usage
Repository size
LFS objects
Build artifacts
Packages
Wiki size
Container registry

Best Practices:

Monitor usage regularly
Clean up old artifacts
Use cleanup policies
Archive old data

Common Pitfalls:

Hitting storage limits
Not cleaning artifacts
Excessive LFS usage
No monitoring

Sources

This comprehensive documentation is compiled from official GitLab resources:

project menus

GitLab Ultimate Project-Level Menus - Complete Guide

Table of Contents

Plan Menu

Issues

Issue Boards

Milestones

Iterations

Requirements

Wiki

Code Menu

Merge Requests

Repository

Files

Commits

Branches

Tags

Contributors

Graph

Snippets

Code Owners

Build Menu

Pipelines

Jobs

Artifacts

Pipeline Editor

Pipeline Schedules

Secure Menu

Vulnerability Report

Dependency List

License Compliance

Policies

Scan Execution Policy

Merge Request Approval Policy

Pipeline Execution Policy

Vulnerability Management Policy

Audit Events

Deploy Menu

Releases

Package Registry

Container Registry

Model Registry

Operate Menu

Environments

Feature Flags

Terraform States

Kubernetes

Monitor Menu

Incidents

Error Tracking

Observability

Dashboards

Explore

Logs

Traces

Metrics

Alerts

Analyze Menu

Value Stream Analytics

CI/CD Analytics

Code Review Analytics

Repository Analytics

Merge Request Analytics

Productivity Analytics

Insights

Manage Menu

Members

Settings Menu

General

Naming, topics, avatar

Visibility, project features, permissions

Badges

Service Desk

Compliance frameworks

Advanced

Integrations

Webhooks

Access Tokens

Repository

Branch defaults