best practices

GitLab Duo Best Practices - When and How to Use AI Effectively

Overview

This guide provides best practices for using GitLab Duo effectively, including when to use AI, when not to, cost management, privacy considerations, and prompt engineering techniques.

When to Use AI

Excellent Use Cases

1. Boilerplate Code Generation

Use AI for:

CRUD operations
API endpoint scaffolding
Database models
Standard configurations
Test file templates

Example:

Prompt: "Create a FastAPI endpoint for user CRUD operations with SQLAlchemy models"

Result: Complete, production-ready code in seconds

2. Code Explanation and Documentation

Use AI for:

Understanding unfamiliar codebases
Explaining complex algorithms
Generating documentation
Creating API references
Writing docstrings

Example:

Prompt: "Explain this recursive function and add comprehensive docstring"

Result: Clear explanation + well-formatted documentation

3. Test Generation

Use AI for:

Unit test generation
Test case ideation
Edge case identification
Mock data creation
Test fixtures

Example:

Prompt: "/tests using pytest with fixtures and edge cases"

Result: Comprehensive test suite with 90%+ coverage

4. Code Review and Quality

Use AI for:

Initial code review pass
Security vulnerability detection
Best practice verification
Performance issue identification
Code complexity analysis

Example:

Result: Identifies 5 potential issues before human review

5. Refactoring Assistance

Use AI for:

Breaking down large functions
Extracting common patterns
Applying design patterns
Improving code organization
Modernizing legacy code

Example:

Prompt: "Refactor this 200-line function into smaller, testable units"

Result: Well-organized, maintainable code

6. Bug Investigation

Use AI for:

Root cause analysis
Error message interpretation
Stack trace analysis
Historical issue correlation
Fix suggestions

Example:

Result: "Bug caused by race condition in async code. Fix: Add lock."

7. Migration and Conversion

Use AI for:

CI/CD configuration conversion
Framework migrations
Language translations
API version upgrades
Dependency updates

Example:

Prompt: "Convert this GitHub Actions workflow to GitLab CI"

Result: Correct .gitlab-ci.yml with best practices

Good Use Cases (With Caution)

1. Algorithm Implementation

Use AI, but:

Verify correctness
Check complexity
Add comprehensive tests
Review edge cases

Example:

Prompt: "Implement a balanced binary search tree"

Action: Review and test thoroughly

2. Complex Business Logic

Use AI, but:

Provide detailed context
Verify against requirements
Have domain expert review
Add extensive documentation

3. Security-Sensitive Code

Use AI, but:

Security team review required
Additional security scanning
Penetration testing
Compliance verification

When NOT to Use AI

1. Mission-Critical Code

Avoid AI for:

Payment processing
Authentication/authorization
Encryption implementation
Safety-critical systems
Medical/financial algorithms

Reason: Requires expert human review and validation

2. Novel Algorithms

Avoid AI for:

Cutting-edge research implementations
Custom optimization algorithms
Novel data structures
Proprietary algorithms

Reason: AI trained on existing patterns, not novel solutions

3. Highly Regulated Compliance

Avoid AI for:

HIPAA-compliant code (without review)
PCI-DSS implementations
SOC 2 controls
Industry-specific regulations

Reason: Legal and compliance requirements

4. Complex State Management

Use caution with:

Multi-threaded synchronization
Distributed systems coordination
Complex state machines
Real-time systems

Reason: Subtle bugs can be introduced

5. Performance-Critical Code

Use caution with:

High-frequency trading systems
Real-time video processing
Game engines
Low-latency networking

Reason: Requires performance analysis and optimization

Prompt Engineering

Effective Prompts

1. Be Specific

Poor:

"Add authentication"

Good:

"Implement JWT-based authentication for a FastAPI application using:
- RS256 algorithm
- 1-hour token expiration
- Refresh token support
- Role-based access control
- Rate limiting on auth endpoints"

2. Provide Context

Poor:

"Fix this bug"

Good:

"This function occasionally returns None when it should return a User object.
Context:
- Occurs ~5% of the time
- Only with concurrent requests
- Started after adding caching
- Error log: [attach log]
- Related code: [attach related functions]"

3. Specify Constraints

Poor:

"Write a function to process payments"

Good:

"Write a payment processing function with:
- Language: Python 3.11
- Framework: Stripe API
- Requirements:
  - Idempotent operations
  - Comprehensive error handling
  - Transaction logging
  - PCI-DSS compliant
  - Async/await
- Return: Payment object or raise PaymentError"

4. Include Examples

Good:

"Generate tests for this authentication function.
Similar to existing tests in tests/test_auth.py:
- Use pytest fixtures
- Test happy path + 5 error cases
- Mock external API calls
- Check for security vulnerabilities"

5. Iterative Refinement

First Prompt:

"Create a user registration API endpoint"

Refine:

"Add email validation and password strength requirements"

Refine:

"Add rate limiting (5 requests/minute) and CAPTCHA verification"

Prompt Patterns

The Persona Pattern

"You are a senior Python security engineer specializing in OAuth2.
Review this authentication code for security vulnerabilities,
focusing on token handling and session management."

The Template Pattern

"Using this template:
[paste template]

Create a similar implementation for:
[describe requirements]"

The Constraint Pattern

"Implement user search with these constraints:
- Response time < 100ms
- Handle 1000 concurrent requests
- Support fuzzy matching
- Database: PostgreSQL
- Cache: Redis
- Budget: 2GB memory"

The Example Pattern

"Here's how we handle database connections:
[paste example]

Create similar code for:
[new requirement]"

Code Review with AI

Review Workflow

1. AI First Pass

# Automated AI review on MR creation
mr:ai-review:
  script:
    - gitlab-duo review-mr $CI_MERGE_REQUEST_IID
  rules:
    - if: $CI_MERGE_REQUEST_ID
      when: always

2. Address AI Feedback

Review AI suggestions:

Security issues: Address immediately
Best practices: Consider and apply
Style: Follow team standards
Complexity: Refactor if valid

3. Human Review

Human reviewers focus on:

Business logic correctness
Architecture decisions
API design
User experience
Performance implications

Review Checklist

What AI Checks:

Syntax errors
Common bugs
Security vulnerabilities
Code style
Test coverage
Documentation

What Humans Check:

Requirements fulfillment
Design patterns appropriateness
API usability
Performance implications
Maintainability
Team conventions

Security Best Practices

1. Never Trust AI-Generated Security Code

Always:

Security team review required
Additional security scanning
Penetration testing
Manual code review

Example:

# AI-generated encryption code
#  REQUIRE SECURITY TEAM REVIEW

def encrypt_data(data: str, key: str) -> str:
    """Encrypt sensitive data"""
    # Even if this looks correct, have security team verify
    ...

2. Scan AI-Generated Dependencies

# Always scan for vulnerabilities
security:scan:
  script:
    - npm audit
    - safety check
  after_script:
    - echo "AI suggested these packages - verify each"

3. Review Credential Handling

Check AI code for:

Hardcoded credentials
Exposed secrets
Insecure storage
Logging sensitive data

4. Validate Input Handling

Verify AI code:

Input validation
SQL injection prevention
XSS prevention
CSRF protection

5. Use AI for Security Analysis

Leverage AI to:

Identify vulnerabilities
Suggest remediation
Explain security issues
Review security patterns

Performance Considerations

1. Profile AI-Generated Code

import cProfile

# Profile AI-generated function
cProfile.run('ai_generated_function()')

# Check for:
# - Unnecessary loops
# - N+1 queries
# - Memory leaks
# - Blocking operations

2. Optimize Algorithms

AI may generate:

O(nÂ²) when O(n log n) possible
Redundant database queries
Inefficient data structures

Always:

Analyze complexity
Review database queries
Check memory usage
Load test

3. Use AI for Optimization

Good use of AI:

Prompt: "This function takes 5 seconds for 10,000 items.
Optimize for better performance.

Current implementation:
[paste code]

Requirements:
- Same output
- Better than O(nÂ²)
- Consider caching"

Cost Management

1. Monitor Usage

Track metrics:

Tokens per month
Cost per feature
Most expensive operations
Team-wide usage

Dashboard example:

January 2026 Usage:

Code Suggestions: $234 (2.4M tokens)
Chat: $156 (1.6M tokens)
Flows: $256 (2.1M tokens)

Total: $646

Trends:
- Up 12% from December
- Software Dev Flow most used
- Chat usage growing

Recommendations:
- Optimize prompts (save ~10%)
- Cache common queries (save ~15%)

2. Optimize Token Usage

Reduce costs by:

Caching responses
Batching requests
Using smaller models when appropriate
Limiting context size
Setting usage limits

Example:

# Cache expensive operations
@lru_cache(maxsize=1000)
def get_code_explanation(code_hash: str):
    return duo.chat.send(f"Explain: {code}")

# Use smaller model for simple tasks
if task == "simple_formatting":
    model = "claude-haiku"  # Cheaper
else:
    model = "claude-sonnet-4"  # More capable

3. Set Budget Alerts

# .gitlab/duo_config.yml
budget:
  monthly_limit: 1000  # USD
  alerts:
    - threshold: 70%
      notify: team-lead@company.com
    - threshold: 90%
      notify: director@company.com
  actions:
    at_100%: disable_non_critical_features

4. Choose Right Model for Task

Model Selection Strategy:

Task	Model	Cost	Rationale
Code completion	Claude Haiku	Low	Fast, simple task
Code explanation	Claude Sonnet	Medium	Balanced
Complex refactoring	Claude Sonnet 4	High	Worth the cost
Simple formatting	Claude Haiku	Low	Overkill otherwise
Security analysis	Claude Sonnet 4	High	Critical accuracy

Privacy and Compliance

1. Data Handling

What GitLab Duo accesses:

Code in current context
File structure
Commit history (limited)
Issue/MR descriptions

What it does NOT access:

Full repository history
Other projects
Secrets (unless committed)
User personal data

2. Self-Hosted for Sensitive Data

Use GitLab Duo Self-Hosted for:

Regulated industries (healthcare, finance)
Government projects
Proprietary algorithms
Customer data processing

Benefits:

Complete data control
No external API calls
Air-gapped deployments
Full audit logs

3. Compliance Considerations

GDPR:

duo:
  data_retention: 30_days
  pii_detection: enabled
  data_processing_agreement: signed

HIPAA:

duo:
  deployment: self_hosted
  audit_logging: comprehensive
  encryption: at_rest_and_transit
  access_controls: role_based

SOC 2:

duo:
  change_management: documented
  access_reviews: quarterly
  incident_response: defined
  vendor_assessment: completed

4. Code Ownership

Clarify:

AI-generated code ownership
License compatibility
Attribution requirements
Commercial use rights

Best practice:

"""
Module: user_authentication.py
Generated with: GitLab Duo (reviewed and modified)
License: MIT
Copyright: Your Company
"""

Team Adoption

1. Incremental Rollout

Phase 1: Limited Pilot (Week 1-2)

Team: 2-3 developers
Scope: Non-critical features
Goal: Learn and provide feedback

Phase 2: Team Expansion (Week 3-4)

Team: Full development team
Scope: Most development work
Goal: Establish patterns and practices

Phase 3: Organization-Wide (Week 5+)

Team: All technical staff
Scope: All suitable use cases
Goal: Maximize value and efficiency

2. Training and Guidelines

Provide:

Hands-on workshops
Documentation and examples
Best practices guide (this document)
Regular feedback sessions

Topics:

When to use AI
Effective prompting
Code review process
Security considerations
Cost awareness

3. Measure Impact

Track metrics:

Time saved per developer
Code quality improvements
Bug detection rate
Developer satisfaction
Productivity gains

Example metrics:

3-Month Impact Report:

Time Savings:
- Issue writing: 60% faster (20 min  8 min)
- Code generation: 40% faster
- Test creation: 70% faster
- Bug investigation: 50% faster

Quality:
- Code review issues: -25%
- Security vulnerabilities: -30%
- Test coverage: +15%

Satisfaction:
- Developer NPS: +22 points
- "Would recommend": 92%

4. Create Feedback Loop

Collect feedback on:

Suggestion accuracy
Chat helpfulness
Flow effectiveness
Pain points
Feature requests

Action on feedback:

feedback:
  collection:
    - In-IDE thumbs up/down
    - Weekly survey
    - Monthly retrospective

  actions:
    - Refine prompts
    - Adjust models
    - Update documentation
    - Report issues to GitLab

Testing AI-Generated Code

1. Always Test Thoroughly

Required tests:

# AI-generated function
def calculate_tax(amount: float, rate: float) -> float:
    """Calculate tax on amount"""
    return amount * rate

# Required tests (even for simple code)
def test_calculate_tax_standard():
    assert calculate_tax(100, 0.1) == 10

def test_calculate_tax_zero_amount():
    assert calculate_tax(0, 0.1) == 0

def test_calculate_tax_zero_rate():
    assert calculate_tax(100, 0) == 0

def test_calculate_tax_negative():
    # AI might not handle this
    with pytest.raises(ValueError):
        calculate_tax(-100, 0.1)

def test_calculate_tax_large_numbers():
    # Check for overflow
    result = calculate_tax(1e10, 0.1)
    assert result == 1e9

def test_calculate_tax_precision():
    # Floating point precision
    result = calculate_tax(0.1, 0.1)
    assert abs(result - 0.01) < 1e-10

2. Test Edge Cases

AI often misses:

Boundary conditions
Null/empty inputs
Concurrent access
Error conditions
Performance at scale

3. Integration Testing

Test AI code with:

Real database
External APIs
Production-like data
Concurrent users
Network failures

4. Property-Based Testing

from hypothesis import given, strategies as st

# Test AI-generated sorting function
@given(st.lists(st.integers()))
def test_sort_property(input_list):
    result = ai_generated_sort(input_list)

    # Properties that must hold
    assert len(result) == len(input_list)
    assert sorted(result) == result
    assert set(result) == set(input_list)

Maintenance and Evolution

1. Document AI Usage

"""
Module: user_service.py

AI Assistance:
- Initial implementation: GitLab Duo (2026-01-08)
- Refactoring: GitLab Duo (2026-01-15)
- Bug fixes: Manual (2026-01-20)

Last reviewed: 2026-01-20
Review required: Before major changes
"""

2. Regular Review

Schedule reviews:

AI-generated code: Every 3 months
Security-sensitive: Every month
Performance-critical: Every 2 months

3. Update as Patterns Emerge

When you notice:

Common AI mistakes
Better prompts
New patterns

Update:

Team documentation
Code templates
Custom agents
Flow definitions

4. Evolve with GitLab Duo

Stay current:

Review GitLab release notes
Test new AI features
Update practices
Share learnings

Common Pitfalls

1. Over-Reliance on AI

Symptom: Not reviewing AI suggestions

Solution:

Always review generated code
Understand what code does
Test thoroughly
Maintain critical thinking

2. Poor Prompts

Symptom: Irrelevant suggestions

Solution:

Be specific
Provide context
Iterate on prompts
Learn from good results

3. Ignoring Security

Symptom: Deploying AI code without review

Solution:

Security review required
Additional scanning
Penetration testing
Compliance verification

4. No Testing

Symptom: Trusting AI-generated code

Solution:

Write comprehensive tests
Test edge cases
Integration testing
Property-based testing

5. Cost Overruns

Symptom: Unexpected high bills

Solution:

Set budget alerts
Monitor usage
Optimize prompts
Choose appropriate models

Success Stories

Example 1: 70% Faster Feature Development

Scenario: Authentication system

AI generated boilerplate: 2 hours saved
AI created tests: 3 hours saved
AI documentation: 1 hour saved
Total: 6 hours saved (70% faster)

Keys to success:

Clear requirements
Good prompts
Thorough review
Comprehensive testing

Example 2: Security Vulnerability Prevention

Scenario: Payment processing

AI identified SQL injection risk
AI suggested parameterized queries
AI generated security tests
Vulnerability prevented before review

Keys to success:

Security-focused review
Additional scanning
Expert validation

Example 3: Legacy Code Modernization

Scenario: 10-year-old Python 2 codebase

AI migrated to Python 3
AI added type hints
AI modernized patterns
20,000 lines modernized in 2 weeks

Keys to success:

Incremental approach
Extensive testing
Manual review
Gradual rollout

Continuous Improvement

Create:

Internal blog posts
Team showcases
Pattern library
Prompt collection

2. Measure and Iterate

Track:

What works well
What doesn't work
Cost vs. value
Team satisfaction

3. Contribute Back

To GitLab:

Report bugs
Suggest features
Share use cases
Contribute to documentation

4. Stay Informed

Follow:

GitLab release notes
AI/ML research
Industry best practices
Security advisories

Conclusion

GitLab Duo is a powerful tool that can significantly accelerate development when used correctly. Key principles:

Use AI as Assistant, Not Replacement
- Review all generated code
- Maintain critical thinking
- Verify correctness
Prioritize Security and Quality
- Security review required
- Comprehensive testing
- Performance validation
Manage Costs
- Monitor usage
- Optimize prompts
- Choose appropriate models
Maintain Privacy
- Understand data handling
- Use self-hosted when needed
- Comply with regulations
Evolve Practices
- Learn from experience
- Share knowledge
- Stay current

Additional Resources

Overview - GitLab Duo features
Code Assistance - Code generation
CI/CD AI - Pipeline automation
Security AI - Security features
Planning AI - Project planning
Agents - Agent Platform
API - API integration

Feedback

Have questions or suggestions for these best practices? Contact the GitLab Duo team or your local AI champion.

Last Updated: 2026-01-08 Next Review: 2026-04-08