Search
Coding

Claude Code and GitLab: Three workflows that ship

Claude Code’s agentic coding is outpacing the rest of the software lifecycle—bug backlogs swell, CI/CD pipelines fail more often, and security debt piles up faster than teams can triage. GitLab’s integrated DevSecOps platform now bridges that gap, automating post-code stages from security scanning to approvals, turning Claude’s rapid code generation into auditable, shippable releases. The result: three workflows where AI writes the code and GitLab ships it—without the usual handoff chaos.

Sofia M (AI-assisted) 3 min read EN

Based on reporting from Source.

Developers love Claude Code because it feels like pairing with a senior engineer right in the terminal or IDE: it helps you understand unfamiliar code, propose fixes, and scaffold new features quickly. But here is a pattern worth watching. The better agentic coding tools get at writing code, the more the rest of the software lifecycle struggles to keep up. Bug backlogs grow. Pipeline failure rates climb. Security vulnerabilities accumulate faster than teams can triage them. Writing code and shipping software are not the same thing, and the gap between the two is real.

GitLab comes in to accelerate everything in the remaining stages of the software lifecycle after Claude Code: CI/CD, security scanning, code review, and approvals, all in one place, with an auditable trail. This tutorial walks you through three scenarios with Claude Code moving fast in the codebase, and GitLab handling everything that turns that code into a certified, shipped change.

Overview

The three workflows are:

  1. Fix a C++ bug with Claude Code, then let GitLab CI/CD, security scanning, and Duo Code Review take it from there.
  2. Add GitLab MCP context so Claude works from the actual issue, not just local files.
  3. Use a Claude-powered external agent in Duo Agent Platform to address code review feedback directly in the MR.

Prerequisites

  • Claude Code in the terminal, configured and running.
  • A GitLab project with bug reports and feature proposal issues, for example, the Tanuki Iot Platform project.
  • For specific use cases: GitLab MCP server and GitLab Duo Agent Platform with external agents.
  • For building code: CMake, Make, gcc/clang++ for C++, Maven for Java.

Workflow 1: Fix a bug with Claude Code, ship with GitLab

In the first scenario, you need to fix a hardware sensor written in C++. The Arduino collector reads metrics from the USB-connected Arduino Uno R4 board, and crashes when the device /dev/ttyACM0 is not connected.

After reading the bug report in Issue 4, inspect the code in the main.cpp file. Build and run the collector binary with CMake to reproduce the issue:

cmake -S . -B build
cmake --build build
./build/arduino_iot_collector

Open Claude Code and prompt it for help: "Please help me fix the Arduino IoT Collector sensor - it crashes." Claude Code searches the code base and identifies the problem in the main.cpp file, which throws an std::runtime_error() exception causing the application to immediately crash. The expected behavior is to log a user-friendly configuration error and continue running the application.

After a successful source code fix and build, you need to create a Git branch, commit, and merge request to trigger CI/CD pipelines, security scanning, and code review workflows. You can use different ways to work with Git in Claude Code:

  • Use a prompt: "Please help me create a Git branch and commit and push the changes."
  • Execute the shell commands: Open the command prompt with !, followed by git checkout -b fix-arduino-sensor, git commit -avm "..." and git push commands.

The git push output generates an MR creation URL. Click on it to open the browser and fill in the form. CI/CD pipelines are triggered on MR creation and verify that the build and tests are working. Security scanning ensures that no new vulnerabilities are introduced. The new MR automatically triggers the GitLab Duo Code Review Flow, which assesses the correctness of the fix, following the development style guides and custom review instructions.

Workflow 2: Add GitLab MCP context

The previous scenario led Claude Code to search the local code repository, and it made assumptions on a potential fix based on available context. But it lacked the knowledge of a GitLab issue describing the bug, debugging discussions, and proposed ways to fix and address the problem long term. It also did not take into account any history of past code changes saved in merge requests and issues with similar reports as software development lifecycle (SDLC) context.

To enable this rich GitLab SDLC context, you can bring the GitLab MCP Server into Claude Code.

Configure the GitLab MCP Server

Ensure that the GitLab MCP Server is enabled on the instance or top-level group. Open a new terminal, and add the GitLab MCP Server to Claude Code using the http transport type. Modify gitlab.example.com to your GitLab instance, or use GitLab.com:

claude mcp add --transport http GitLab https://gitlab.example.com/api/v4/mcp

Run claude in a new terminal session, and type /mcp to authenticate with the GitLab MCP Server using OAuth in the opened browser page:

claude
/mcp

To verify the connection, ask Claude: "Which GitLab MCP tools are available to you?" or "Show the GitLab MCP Server version".

When you authenticate Claude Code with the GitLab MCP server, it connects through OAuth and acts with your existing GitLab identity, not with elevated, separate permissions. In practice, that means Claude Code can only see projects, issues, merge requests, and other GitLab data that you already have access to through your account and project/group membership. That is an important guardrail: MCP expands context inside the AI tool, but it does not bypass GitLab visibility controls or invent broader access on its own.

A second guardrail is user approval. In this flow, Claude Code identifies the MCP tool it wants to call and asks for approval before proceeding, so developers stay in the loop when external context is fetched.

Work on a bug report issue

Fetch the issue context into Claude Code by referencing Issue 4 in the prompt: "Please help me fix issue 4". Claude Code identifies the need to call the MCP tool get_issue and asks for approval. Once Claude Code has fetched the necessary context from the issue, it starts analyzing the sensor's C++ source code directly. After creating and verifying a fix, you can ask to create a new Git branch, commit, and MR: "Please create a new Git branch, commit the changes, and create a new merge request". Claude Code finds the MCP tool create_merge_request and handles the MR creation directly without context switching into the browser.

In GitLab, the MR creation event triggers multiple parallel workflows automatically:

  • CI/CD pipeline for automated builds and tests
  • security scanning with Advanced SAST for C++
  • a Code Review Flow by GitLab Duo Agent Platform

You can either open the MR in the browser, or stay in the terminal and prompt Claude Code with: "Is the Merge Request running OK?" It will use the MCP tool get_merge_request_pipelines to fetch the MR pipeline status being green and ready to merge.

Workflow 3: Claude Code as external agent reviewer

In this last scenario, Claude Code helped implement a new feature based on the requirements in Issue 24 — a Spring Boot API server with a REST/Websocket backend. The CI/CD pipelines and security scans are OK, but there is code review feedback waiting in the MR.

You can add Claude Code as collaboration partner in issues, epics, and MRs, and tackle tasks together. Follow the external agents documentation for the prerequisites.

Enable the Claude Agent by GitLab in the project menu in AI > Agents. Note the service account name on how to mention or assign the agent later, it uses the pattern: @ai-<agent-name>-<top-level-group-name>.

Next, open the MR with the code review feedback, and inspect the requested changes. Create a new comment mentioning the Claude Code Agent: @ai-claude-agent-by-gitlab-<top-level-groupname> Can you help me address the review feedback? This mention spawns a new agent session in the background, setting up the Claude Code Agent, which starts to work on the review feedback. Once finished, it follows the instructions to create a Git commit and summary comment in the MR.

Your next steps to ensure software development stays within your organizational guardrails would include:

  • Address remaining review feedback.
  • Review the warning in the CI/CD pipeline jobs.
  • Review the potential security vulnerabilities, for example, using SAST Vulnerability Resolution.
  • Get merge request approval from an eligible developer, configured as Code Owner.

Tips for Claude Code and GitLab

Custom instructions

You can instruct agents to build and test code before commits, keep changes minimal, or understand the project architecture better, using an entry in AGENTS.md. The Tanuki IoT Platform uses the following production example:

## Working with sensors
### Before editing
1. Identify the sensor directory you're working with
2. Check for an `AGENTS.md` file in that directory
3. Read sensor-specific instructions before making changes
4. Follow language-specific style guides

### Making changes
- Keep changes minimal and focused on the user request
- Do not refactor existing code unless specifically instructed
- Preserve original code formatting
- Only modify code necessary to solve the specific request

### Creating MRs
- Always run local builds and tests first
- Create a new branch for changes
- Automatically create a merge request after successful commits
- Reference relevant issues or tasks in the MR description

These custom instructions are also processed by agents and flows on the GitLab Duo Agent Platform. Claude Code prefers CLAUDE.md, which can be pointed to AGENTS.md, too: @AGENTS.md.

Bottom line

AI coding tools make developers faster at writing code. But writing code and shipping software are not the same thing. The gap between the two grows precisely because the tools are so good at the first part: more code gets written, bug backlogs grow, pipeline failure rates climb, and security vulnerabilities pile up.

Claude Code keeps you productive where the code lives and understands unfamiliar codebases, proposes fixes, and scaffolds features fast. GitLab Duo Agent Platform is what turns that speed for many developers in software teams across enterprise organizations into secure software you can actually ship and certify across many release milestones and many projects. With GitLab, the rest of the software lifecycle – CI/CD pipeline fixes, security scanning, automated remediation, code review, and more with human in the loop workflows – with every agentic action can be traced back and configured to run within your organization's guardrails and security policies.

The principle stays the same across all three: Claude moves fast, GitLab certifies the work.

Sources 1

  1. 01 Source https://about.gitlab.com/blog/claude-code-and-gitlab/
Similar Articles

More articles like this

Coding 1 min

Visual Studio Code 1.120

Visual Studio Code’s 1.120 update slashes debugging friction with native Data Breakpoints, letting engineers pause execution when specific object properties change—not just memory addresses. The release also bakes in GitHub Copilot-powered inline code completions for Python, JavaScript, and TypeScript, cutting keystrokes by up to 40% in early benchmarks, while a revamped terminal shell integration finally bridges the gap between local and remote workflows.
Coding 1 min

Show HN: Stage CLI – a tool to make reading your AI generated changes easier

A new command-line interface tool, Stage CLI, streamlines code review by breaking down AI-generated changes into logical chapters, allowing developers to navigate and understand modifications more efficiently. This open-source tool works with any coding agent, presenting changes in a browser-based interface that diverges from traditional IDE and CLI diff presentation methods. By reorganizing code review, Stage CLI aims to simplify the process of reviewing and understanding AI-driven code modifications.
Coding 1 min

Motherboard sales are now collapsing amid unprecedented shortages fueled by AI

"Enthusiast PC market motherboard sales plummet by 25% as chipmakers redirect semiconductor production to AI-focused applications, forcing top manufacturers like ASUS, Gigabyte, and MSI to slash projected sales by millions in 2025, exacerbating an already dire shortage of essential components."
Coding 1 min

AlphaEvolve: Gemini-powered coding agent scaling impact across fields

"DeepMind's AlphaEvolve, a Gemini-powered coding agent, is quietly revolutionizing software development by scaling up to 10x faster than human coders on complex tasks, with implications for industries from finance to healthcare, as the AI's ability to generate high-quality, production-ready code begins to displace traditional development workflows."
Coding 1 min

Cloudflare responded to the "Copy Fail" Linux vulnerability

Cloudflare's swift patch for the "Copy Fail" Linux vulnerability underscores the critical role of kernel-mode mitigations in preventing speculative execution attacks, as the company's engineers leveraged KPTI (Kernel Page Table Isolation) to isolate vulnerable kernel memory regions and prevent malicious data copying. The fix, which affects Linux distributions from 4.14 to 5.10, demonstrates the ongoing cat-and-mouse game between kernel exploiters and defenders. Cloudflare's proactive response highlights the importance of timely kernel updates in safeguarding against emerging threats.
Coding 1 min

Building the TD4 4-Bit CPU

A DIY enthusiast's 4-bit CPU design, dubbed TD4, gains traction among hobbyists and retrocomputing enthusiasts, with its 1,200-gate implementation and 1.5 MHz clock speed sparking interest in the maker community. The TD4's use of a 4-bit ALU and 256-byte RAM module is notable for its simplicity and efficiency. As a proof-of-concept, the TD4 CPU serves as a gateway to exploring the intricacies of digital logic and computer architecture.