« Blog Home

How LiteLLM Helps GitLab Users Standardize, Secure and Control AI Usage

GitLab is rapidly adding AI features such as GitLab Duo, AI Gateway and AI‑powered CI/CD flows, but many organizations still struggle with fragmented model usage, unclear costs and compliance concerns.

LiteLLM can act as the missing “AI gateway” layer for GitLab, giving you a single place to standardize LLM access, enforce security and track spend across all teams.

What Is LiteLLM and Why GitLab Users Should Care

LiteLLM is an open‑source AI gateway and proxy that exposes a single OpenAI‑compatible API in front of 100+ LLM providers and self‑hosted backends such as OpenAI, Azure OpenAI, Anthropic, Amazon Bedrock, Gemini, vLLM and others.
Instead of wiring each GitLab integration directly to a specific vendor SDK, you route everything through LiteLLM and let it handle provider differences, routing, logging and cost calculation.

For GitLab users, this means you can treat LiteLLM as the “control plane” for all AI usage coming from GitLab Duo, AI Gateway and GitLab CI/CD pipelines.
You gain a single point to enforce policies, observe traffic and change underlying models without touching your GitLab jobs or Duo configuration.

Architecture: LiteLLM as AI Gateway for GitLab

GitLab Duo Self‑Hosted and “bring your own model” (BYOM) scenarios rely on an AI Gateway component that talks to LLM providers through an OpenAI‑style API, including self‑hosted or private models exposed via compatible endpoints.
GitLab’s documentation explicitly notes that the AI Gateway can support multiple LLM platforms through LiteLLM, which makes LiteLLM a natural fit as the gateway behind Duo for self‑managed and air‑gapped environments.

At a high level, the architecture looks like this:

  • GitLab (Duo features, Chat, Code Suggestions, Workflows) sends AI requests to the AI Gateway.
  • The AI Gateway forwards these calls to LiteLLM via an OpenAI‑compatible endpoint.
  • LiteLLM routes the call to your chosen provider or self‑hosted model, logs usage and cost, and returns the response back to GitLab.

The same LiteLLM endpoint can also be called from GitLab CI jobs, internal tools and other services, so you standardize AI access across your whole GitLab‑centric toolchain.

Use Case 1: Bring Your Own Models for GitLab Duo

GitLab Duo Self‑Hosted allows you to connect GitLab to self‑managed models (for example on‑premises or private‑cloud deployments) via the AI Gateway and “self‑hosted models” configuration.
These models must be exposed via an OpenAI‑compatible API, which is exactly what LiteLLM provides on top of different backends such as vLLM, Ollama or cloud providers

A common pattern for GitLab customers is:

  • Run LiteLLM as a proxy inside Kubernetes or on a VM next to GitLab.
  • Configure several backends in litellm_config.yaml – for example, a powerful cloud model for chat, a fast local code‑model for completions, and a smaller model for highly regulated data
  • Expose each backend as an OpenAI‑compatible “model” name via LiteLLM.
  • Register these models in GitLab as self‑hosted or compatible models and assign them to Duo features (Chat, Code Suggestions, Explain this code and so on).

The advantage: GitLab only needs to know about LiteLLM’s endpoint and model names, while your platform team remains free to change providers, move workloads between clusters, or add new models behind LiteLLM without changing Duo settings or application code.

Use Case 2: Cost and Usage Tracking for GitLab AI

One of LiteLLM’s strongest features is built‑in usage and cost tracking, using a PostgreSQL database and a web UI to analyze spend by provider, model, user, API key or custom tags.
LiteLLM calculates per‑request cost using token usage returned by providers and stores it with rich metadata in its LiteLLM_SpendLogs and related tables.

For GitLab, this enables practical FinOps scenarios:

  • Tag every request from GitLab with metadata such as group, project, CI job name or environment.
    This lets you answer questions like “which GitLab groups are generating the most Duo spend?” or “how much do our AI‑powered CI jobs cost per month?”.
  • Use LiteLLM’s virtual API keys, organizations and budgets to set hard or soft spending limits per team, per environment, or per integration (for example separate keys for staging vs production GitLab Runners).
  • Explore usage in the LiteLLM web UI at /ui or via its APIs (for example /user/daily/activity) to track trends over time and detect anomalies or cost spikes.

Combined with GitLab’s own usage insights and audit event streaming, LiteLLM gives you a much clearer picture of real AI costs across GitLab than provider dashboards alone.

Use Case 3: AI‑Powered CI/CD Pipelines Without Lock‑In

Because LiteLLM exposes an OpenAI‑compatible API, any CI job that knows how to call the OpenAI API can immediately work with whatever models you route through LiteLLM, including self‑hosted vLLM or cloud providers.
In practice this means a single reusable .gitlab-ci.yml template can survive provider changes for years – you only update LiteLLM configuration, not all your pipelines.

Example: AI Review Job in GitLab CI

Below is a simplified example of a GitLab CI job that sends diffs to LiteLLM for an “AI review” comment, using environment variables for the LiteLLM base URL and key:

ai_review:
  image: python:3.12-slim
  stage: test
  variables:
    OPENAI_API_BASE: "https://litellm.internal/v1"
    OPENAI_API_KEY: "${LITELLM_VIRTUAL_KEY}"
    MODEL_NAME: "gpt-4-enterprise"  # Logical model name exposed by LiteLLM
  script:
    - pip install openai==1.30.0
    - git diff HEAD~1 HEAD > diff.patch
    - python scripts/ai_review.py diff.patch
  rules:
    - if: '$CI_MERGE_REQUEST_IID'

In scripts/ai_review.py you use the standard OpenAI client, and you can later switch the underlying model (for example to a self‑hosted Codestral or Llama deployment) just by changing LiteLLM’s configuration, not this job.
The same pattern works for generating test data, summarizing release notes, refactoring code snippets and many other AI‑powered pipeline steps.

Use Case 4: Air‑Gapped and Regulated GitLab Environments

Many GitLab customers (especially in government, defense, healthcare and finance) run self‑managed GitLab in air‑gapped networks or under very strict data‑residency rules.
GitLab Duo Self‑Hosted and AI Gateway are designed to support these cases by talking only to internal or private endpoints that you control.

LiteLLM can be deployed entirely inside the same restricted network, routing to self‑hosted model servers and exposing a local OpenAI‑compatible endpoint that never reaches the public internet.
GitLab only sees the AI Gateway URL, which you point at LiteLLM; from there your platform team decides which models are allowed, where they run and which projects or groups can access them.

This architecture lets you:

  • Keep all prompts and completions on‑premises while still using GitLab Duo and AI‑enhanced CI/CD.
  • Restrict regulated projects to specific models and hardware that have been risk‑assessed and approved.
  • Integrate LiteLLM’s logs with your SIEM, so AI usage is auditable like any other critical service.

Use Case 5: Hardening Your AI Gateway and Supply Chain

Running an AI gateway inside your GitLab environment also introduces a new component into your software supply chain, so hardening it is essential.
LiteLLM’s recent CI/CD improvements include signed container images (for example using Cosign), more secure defaults and clearer guidance on what is stored in its PostgreSQL database.

For GitLab users, this aligns well with existing DevSecOps practices:

  • Verify LiteLLM container signatures in your GitLab CI deploy jobs before promoting to production.
  • Control which secrets LiteLLM can access, and store all API keys in GitLab’s secure variables or a dedicated secrets manager.
  • Monitor LiteLLM’s database tables such as budgets, organizations and spend logs as part of your regular security reviews.

Combined with GitLab’s own security scanners and audit capabilities, LiteLLM becomes a transparent and auditable part of your AI infrastructure rather than a black box.

How to Start Experimenting in Your GitLab Environment

If you want to experiment before committing to a full rollout, a practical starting path is:

  1. Deploy LiteLLM with PostgreSQL in a non‑production environment and enable its web UI for basic usage and cost dashboards.
  2. Expose a single test model via LiteLLM (for example one OpenAI or Azure OpenAI model) and connect it to GitLab’s AI Gateway in a test instance.
  3. Add a small AI‑powered CI job (for example generating release‑notes summaries) using LiteLLM’s endpoint and one virtual API key per project.
  4. Review usage and costs in LiteLLM’s UI, adjust budgets and tags, and then expand to more models and projects once you are comfortable.

This phased approach lets you build experience and governance practices around LiteLLM and GitLab together, instead of introducing AI in an ad‑hoc way across separate teams.

Summary: LiteLLM as the Control Plane for GitLab AI

For GitLab‑centric organizations, LiteLLM is much more than a convenience wrapper around different LLM providers.
It can become the control plane for all AI usage coming from GitLab Duo, AI Gateway, CI/CD pipelines and internal tools – giving you standardized APIs, cost visibility, stronger security and flexibility to change models without rewriting code.

If you are planning or already running GitLab Duo Self‑Hosted, or if you want to add AI safely into GitLab CI/CD, adding LiteLLM into your architecture is worth serious consideration.
It fits naturally into a DevSecOps mindset and can help you keep AI both under control and delivering measurable value to your teams.

If you need help evaluating LiteLLM, GitLab Duo or self‑hosted AI architectures for your organization, feel free to contact us at ALM Toolbox – we specialize in GitLab, DevOps, AI Infrastructures and DevSecOps solutions.

    * Full Name

    * Work Email

    * Are you using any AI tools today? What tools?

      * Full Name

      * Work Email

      Are you using any SCA solution? Which one?

        * Full Name

        * Work Email

        * Are you using OpenProject?

        Do you have any questions you'd like to ask before the webinar?

          * Full Name

          * Work Email

          * Are you using any Secrets Management solution? Which one?