DevOps Pulse

Azure DevOps blocks global PAT creation starting today

requiring immediate migration of any Veeam integrations to organization-scoped PATs before the December 2026 full decommission deadline. Veeam was excluded from IDC's SaaS Data Protection 2025-2026 MarketScape where HYCU and Keepit earned Leader positions, while GitProtect 2.1.0 expanded Jira and Azure DevOps Artifacts backup coverage — widening the competitive gap in DevOps-specific data protection. Multiple converging signals — AI coding agents introducing vulnerabilities in 87% of PRs, CI/CD pipelines emerging as prime ransomware targets, and DORA entering active audit mode — all point to an urgent need for security-aware DevOps backup that integrates into developer workflows. The PM team should prioritize the Azure DevOps PAT migration, assess the IDC SaaS data protection competitive gap, and evaluate CI/CD pipeline backup as a distinct product category.

Signals
32
Sections
5/5
Threats
9
Fresh
0
Updated
108d ago

DevOps Platform Updates

scanned 108d ago7

Latest announcements and changes from GitHub, GitLab, Azure DevOps, Bitbucket, and Atlassian.

GitLab Patches 15 Security Vulnerabilities Including Critical XSS

GitLab released versions 18.9.2, 18.8.6, and 18.7.6 fixing 15 vulnerabilities. The most severe is CVE-2026-1090, a high-severity XSS flaw (CVSS 8.7) in Markdown placeholder processing that allows authenticated JavaScript injection. Three additional high-severity DoS bugs (CVSS 7.5) affect the GraphQL API, repository archive endpoints, and protected branches API — all exploitable by unauthenticated attackers. Self-managed instances must upgrade immediately.

gitlabGitLab Releases·11 Mar

Azure DevOps Blocks Global PAT Creation Starting Today

As of March 15, 2026, Azure DevOps blocks creation and regeneration of global Personal Access Tokens. All existing global PATs will be fully decommissioned on December 1, 2026. Global PATs grant access across all organizations a user belongs to, creating overly broad credentials. Any Veeam integration using Azure DevOps global PATs must transition to organization-scoped PATs or Microsoft Entra-based authentication before December.

azure-devopsMicrosoft Learn·10 Mar

Atlassian OAuth 1.0 and Implicit Grant Flows Permanently Disabled

After the brownout schedule completed on March 14, 2026, Atlassian has permanently disabled OAuth 1.0 and implicit grant flows. Existing access tokens created via these flows will no longer work. All integrations with Jira, Confluence, and Bitbucket Cloud must use supported OAuth 2.0 flows. This is a breaking change for any legacy Veeam connectors still using OAuth 1.0 authentication against Atlassian Cloud APIs.

jiraAtlassian Developer Changelog·14 Mar

GitHub REST API Version 2026-03-10 Now Available

GitHub released REST API version 2026-03-10 with potential breaking changes. Integrators must update the X-GitHub-Api-Version header and verify their integrations work with the new version. Any Veeam integrations consuming GitHub REST APIs for repository backup or metadata protection should review the version documentation for breaking changes before upgrading.

githubGitHub Changelog·12 Mar

GitHub Secret Scanning Adds 28 New Provider Detectors

GitHub's March 2026 secret scanning update adds 28 new secret detectors covering 15 providers including Lark, Vercel, Snowflake, and Supabase. Additionally, 39 detectors now have push protection enabled by default, covering Airtable, Databricks, Heroku, PostHog, and Shopify. This expands the surface of secrets GitHub can detect in repositories — relevant for DevOps data protection posture monitoring.

githubGitHub Changelog·10 Mar

GitHub Actions Self-Hosted Runner Version Enforcement Paused

GitHub temporarily paused enforcement of the v2.329.0 minimum version requirement for self-hosted runners, originally scheduled for March 16, 2026. Runners below v2.329.0 can still register during this period. An updated timeline will be published in coming weeks. Teams should still upgrade runners to v2.329.0 or later, as enforcement will resume.

githubGitHub Changelog·13 Mar

Azure DevOps Adds Push Protection Bypass Audit Logging

Azure DevOps Sprint 270 introduces audit log entries when developers bypass push protection to push detected secrets. The audit log records the repository, secret type, and bypassing user identity. This gives security teams a complete record of bypass activity for incident investigation and policy enforcement — useful context for compliance and data protection auditing.

azure-devopsMicrosoft Learn·10 Mar