DevOps Platform Updates
scanned 108d ago7Latest announcements and changes from GitHub, GitLab, Azure DevOps, Bitbucket, and Atlassian.
GitLab Patches 15 Security Vulnerabilities Including Critical XSS
GitLab released versions 18.9.2, 18.8.6, and 18.7.6 fixing 15 vulnerabilities. The most severe is CVE-2026-1090, a high-severity XSS flaw (CVSS 8.7) in Markdown placeholder processing that allows authenticated JavaScript injection. Three additional high-severity DoS bugs (CVSS 7.5) affect the GraphQL API, repository archive endpoints, and protected branches API — all exploitable by unauthenticated attackers. Self-managed instances must upgrade immediately.
Azure DevOps Blocks Global PAT Creation Starting Today
As of March 15, 2026, Azure DevOps blocks creation and regeneration of global Personal Access Tokens. All existing global PATs will be fully decommissioned on December 1, 2026. Global PATs grant access across all organizations a user belongs to, creating overly broad credentials. Any Veeam integration using Azure DevOps global PATs must transition to organization-scoped PATs or Microsoft Entra-based authentication before December.
Atlassian OAuth 1.0 and Implicit Grant Flows Permanently Disabled
After the brownout schedule completed on March 14, 2026, Atlassian has permanently disabled OAuth 1.0 and implicit grant flows. Existing access tokens created via these flows will no longer work. All integrations with Jira, Confluence, and Bitbucket Cloud must use supported OAuth 2.0 flows. This is a breaking change for any legacy Veeam connectors still using OAuth 1.0 authentication against Atlassian Cloud APIs.
GitHub REST API Version 2026-03-10 Now Available
GitHub released REST API version 2026-03-10 with potential breaking changes. Integrators must update the X-GitHub-Api-Version header and verify their integrations work with the new version. Any Veeam integrations consuming GitHub REST APIs for repository backup or metadata protection should review the version documentation for breaking changes before upgrading.
GitHub Secret Scanning Adds 28 New Provider Detectors
GitHub's March 2026 secret scanning update adds 28 new secret detectors covering 15 providers including Lark, Vercel, Snowflake, and Supabase. Additionally, 39 detectors now have push protection enabled by default, covering Airtable, Databricks, Heroku, PostHog, and Shopify. This expands the surface of secrets GitHub can detect in repositories — relevant for DevOps data protection posture monitoring.
GitHub Actions Self-Hosted Runner Version Enforcement Paused
GitHub temporarily paused enforcement of the v2.329.0 minimum version requirement for self-hosted runners, originally scheduled for March 16, 2026. Runners below v2.329.0 can still register during this period. An updated timeline will be published in coming weeks. Teams should still upgrade runners to v2.329.0 or later, as enforcement will resume.
Azure DevOps Adds Push Protection Bypass Audit Logging
Azure DevOps Sprint 270 introduces audit log entries when developers bypass push protection to push detected secrets. The audit log records the repository, secret type, and bypassing user identity. This gives security teams a complete record of bypass activity for incident investigation and policy enforcement — useful context for compliance and data protection auditing.