DevOps Platform Updates
Latest announcements and changes from GitHub, GitLab, Azure DevOps, Bitbucket, and Atlassian.
GitLab Patches 15 Security Vulnerabilities Including Critical XSS
GitLab released versions 18.9.2, 18.8.6, and 18.7.6, fixing 15 vulnerabilities. The most severe is CVE-2026-1090, a high-severity XSS flaw (CVSS 8.7) in Markdown placeholder processing. The release also fixes three DoS bugs (CVSS 7.5) affecting the GraphQL API, repository archives, and the protected branches API. Self-managed instances require immediate upgrade; GitLab.com and Dedicated are already patched.
GitHub Actions OIDC Tokens Support Repository Custom Properties
GitHub Actions OIDC tokens now include repository custom properties as claims (public preview). Admins can select properties that automatically appear in tokens prefixed with repo_property_, enabling attribute-based access control (ABAC) in AWS, Azure, and GCP without per-repo workflow changes. This eliminates hard-coded allow lists and reduces configuration drift across large organizations.
GitHub REST API Version 2026-03-10 Now Available
GitHub released REST API version 2026-03-10 with breaking changes. Integrations must update the X-GitHub-Api-Version header and verify compatibility. Veeam integrations using GitHub REST APIs should review the version documentation for any changes to backup-relevant endpoints before upgrading.
GitHub Adds 28 New Secret Scanning Detectors for March
GitHub's March 2026 secret scanning update adds 28 new detectors from 15 providers including Lark, Vercel, Snowflake, and Supabase. Additionally, 39 detectors now have push protection enabled by default, covering Airtable, Databricks, Heroku, PostHog, and Shopify. This broadens the scope of secrets automatically blocked before they reach repositories.
GitHub Pauses Self-Hosted Runner Version Enforcement
GitHub temporarily paused enforcement of the minimum self-hosted runner version requirement (v2.329.0) that was scheduled for March 16, 2026. Runners below v2.329.0 can still register during the pause. An updated enforcement timeline will follow. Organizations should continue upgrading runners proactively as older versions will eventually be blocked.
Azure DevOps Adds Push Protection Bypass Audit Logging
Azure DevOps Sprint 270 introduces audit log entries when developers bypass push protection to push detected secrets. Entries include the repository, secret type, and bypassing user's identity. This gives security teams a complete record for incident investigation and policy enforcement across Azure DevOps organizations.