DevOps Pulse

Aqua Security's Trivy scanner was compromised in a supply chain attack that poisoned 76 of 77 version tags, forcing downstream CI/CD workflows to execute attacker code without visible changes. Microsoft patched a critical Azure DevOps privilege escalation vulnerability (CVE-2026-23658) requiring immediate action. GitProtect expanded DevOps backup coverage to Jira and Azure DevOps Artifacts while multiple analysts position specialized vendors as leaders in SaaS protection. The PM team should accelerate competitive response to GitProtect's expanding platform coverage and leverage the Trivy incident to demonstrate supply chain protection value.


DevOps Platform Updates


Latest announcements and changes from GitHub, GitLab, Azure DevOps, Bitbucket, and Atlassian.

Critical Supply Chain Attack Compromises Trivy Security Scanner

<cite index="43-2,43-3,43-4">On March 19, 2026, Aqua Security's Trivy vulnerability scanner was compromised in a sophisticated CI/CD-focused supply chain attack. The breach exposed CI/CD secrets, planted persistent backdoors on developer machines, and spread a self-propagating worm across dozens of npm packages.</cite> <cite index="46-13,46-14">The attacker force-pushed 76 of 77 version tags in trivy-action and all 7 tags in setup-trivy, redirecting existing trusted version references to malicious commits, causing downstream workflows to execute attacker-controlled code without any visible change to release metadata.</cite>
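The attack described above works because a tag such as `v1` or `master` is a mutable pointer: whoever can force-push the tag decides which commit a workflow runs, and the workflow file itself never changes. The standard mitigation is to reference actions by full 40-character commit SHA, which a force-pushed tag cannot redirect. The following script is an added example (not code from Aqua Security, GitHub, or the original page) that scans a workflow file for `uses:` references not pinned to a full SHA; the sample workflow, the placeholder SHA and the action versions in it are constructed for illustration.

```python
import re

# Constructed sample workflow (not from the page). The SHA is a placeholder,
# not a real commit; the tag and branch references are constructed examples
# of the mutable pointers the Trivy attack redirected.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: aquasecurity/setup-trivy@v1
      - name: Scan
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
      - uses: ./.github/actions/local-helper
"""

# Matches "- uses: owner/repo@ref" or "uses: owner/repo@ref", optionally quoted,
# and stops at whitespace or a trailing "# comment".
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'#\s]+)["\']?')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def classify_ref(ref):
    """Classify one uses: reference as 'pinned', 'mutable' or 'skip'.

    Local actions (./path) and docker:// images are skipped: they are not
    resolved through git tags, so SHA pinning does not apply to them here.
    """
    if ref.startswith('./') or ref.startswith('docker://'):
        return 'skip'
    if '@' not in ref:
        # No ref at all resolves to the default branch, which is mutable.
        return 'mutable'
    _, version = ref.rsplit('@', 1)
    return 'pinned' if FULL_SHA_RE.match(version) else 'mutable'


def find_unpinned(workflow_text):
    """Return [(line_number, ref)] for every uses: not pinned to a full SHA."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if classify_ref(ref) == 'mutable':
            findings.append((n, ref))
    return findings


if __name__ == '__main__':
    for line_no, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f'line {line_no}: {ref} is not pinned to a full commit SHA')
```

The regex is deliberately line-based so the check runs without a YAML parser and can be dropped into a pre-commit hook or a CI policy job; it does not follow reusable-workflow references (`uses: owner/repo/.github/workflows/x.yml@ref`) differently from actions, which is intentional because those are subject to the same tag redirection.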

Source: Microsoft Security Blog · 24 Mar (tag: github)

Azure DevOps Server Critical Privilege Escalation Vulnerability

<cite index="23-1,23-3,23-4">Microsoft has disclosed CVE-2026-23658, a high-severity elevation-of-privilege vulnerability affecting Azure DevOps Server that requires immediate patching. The vulnerability allows authenticated attackers to escalate privileges within on-premises deployments, potentially compromising sensitive development assets and intellectual property.</cite> <cite index="23-11,23-12,23-13">Microsoft has released security updates addressing CVE-2026-23658 for all supported versions of Azure DevOps Server through standard Microsoft Update channels for Azure DevOps Server 2020, 2022, and subsequent supported versions.</cite>

Source: Windows News · 17 Mar (tag: azure-devops)

GitHub Launches AI-Powered Security Detections in Code Security

<cite index="2-1,2-5,2-6">GitHub is introducing AI-powered security detections in GitHub Code Security to expand application security coverage across more languages and frameworks. These detections complement CodeQL by surfacing potential vulnerabilities in areas that are difficult to support with traditional static analysis alone.</cite> <cite index="2-7">Public preview availability is planned for early Q2.</cite> This represents GitHub's strategy to become a single pane of glass for developer security through AI-enhanced vulnerability detection.

Source: GitHub Blog · 23 Mar (tag: github)

GitLab 18.10 Introduces Agentic AI Security Features

<cite index="11-1,11-2,11-3">GitLab Inc. released GitLab 18.10 on March 19, 2026, making it easier and more affordable to use agentic AI capabilities across the entire software development lifecycle. Agentic false positive detection for security scanning is now generally available, using AI to automatically score and help explain security findings, reduce alert fatigue, and accelerate remediation.</cite> <cite index="11-10,11-11">Agentic Code Review automatically reviews merge requests across all groups and projects at a flat cost of $0.25 per review, potentially meaning substantial savings as review volume grows.</cite>

Source: GitLab Press Release · 19 Mar (tag: gitlab)

GitHub Actions 2026 Security Roadmap Emphasizes Supply Chain Protection

<cite index="7-1,7-2">The 2026 GitHub Actions roadmap responds directly to supply chain attacks by shifting the platform toward secure-by-default, verifiable automation with a focus on disrupting these attacks.</cite> <cite index="7-6">Over the past year, incidents targeting projects like tj-actions, Nx, and trivy-action show a clear pattern: attackers are targeting CI/CD automation itself, not just the software it builds.</cite> <cite index="7-17">The roadmap is designed to move Actions toward a secure by default, auditable automation platform without requiring every team to rebuild their CI/CD model from scratch.</cite>

Source: GitHub Blog · 26 Mar (tag: github)

Atlassian Security Bulletin Addresses 21 High-Severity Vulnerabilities

<cite index="32-2,32-9,32-10">The March 17, 2026 Atlassian Security Bulletin includes 21 high-severity vulnerabilities that have been fixed in new versions of their products released in the last month. These vulnerabilities are discovered via their Bug Bounty program, pen-testing processes, and third-party library scans.</cite> <cite index="33-1,33-2">CVE-2025-64756 is a high-severity OS Command Injection vulnerability in Confluence Data Center and Server that allows an authenticated attacker to gain access and possibly execute arbitrary commands on the target system.</cite>

Source: Atlassian Security · 17 Mar (tag: confluence)

Atlassian Connect Platform Reaches End of Support December 2026

<cite index="35-21,35-22,35-24,35-25">Local installs of Atlassian Connect apps will be locked from March 2026. The Connect Inspector service was discontinued by the end of February 2026. Atlassian Connect will reach end of support in December 2026, with migration to Atlassian Forge required for a more robust Events model.</cite> <cite index="36-6,36-7">New baseline security requirements for Atlassian Government Cloud (AGC) apps take effect on March 31, 2026, including new provisions for AI security, data protection, and supply chain security.</cite>

Source: Atlassian Developer · 17 Mar (tag: confluence)