DevOps Platform Updates
Latest announcements and changes from GitHub, GitLab, Azure DevOps, Bitbucket, and Atlassian.
CVE-2026-32211: Critical Azure DevOps MCP Server Vulnerability
Microsoft disclosed a critical CVSS 9.1 authentication flaw in the Azure DevOps MCP Server that allows unauthorized access to sensitive data including configuration details, API keys, and project data. The vulnerability affects AI agents using Azure DevOps through MCP. No patch is available yet, only mitigation guidance from Microsoft.
GitHub Expands AI-Powered Security Detections
GitHub introduced AI-powered security detections in GitHub Code Security to extend application security coverage to more languages and frameworks beyond traditional CodeQL static analysis. The feature complements existing tools and is scheduled for public preview in early Q2 2026, with the goal of surfacing vulnerabilities in areas that are difficult to cover with traditional analysis.
GitHub Secret Scanning in AI Coding Agents via MCP
GitHub enhanced secret scanning with 37 new detectors in March and extended protection to AI coding agents through MCP Server integration. The system can now scan code changes for exposed secrets before commits or pull requests in MCP-enabled environments, addressing security gaps as AI agents generate code autonomously.
GitHub Actions OIDC Custom Properties GA
GitHub Actions OpenID Connect tokens now include repository custom properties as claims, and the feature is generally available. Previously in public preview, these claims enable more granular trust policies with cloud providers. The update also adds entrypoint/command overrides for service containers and Azure private networking failover features.
GitLab AI-Powered False Positive Detection for Security
GitLab introduced AI-powered false positive detection for secret scanning that analyzes findings before developers see them, identifying test credentials and placeholder secrets with confidence scores. The feature is separate from SAST false positive detection and aims to reduce security team triage time for non-actionable findings.
LiteLLM AI Gateway Supply Chain Incident
LiteLLM experienced a supply chain attack on March 24, 2026, in which compromised PyPI packages (v1.82.7 and v1.82.8) contained credential-stealing malware. The incident lasted 40 minutes before the packages were quarantined. Organizations that ran GitHub Actions or GitLab CI pipelines pulling these versions during that window may have been affected. Community scripts are available to scan for exposure.
Atlassian Security Bulletin: 21 High-Severity Vulnerabilities
Atlassian's March 17, 2026 security bulletin disclosed 21 high-severity vulnerabilities affecting Jira, Confluence, Bitbucket, and other products. The vulnerabilities were discovered through bug bounty programs and third-party scanning. Organizations should patch to the latest versions to address these lower-impact security issues.