DevOps Pulse

GitHub shipped AI-assisted supply chain attacks targeting misconfigured workflows

affecting 475 repositories with fewer than 10% successful, while releasing a comprehensive security roadmap with dependency locking and egress firewalls. GitLab's AI Gateway exposed API tokens to unauthenticated users via CVE-2026-1724, and Atlassian patched a critical RCE vulnerability, CVE-2025-64756, allowing OS command injection. GitProtect strengthens DevOps backup dominance with unlimited retention and cross-platform recovery as Veeam completes its $1.7B Securiti AI acquisition, creating a unified Data Command Center. CI/CD pipeline breach costs spike to a $5.1M average with a 45% increase in supply chain attacks targeting build environments containing deployment credentials.

DevOps Platform Updates

Latest announcements and changes from GitHub, GitLab, Azure DevOps, Bitbucket, and Atlassian.

GitHub Actions 2026 Security Roadmap Released

GitHub published a comprehensive security roadmap addressing supply chain attacks through dependency locking, native egress firewalls, and centralized policy controls. New features include workflow dependency sections with SHA locks, Layer 7 immutable firewalls for runners, and Actions Data Stream for real-time CI/CD observability. This represents the most substantial security evolution since the launch of Actions.

github · GitHub Blog · 27 Mar

GitLab Duo Agent Platform Generally Available

GitLab announced general availability of GitLab Duo Agent Platform on January 15, 2026, delivering agentic AI and orchestration across the software lifecycle. The platform is available to Premium and Ultimate customers on GitLab.com and Self-Managed deployments, expanding AI-native DevSecOps capabilities with purpose-built AI agents and integration with external agents like Claude Code and OpenAI Codex.

gitlab · StockTitan · 15 Jan

Azure DevOps Server Group Membership Issue Resolved

Microsoft resolved a critical issue affecting Azure DevOps Server that could cause group memberships to become deactivated. A patch was released March 13, 2026, after temporarily removing download links to prevent further impact. This issue affected authentication and access control for on-premises deployments.

azure-devops · Azure DevOps Blog · 13 Mar

Atlassian Confluence Critical RCE Vulnerability (CVE-2025-64756)

The Berkeley Information Security Office reported a high-severity OS Command Injection vulnerability in Confluence Data Center and Server. CVE-2025-64756 allows authenticated attackers to execute arbitrary commands on target systems. Patches are available in versions 11.3.3 (LTS) and 10.3.18 (LTS) for Data Center deployments.

confluence · Berkeley Security Office · 17 Mar

AWS DevOps Agent and Security Agent GA Launch

Amazon Web Services announced general availability of AWS DevOps Agent and AWS Security Agent after a preview phase. These 'frontier agents' work autonomously across multiple steps for cloud operations, incident investigation, and issue prevention. Early customers include United Airlines, Western Governors University, and T-Mobile for accelerated incident response.

aws · AWS News Blog · 6 Apr

Atlassian Data Export Rule Extended to Block File Downloads

Atlassian extended data security policies to block downloading of attached files in Confluence and Jira, not just data exports. This affects existing policies with data export rules configured to block exports. The change requires Atlassian Guard Standard and reflects the overlap between export and download security concerns for enterprise customers.

confluence · Atlassian Documentation · 15 Dec

Supply Chain Attacks Target CI/CD Infrastructure in 2026

Multiple supply chain attacks have targeted GitHub Actions and CI/CD pipelines, including tag poisoning of aquasecurity/trivy-action and backdoored axios versions. The attacks demonstrate the vulnerability of mutable version tags and of global npm installs that bypass project manifests. Short-lived GitHub tokens helped limit the blast radius of compromised runners.

github · Dev Journal · 4 Apr