DevOps Pulse

GitHub launched Season 4 of the Secure Code Game, exposing real-world AI agent vulnerabilities as production deployments surge, while security researchers disclosed 475+ malicious pull requests in the 'prt-scan' supply chain attacks targeting GitHub repositories. Atlassian patched 12 critical vulnerabilities across Confluence and Jira with CVSS scores reaching 9.8, requiring immediate enterprise attention. Supply chain attacks accelerated with four major incidents targeting the Trivy, LiteLLM, Telnyx, and Axios packages inside CI/CD pipelines, demonstrating coordinated campaigns against trusted developer tooling.

DevOps Platform Updates

Latest announcements and changes from GitHub, GitLab, Azure DevOps, Bitbucket, and Atlassian.

GitHub Secure Code Game Season 4: Hack AI Agents

GitHub launched Season 4 of the Secure Code Game featuring ProdBot, a deliberately vulnerable agentic coding assistant that mirrors real-world AI security risks. The game teaches developers to exploit vulnerabilities in AI agents through five progressive challenges using natural language attacks. The patterns discovered in Season 4 are not theoretical but reflect actual security threats as organizations deploy autonomous AI systems into production.

github · GitHub Blog · 14 Apr

GitHub Actions 2026 Security Roadmap: Deterministic Dependencies

GitHub announced a new dependencies section for GitHub Actions workflows that locks all direct and transitive dependencies with commit SHA hashes, providing complete reproducibility and auditability. The feature enables deterministic runs where every workflow executes exactly what was reviewed, with dependency changes showing up as diffs in pull requests and hash mismatches stopping execution before jobs run.

github · GitHub Blog · 1 Apr

AI-Powered Supply Chain Attack Targets GitHub via Pull Requests

Security analysts reported an AI-assisted supply chain attack codenamed 'prt-scan' targeting misconfigured repositories on GitHub. Hackers deployed over 475 malicious pull requests containing payloads designed to steal credentials and compromise sensitive data, exploiting open-source projects through sophisticated automation techniques.

github · Mean CEO Blog · 9 Apr

GitHub AI-Powered Security Detections Enter Public Preview

GitHub announced AI-powered security detections in GitHub Code Security to expand application security coverage across more languages and frameworks. These detections complement CodeQL by surfacing potential vulnerabilities in areas difficult to support with traditional static analysis, with public preview availability planned for early Q2 2026.

github · GitHub Blog · 23 Mar

Trivy Security Scanner Supply Chain Attack Spreads to Multiple Tools

Aqua Security's Trivy vulnerability scanner was compromised on March 19, 2026 in the most sophisticated supply chain attack on a security tool to date. The breach exposed CI/CD secrets, planted persistent backdoors, and spread a self-propagating worm across npm packages, affecting organizations using trusted security tooling for credential harvesting.

github · Palo Alto Networks · 25 Mar

GitLab Duo Agent Platform Achieves General Availability

GitLab announced general availability of the Duo Agent Platform, enabling teams to coordinate AI agents across every phase of development from planning to shipping. The platform addresses the AI paradox by extending AI-driven productivity beyond coding to the entire workflow, reducing bottlenecks like code review backlogs, security vulnerabilities, and compliance checks through agentic chat, task-specific agents, and enterprise-grade controls.

gitlab · InfoQ · 19 Jan

Azure DevOps Windows 365 Price Reduction and Platform Updates

Microsoft announced a significant 20% price reduction for Windows 365 Business starting May 1, 2026, along with new on-demand start behavior and license mobility for Windows Server and SQL under the Microsoft Customer Agreement. The update also includes infrastructure improvements like ephemeral OS disk caching and new AI models including Grok 4.2.

azure-devops · HubSite365 · 13 Apr

Atlassian Critical Security Vulnerabilities Patched Across Products

Atlassian released security patches for 12 critical and high-severity vulnerabilities across Bamboo, Bitbucket, Confluence, Crowd, and Jira. The most severe issues include CVE-2024-50379 (CVSS 9.8) for remote code execution in Confluence Data Center and CVE-2024-56337 (CVSS 9.8) for an Apache Tomcat vulnerability affecting Confluence deployments.

confluence · Security Affairs · 9 Apr