DevOps Platform Updates
scanned 62d ago8Latest announcements and changes from GitHub, GitLab, Azure DevOps, Bitbucket, and Atlassian.
Critical GitHub RCE Vulnerability CVE-2026-3854 Disclosed
Wiz researchers discovered a critical remote code execution vulnerability in GitHub's git infrastructure that could be exploited with a single git push command. The flaw (CVSS 8.7) affects GitHub.com and GitHub Enterprise Server, potentially compromising millions of repositories. GitHub patched github.com within 2 hours of disclosure on March 4, 2026. Enterprise customers must upgrade to GHES 3.19.3+ immediately as 88% of instances remain vulnerable.
GitLab 18.11 Extends AI Agent Platform with Security Analytics
GitLab released version 18.11 expanding agentic AI across the software lifecycle with automated security remediation, pipeline setup, and delivery analytics. The Duo Agent Platform reached general availability in January 2026, enabling multi-agent workflow orchestration and custom agents for Enterprise customers. This positions GitLab as an AI orchestration plane where humans and agents share delivery responsibility.
Azure DevOps Server Critical Group Membership Bug Patched
Microsoft released patches for Azure DevOps Server after identifying an issue that could cause group memberships to become deactivated in certain scenarios. The bug affected installations prior to March 13, 2026 re-published release. A mitigation SQL script was provided for affected environments while Microsoft worked on permanent fixes. Migration tools for Azure DevOps Server 25H2 remain unpublished.
Bitbucket API Deprecation Breaks Azure DevOps Integration
Bitbucket deprecated APIs (CHANGE-2770) causing Microsoft Azure DevOps integrations to fail with 403 errors. Users cannot set up new Bitbucket connections in Azure DevOps due to Microsoft using deprecated APIs. Microsoft deployed a hotfix for App Service Bitbucket integration on April 8, but broader Azure DevOps pipeline integration issues persist. Organizations may need to move away from Azure DevOps if not resolved.
Atlassian Jira Backup Manager API Deprecated March 30
Atlassian deprecated the v1 Backup Manager APIs effective March 30, 2026, removing automated backup creation capabilities for Standard plan customers. The enhanced backup and restore system is limited to Enterprise plans during rollout. Standard customers can only create manual backups through the UI, forcing many to upgrade or seek alternative backup solutions for compliance requirements.
Black Duck Polaris Platform Enhances DevSecOps SCM Integration
Black Duck announced enhanced Polaris Platform integrations across GitHub, GitLab, Azure DevOps, and Bitbucket for unified application security. New features include automated repository onboarding, continuous monitoring, event-based scanning, and AI-powered security insights through Black Duck Signal. The platform addresses the explosion of AI-generated code and distributed development environments requiring better security coverage.
Atlassian SCIM API Keys to Expire Between May 2026-2027
Atlassian will set expiry dates for existing SCIM API keys generated before January 1, 2025, with expiration between May 1, 2026 and May 1, 2027. The change encourages key rotation to reduce security risks of leaked or stolen keys. Organizations using identity providers for user provisioning to Atlassian must monitor for expiration notifications and plan key renewal processes.
GitHub Actions Introduces Agentic Workflows Preview
GitHub announced Agentic Workflows in technical preview for February 2026, allowing developers to describe automation goals in natural language Markdown files instead of writing YAML. AI agents like GitHub Copilot execute workflows in sandboxed containers for automated issue triage, PR review, CI failure diagnosis, and repository maintenance. This represents a significant shift toward AI-native DevOps automation.