DevOps Platform Updates
Latest announcements and changes from GitHub, GitLab, Azure DevOps, Bitbucket, and Atlassian.
GitHub Critical RCE Vulnerability CVE-2026-3854
A critical vulnerability in GitHub.com and Enterprise Server allows remote code execution via git push commands. It affects millions of repositories and has been patched, but 88% of Enterprise Server instances remain unpatched. This vulnerability demonstrates the security risks of AI-augmented reverse engineering tools.
Microsoft Agent 365 Runtime Protection for AI
Microsoft announced Agent 365 Runtime Protection for AI agents, enhanced GitHub Advanced Security with AI-code scanning, and Purview AI Data Security Investigations. These tools address threats from autonomous software agents and support AI regulation compliance ahead of EU AI Act requirements.
GitLab 18.11 Agentic SAST Vulnerability Resolution GA
GitLab released version 18.11 with autonomous SAST vulnerability resolution generally available, two new foundational agents for CI and analytics, and budget guardrails for GitLab Duo Agent Platform. The features aim to reduce security bottlenecks through AI-powered remediation.
GitLab Security Update Fixes High-Severity CVE-2026-5173
GitLab patched CVE-2026-5173, a CVSS 8.5 WebSocket vulnerability allowing authenticated attackers to bypass access controls and invoke unintended server-side methods. The update also resolved 12 additional vulnerabilities ranging from high to low severity across versions 18.10.3, 18.9.5, and 18.8.9.
Azure DevOps Sprint 268 GitHub Copilot Integration GA
Azure DevOps Sprint 268 made GitHub Copilot integration generally available, enabling code generation directly from Azure Boards work items. The sprint also introduced the Advanced Security Alert Metadata API and CodeQL Node.js v24 alignment, and deprecated the Autobuild task in favor of buildless scanning.
Azure DevOps Personal Access Token Security Fix
Microsoft closed a security gap that allowed expired Personal Access Tokens to be modified or extended beyond expiration. The change enforces true token lifetimes, reduces credential leak risks, and helps meet compliance expectations by preventing tokens from persisting beyond their intended lifetime.
Atlassian Security Bulletin: 31 High & 7 Critical Vulnerabilities
Atlassian's April 21 security bulletin addressed 31 high-severity and 7 critical third-party vulnerabilities across Jira, Confluence, and other Data Center products. Updates include fixes for session hijacking, storybook token access, and virtual registry credential issues.
Bitbucket OAuth Authentication Changes May 4th
Bitbucket enforced OAuth and token authentication security changes to align with standards and improve performance. Client credentials grants no longer issue refresh tokens, and personal workspace OAuth consumers are restricted to workspace data access only.