DevOps Pulse

GitLab AI Gateway patched a critical CVSS 9.9 vulnerability in Duo Workflow Service that allows insecure template expansion of user data. Atlassian will force AI data contribution for 300,000 clients starting August 2026, with lower-tier customers unable to opt out of training programs. Vercel disclosed a supply chain attack where Context.ai employee compromise led to customer environment variable exposure through OAuth tokens. The PM team should prioritize GitProtect's competitive response after their GitHub Enterprise Cloud Data Residency launch directly targets Veeam's DevOps positioning.

DevOps Platform Updates

Latest announcements and changes from GitHub, GitLab, Azure DevOps, Bitbucket, and Atlassian.

GitLab AI Gateway Critical Vulnerability Patched

On February 6, 2026, GitLab released emergency patches for versions 18.6.2, 18.7.1, and 18.8.1 of the GitLab AI Gateway to fix a critical security vulnerability in the Duo Workflow Service component. The vulnerability allows insecure template expansion of user-supplied data via crafted Duo Agent Platform Flow definitions. The flaw received a CVSS score of 9.9, making it critical severity. This directly impacts organizations using GitLab Duo Self-Hosted AI Gateway for DevOps data protection.

gitlab · GitLab Releases · 6 Feb

GitHub Secret Scanning Expands to 37 New Detectors

GitHub shipped 37 new secret detectors across 22 providers in March 2026, expanding push protection to 39 token types by default. Most notably, GitHub embedded secret scanning into its MCP Server, allowing credential detection inside AI agent workflows before secrets reach repositories. This addresses a critical gap as AI-generated code introduces higher secret leakage rates than traditional development.

github · DevOps.com · 1 Apr

Microsoft Agent 365 Runtime Protection Preview Launched

Microsoft unveiled Agent 365 Runtime Protection on April 30, 2026, alongside AI Security Posture Management in Defender for Cloud and enhanced GitHub security features. Microsoft's security chief described agents as 'the new endpoints' and announced these capabilities will be free for E5 and GitHub Enterprise subscribers through June 2027. This represents a major shift toward AI agent security in enterprise DevOps environments.

azure-devops · Windows News · 30 Apr

Atlassian Mandatory AI Data Training Policy August 2026

Atlassian announced that starting August 17, 2026, it will use customer metadata and application content from Jira, Confluence, and cloud offerings to train AI models, affecting approximately 300,000 clients. Users on Free, Standard, and Premium tiers cannot opt out of certain data contribution programs, while Enterprise customers can manually withdraw. This policy change significantly impacts DevOps data governance and compliance strategies.

jira · Security Online · 20 Apr

Bitbucket OAuth Security Changes Enforced May 2026

Bitbucket is enforcing OAuth and token-authentication changes on May 4th, 2026, to improve security and align with OAuth standards. The platform will stop issuing refresh tokens for client credentials grant flow and expire existing refresh tokens to strengthen security. Personal workspace OAuth consumers will be restricted to accessing data only within the owning workspace. These changes affect API integrations and DevOps automation workflows.

bitbucket · Bitbucket Cloud Changelog · 5 Mar

Atlassian Security Bulletin Reports 38 High- and Critical-Severity Vulnerabilities

The April 21, 2026 Atlassian Security Bulletin reported 31 high-severity vulnerabilities and 7 critical-severity third-party vulnerabilities affecting Jira, Confluence, and other products. A notable vulnerability is CVE-2025-64756, a high-severity OS Command Injection flaw in Confluence Data Center and Server that allows authenticated attackers to execute arbitrary commands. This represents ongoing security challenges for Atlassian platform users.

confluence · Atlassian Security · 21 Apr

DevOps Platform Threats Surge 21% in 2025

GitProtect's DevOps Threats Unwrapped Report 2026 found that cyber incidents targeting DevOps environments grew 21% year-over-year in 2025, with platform downtime jumping almost 95% to 9,255 hours, costing over $740,000 in lost productivity. Vendors reported 236 security flaws patched across DevOps services, including 14 critical vulnerabilities, with a 30% increase in patched vulnerabilities between the first and second halves of 2025. This highlights the escalating security challenges facing DevOps platforms.

github · DevOps.com · 29 Apr

AI-Driven DevSecOps Tools Reduce False Positives to 5%

Research from the State of DevOps and DevSecOps in 2026 shows that AI-enhanced security scanning tools can detect vulnerabilities in 2-3 minutes per scan, with false positive rates reduced to less than 5% through AI-powered context analysis. Organizations using AI-enhanced CI/CD platforms report a 35% decrease in pipeline execution time, while tools like Snyk v3.2.1 and Dependabot v2.7.0 now integrate directly into workflows. This represents a significant advancement in DevSecOps automation and efficiency.

github · DasRoot Technical News · 18 Apr