DevOps Platform Updates
Latest announcements and changes from GitHub, GitLab, Azure DevOps, Bitbucket, and Atlassian.
Critical GitHub RCE Vulnerability CVE-2026-3854 Patched
<cite index="6-1,6-12">GitHub patched a critical remote code execution vulnerability (CVE-2026-3854) in May 2026 that allowed authenticated users with push access to trigger arbitrary code execution through crafted git push operations</cite>; the prerequisite was push rights, not administrative access, so any account able to write to a repository was in scope. <cite index="6-3,6-4,6-5">The vulnerability underlined the exposure for startups and enterprises alike, since GitHub repositories hold product logic, API keys, internal documentation, and deployment scripts that are critical to business operations</cite>.
GitHub Actions 2026 Security Roadmap: Secure by Default
<cite index="9-3,9-14,9-16">GitHub announced its 2026 Actions security roadmap focusing on secure-by-default automation, verifiable workflows, and disrupting supply chain attacks without requiring teams to rebuild CI/CD from scratch</cite>. <cite index="9-22,9-24,9-29">New features include workflow execution protections via GitHub's ruleset framework, centralized policy controls, and enterprise-grade endpoint protections with Actions Data Stream visibility and native egress firewall controls</cite>.
Azure DevOps GitHub Security Products Go Standalone
<cite index="1-18,1-19,1-20">Microsoft made GitHub Secret Protection and GitHub Code Security available as standalone products in Azure DevOps, providing separate access to secret scanning, push protection, dependency scanning, and code scanning capabilities</cite>. <cite index="1-4,1-5">Azure DevOps also introduced a new organization-level policy to restrict personal access token (PAT) creation, allowing Project Collection Administrators to control token generation and reduce token sprawl</cite>.
GitLab 18.11 Expands Agentic AI for Security Remediation
<cite index="17-1,17-6">GitLab released version 18.11 with expanded agentic AI capabilities across the software lifecycle, making Agentic SAST Vulnerability Resolution generally available for Ultimate customers using GitLab Duo Agent Platform</cite>. <cite index="17-3,17-4,17-5">The release addresses the AI Paradox where AI-generated code moves faster than security and operations can keep up, with platform-native agents having access to code, pipelines, issues, and security findings already in GitLab</cite>.
GitLab Security Update Patches High-Severity CVE-2026-5173
<cite index="15-20,15-21,15-22">GitLab issued a security update addressing high-severity vulnerability CVE-2026-5173 (CVSS 8.5) affecting WebSocket connections, which could allow authenticated attackers to bypass access controls and invoke unintended server-side methods</cite>. <cite index="15-1,15-2,15-3,15-4">The update also fixed multiple medium-severity vulnerabilities, including incorrect authorization in the vulnerability flags AI detection API and information disclosure through CSV exports</cite>.
Bitbucket OAuth Security Changes Take Effect
<cite index="31-1,31-14">Bitbucket implemented security changes on May 4th, 2026, restricting client_credentials grants for OAuth consumers owned by personal workspaces to data within the owning workspace only, removing the user-level access those tokens previously carried</cite>. <cite index="31-5,31-6,31-7,31-8">The platform also stopped issuing refresh tokens for the client_credentials grant flow to address security risks: existing refresh tokens will expire, and access token responses for that flow no longer include one</cite>. Integrations that cached a refresh_token and used a refresh_token grant to renew therefore need to request a new token with client_credentials each time the current one nears expiry.
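The following is an added example, not Bitbucket or Atlassian code, showing a client_credentials token source that does not depend on a refresh_token, which is the behaviour the change above requires. The token URL, the `Transport` callable, the `FakeTokenEndpoint` that stands in for the network, and the `invalid_grant` error body it returns are assumptions made so the module runs offline; in production replace the transport with a real HTTP POST.

```python
"""Client-credentials token source that never relies on a refresh_token.

Added example, not Bitbucket/Atlassian code. TOKEN_URL, the Transport callable
and the FakeTokenEndpoint below are assumptions so this runs offline.
"""
import base64
import time
from typing import Callable, Dict, List

# Assumed token endpoint (Bitbucket Cloud's OAuth 2 token URL as the author knows it).
TOKEN_URL = "https://bitbucket.org/site/oauth2/access_token"

# A transport is any callable(url, headers, form_fields) -> parsed JSON dict.
Transport = Callable[[str, Dict[str, str], Dict[str, str]], Dict]


class ClientCredentialsTokenSource:
    """Caches an access token and re-requests it with grant_type=client_credentials
    shortly before it expires. Any refresh_token in a response is ignored: the
    platform no longer issues one for this flow, and a refresh_token grant would
    fail once previously issued refresh tokens expire."""

    def __init__(self, client_id: str, client_secret: str, transport: Transport,
                 url: str = TOKEN_URL, clock: Callable[[], float] = time.time,
                 skew: int = 60):
        # HTTP Basic client authentication: base64(client_id:client_secret)
        self._auth = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        self._transport = transport
        self._url = url
        self._clock = clock
        self._skew = skew            # seconds of safety margin before expiry
        self._token = None
        self._expires_at = 0.0
        self.requests_made = 0       # exposed for observability and tests

    def _request(self) -> None:
        headers = {"Authorization": f"Basic {self._auth}",
                   "Content-Type": "application/x-www-form-urlencoded"}
        body = self._transport(self._url, headers, {"grant_type": "client_credentials"})
        self.requests_made += 1
        if "access_token" not in body or "expires_in" not in body:
            raise RuntimeError(f"unexpected token response: {sorted(body)}")
        self._token = body["access_token"]
        self._expires_at = self._clock() + int(body["expires_in"])

    def token(self) -> str:
        """Return a valid bearer token, re-requesting when inside the skew window."""
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            self._request()
        return self._token


def legacy_refresh(transport: Transport, refresh_token: str) -> Dict:
    """What an un-migrated client does: attempt a refresh_token grant.
    Returns the endpoint's response so the failure is visible to the caller."""
    return transport(TOKEN_URL, {"Authorization": "Basic ..."},
                     {"grant_type": "refresh_token", "refresh_token": refresh_token})


class FakeTokenEndpoint:
    """Constructed stand-in for the token endpoint after the change: answers
    client_credentials with a short-lived bearer token and no refresh_token,
    and rejects refresh_token grants (error body shape is an assumption)."""

    def __init__(self, lifetime: int = 7200):
        self.lifetime = lifetime
        self.calls: List[str] = []

    def __call__(self, url: str, headers: Dict[str, str], form: Dict[str, str]) -> Dict:
        self.calls.append(form["grant_type"])
        if form["grant_type"] != "client_credentials":
            return {"error": "invalid_grant"}
        if not headers.get("Authorization", "").startswith("Basic "):
            return {"error": "invalid_client"}
        return {"access_token": f"tok{len(self.calls)}", "token_type": "bearer",
                "expires_in": self.lifetime, "scopes": "repository"}


def demo() -> Dict:
    """Drive the token source against the fake endpoint with a controllable clock."""
    now = [1_000_000.0]
    endpoint = FakeTokenEndpoint(lifetime=7200)
    src = ClientCredentialsTokenSource("key", "secret", endpoint, clock=lambda: now[0])
    first = src.token()                  # first call hits the endpoint
    again = src.token()                  # still valid: served from cache
    now[0] += 7200 - 30                  # inside the 60 s skew window
    renewed = src.token()                # re-requested with client_credentials
    return {"first": first, "again": again, "renewed": renewed,
            "requests": src.requests_made, "grants": endpoint.calls}


if __name__ == "__main__":
    print(demo())
    print(legacy_refresh(FakeTokenEndpoint(), "stale-refresh-token"))
```

The skew margin matters in CI jobs: a token that is technically valid when fetched but expires mid-request produces a confusing 401 halfway through a pipeline, so renew a little early rather than exactly at `expires_in`.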
Atlassian Introduces IP Allowlist Country-Based Controls
<cite index="24-37,24-38">Atlassian introduced new IP allowlist policies that restrict access to apps by approved countries in addition to IP addresses, helping organizations strengthen security and support compliance needs across Jira, Confluence, Analytics, Compass, and Rovo</cite>. <cite index="24-7,24-8">The platform also made System Health generally available, providing organization admins with a personalized dashboard showing app status, site-level incidents, email alerts, and postmortems for free across all cloud plans</cite>.