DevOps Platform Updates
scanned 48d ago6Latest announcements and changes from GitHub, GitLab, Azure DevOps, Bitbucket, and Atlassian.
CVE-2026-41109: Critical Copilot Security Feature Bypass
Microsoft disclosed a high-severity vulnerability in GitHub Copilot and VS Code that allows local attackers to bypass AI content filters and consent mechanisms. The vulnerability enables automatic injection of malicious code suggestions and suppresses user consent prompts, compromising the human-AI collaboration boundary.
GitHub Agentic Workflows Security Architecture
GitHub detailed a comprehensive defense-in-depth security architecture for autonomous AI agents in CI/CD pipelines. The design emphasizes isolation, constrained execution, and full auditability to mitigate risks like prompt injection and privilege escalation in AI-driven automation.
GitLab 18.11 Agentic SAST Vulnerability Resolution
GitLab released general availability of Agentic SAST Vulnerability Resolution, enabling autonomous remediation of security vulnerabilities. The update includes AI-powered false positive detection and new GitLab Duo Agent Platform foundational agents for CI and analytics workflows.
NHS Closes Public GitHub Repos Over AI Security Concerns
UK's National Health Service ordered all technology leaders to make GitHub repositories private by May 11, citing risks from advanced AI models like Anthropic's Mythos capable of large-scale code ingestion and vulnerability discovery. The move highlights growing concerns about AI-assisted security reconnaissance.
Microsoft Agent 365 Runtime Protection Released
Microsoft unveiled Agent 365 Runtime Protection for AI agents, AI Security Posture Management in Defender for Cloud, and enhanced AI-code scanning in GitHub Advanced Security. The April 30 update addresses new threats from autonomous software agents and supports AI compliance requirements.
Atlassian Cloud IP Allowlist and Country-Based Access Control
Atlassian introduced country-based IP allowlist policies for enhanced security and compliance across Jira, Confluence, and other apps. Organizations can now restrict access by approved countries in addition to IP addresses, strengthening security posture for regulated industries.