DevOps Platform Updates
Latest announcements and changes from GitHub, GitLab, Azure DevOps, Bitbucket, and Atlassian.
Critical GitLab Vulnerabilities Enable XSS and DoS Attacks
<cite index="12-1,12-2">On May 13, 2026, GitLab rolled out emergency security updates to address multiple high-severity flaws. These bugs could allow attackers to hijack browser sessions or completely crash essential CI/CD pipelines.</cite> <cite index="12-9">Administrators must immediately upgrade their systems to versions 18.11.3, 18.10.6, or 18.9.7 to secure their infrastructure.</cite>
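Because the fix was backported to three release branches, "am I patched?" is not a single comparison: an instance is safe only if it is at or above the fixed release of its own branch, and branches older than 18.9 have no fixed release at all. The check below is an added example written for this page, not GitLab code; the fixed versions come from the advisory text above, and the treatment of branches newer than 18.11 as post-fix is an assumption that should be confirmed against the advisory for any later branch.

```python
"""Check whether a GitLab version carries the 13 May 2026 security fixes.

Added example: the fixed versions are taken from the advisory; the handling of
branches newer than 18.11 (assumed released after the fix) is an assumption.
A live instance reports its version at GET /api/v4/version (authenticated),
e.g. {"version": "18.11.2-ee", "revision": "..."}; the strings below are
constructed inputs in that format.
"""
import re

# Minimum patched release per branch; anything on 18.8 or older has no fix.
FIXED = {
    (18, 11): (18, 11, 3),
    (18, 10): (18, 10, 6),
    (18, 9): (18, 9, 7),
}

# GitLab reports e.g. "18.11.2-ee" (Enterprise) or "18.11.2-ce" (Community).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(?:ee|ce))?$")


def parse_version(s):
    """Return (major, minor, patch) for a GitLab version string."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {s!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    major, minor, patch = parse_version(version)
    fixed = FIXED.get((major, minor))
    if fixed is None:
        # Assumption: branches after 18.11 were cut after the fix landed;
        # branches before 18.9 never received a patched release.
        return (major, minor) > max(FIXED)
    return (major, minor, patch) >= fixed


def recommend(version):
    """Smallest upgrade target that closes the gap, or None if already patched.

    Stays on the running branch when that branch has a fix; otherwise the
    instance must move to the newest fixed branch.
    """
    major, minor, _ = parse_version(version)
    if is_patched(version):
        return None
    fixed = FIXED.get((major, minor)) or FIXED[max(FIXED)]
    return "%d.%d.%d" % fixed


if __name__ == "__main__":
    for v in ("18.11.2-ee", "18.11.3-ee", "18.9.6-ce", "18.8.9"):
        target = recommend(v)
        print(v, "patched" if target is None else f"upgrade to {target}")
```

Run it against the version string each instance returns; an inventory of many self-managed instances can feed the same two functions.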
GitHub Secret Scanning MCP Server Generally Available
<cite index="5-3,5-4">GitHub secret scanning in the GitHub MCP (Model Context Protocol) server is now generally available. When you use an MCP-compatible AI coding agent or IDE (like GitHub Copilot CLI or Visual Studio Code), you can scan your code for exposed secrets before you commit or open a pull request, so leaked credentials don't make it into your repository in the first place.</cite> <cite index="5-6">Secret scanning tools in the MCP server now honor your existing push protection customization, so detections and bypass behavior stay consistent with what you've already set up at the repository or organization level.</cite>
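The workflow described above, catching a credential in the staged change before it is committed and respecting an admin-maintained allow-list, can be approximated locally as a pre-commit hook. The script below is an added example written for this page; it is not the GitHub MCP server's tool, and its handful of token patterns (a GitHub PAT, an AWS access key ID, a Slack token, a PEM private key header) and its plain-value allow-list are constructed stand-ins for the far larger pattern set and the push protection customisation the real service applies. The sample diff embedded in it is constructed; the AWS value is the documented placeholder key, not a live credential.

```python
"""Pre-commit secret check over staged additions (added example, not GitHub code).

Scans only lines a commit would add, so a secret already in history is reported
by the diff that introduced it rather than on every later edit, and skips any
value on an allow-list, the local stand-in for push protection customisation.
"""
import re
import subprocess
import sys

# Constructed token shapes for a few providers; the real service validates
# many more patterns and verifies candidates against the provider.
PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Constructed sample of `git diff --cached -U0` output for the demonstration.
SAMPLE_DIFF = """diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,3 @@
 DEBUG = True
-TOKEN = None
+GITHUB_TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
"""


def scan_diff(diff_text, allowlist=frozenset()):
    """Return (path, pattern_name, value) for each secret in *added* lines.

    `allowlist` holds exact values an admin has reviewed (documented test
    fixtures, placeholder keys); matches on those are not reported.
    """
    findings = []
    path = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].removeprefix("b/")  # new-side file header
            continue
        if not line.startswith("+"):
            continue  # context and removed lines cannot introduce a leak
        for name, rx in PATTERNS.items():
            for m in rx.finditer(line[1:]):
                if m.group(0) in allowlist:
                    continue
                findings.append((path, name, m.group(0)))
    return findings


def main(allowlist=frozenset()):
    """Hook entry point: non-zero exit blocks the commit."""
    diff = subprocess.run(
        ["git", "diff", "--cached", "-U0"],
        capture_output=True, text=True, check=True,
    ).stdout
    findings = scan_diff(diff, allowlist)
    for path, kind, value in findings:
        # Print only a prefix so the hook's own output does not leak the value.
        print(f"{path}: {kind} detected ({value[:6]}...); commit blocked", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Install it as `.git/hooks/pre-commit` (or via a hook manager) and it runs on every commit; the allow-list lives with the repository so that a bypass decision is recorded once, in the same spirit as the repository-level push protection settings the MCP tools now honour.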
GitHub RCE Vulnerability Allows Repository Access
<cite index="4-8,4-9">CVE-2026-3854 is a high-severity remote code execution flaw tied to crafted git push requests, and its business meaning is bigger than the security jargon. Reports from BleepingComputer's coverage of the GitHub RCE flaw, iTnews reporting on GitHub's git push vulnerability, CSO Online's analysis of the GitHub repository exposure risk, SecurityWeek's report on CVE-2026-3854, and Dark Reading's article on the AI-assisted discovery of the bug all point to the same fact pattern.</cite> <cite index="4-13">An authenticated user with push access could have reached arbitrary code execution, and on GitHub.com that raised the possibility of access to repositories belonging to other users and organizations on affected shared storage nodes.</cite>
Azure DevOps Fixes PAT Security Gap and Adds MCP Server
<cite index="22-3,22-4,22-5">We've closed a discovered gap in Personal Access Token (PAT) behavior that allowed certain expired PATs to be altered or extended after their expiration date. Going forward, expired PATs cannot be modified or extended via either the Azure DevOps UI or PAT APIs at all in the Azure DevOps Services product. This change enforces true token lifetimes, reduces risk from leaked or forgotten credentials, and makes PAT behavior simpler and more predictable.</cite> <cite index="22-12,22-13">We're excited to introduce the Remote Azure DevOps MCP Server, now available in public preview. This hosted endpoint enables seamless integration with Azure DevOps without the need to manage a local server.</cite>
Atlassian Outage Affects Multiple Cloud Products
<cite index="31-3,31-4">On May 8, 2026, some customers utilizing Atlassian products experienced elevated error rates and degraded performance. The issue has now been resolved, and the service is operating normally for all affected customers.</cite> <cite index="31-20,31-21">Our team has implemented a mitigation for this issue and we are now seeing recovery across Atlassian products. We will continue to monitor this issue for any ongoing concerns, and provide further updates here within an hour as we are able to confirm a full recovery has taken place.</cite>
GitHub Dependabot Alerts Now Assignable to AI Agents
<cite index="3-1,3-2">Some dependency vulnerabilities require more than a version bump—they need code changes across your project.</cite> <cite index="3-12">You can now assign Dependabot alerts to AI coding agents, including Copilot, Claude, and Codex, to analyze the vulnerability and open a draft pull request with a proposed fix.</cite> <cite index="3-3,3-4,3-5">AI-generated fixes are not always correct. Coding agents can produce incomplete patches, miss edge cases, or suggest changes that introduce new issues. Always review the pull request, verify that tests pass, and confirm the fix is appropriate before merging.</cite>
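Deciding which alerts are worth an agent's (and a reviewer's) time is the part the announcement leaves to you. The triage below is an added example written for this page, not GitHub or Dependabot code: it reads alerts in the shape returned by the Dependabot alerts REST endpoint and routes to the "assign to an agent" bucket only those where a plain version bump is unavailable (no `first_patched_version`) or where the fix crosses a major version and so is likely to need code changes. The major-version heuristic and the sample alerts (package names and ranges) are constructed for the example; the package names are placeholders, not real advisories.

```python
"""Triage Dependabot alerts into version-bump fixes and agent-worthy code changes.

Added example, not GitHub code. Input is a list of alerts as returned by
  gh api repos/OWNER/REPO/dependabot/alerts --paginate
The sample below is constructed in that shape with placeholder packages.
"""
import json

SAMPLE_ALERTS = json.loads("""[
  {"number": 12, "state": "open",
   "security_advisory": {"severity": "high"},
   "security_vulnerability": {"package": {"ecosystem": "npm", "name": "left-widget"},
     "vulnerable_version_range": "< 4.17.21",
     "first_patched_version": {"identifier": "4.17.21"}}},
  {"number": 15, "state": "open",
   "security_advisory": {"severity": "critical"},
   "security_vulnerability": {"package": {"ecosystem": "pip", "name": "auth-helper"},
     "vulnerable_version_range": ">= 2.0.0, < 3.0.0",
     "first_patched_version": {"identifier": "3.0.0"}}},
  {"number": 17, "state": "open",
   "security_advisory": {"severity": "medium"},
   "security_vulnerability": {"package": {"ecosystem": "npm", "name": "tpl-render"},
     "vulnerable_version_range": "<= 1.4.2",
     "first_patched_version": null}},
  {"number": 20, "state": "dismissed",
   "security_advisory": {"severity": "low"},
   "security_vulnerability": {"package": {"ecosystem": "npm", "name": "old-logger"},
     "vulnerable_version_range": "< 0.9.1",
     "first_patched_version": {"identifier": "0.9.1"}}}
]""")

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def _parse(v):
    """'4.17.21' -> (4, 17, 21); missing components are padded with 0."""
    parts = tuple(int(p) for p in v.strip().lstrip("v").split(".")[:3])
    return (parts + (0, 0, 0))[:3]


def _max_vulnerable_major(range_expr):
    """Highest major version still inside a vulnerable_version_range.

    For an exclusive bound '< X.0.0' the highest affected major is X-1;
    for '< X.Y.Z' with Y or Z non-zero, or '<= X...', it is X.
    """
    bounds = [b.strip() for b in range_expr.split(",")]
    for b in bounds:
        if b.startswith("<="):
            return _parse(b[2:])[0]
        if b.startswith("<"):
            major, minor, patch = _parse(b[1:])
            return major - 1 if (minor, patch) == (0, 0) else major
    # Only a lower bound (e.g. '>= 2.0.0'): that major is certainly affected.
    return _parse(bounds[-1].lstrip(">= "))[0]


def needs_code_changes(alert):
    """Reason an agent should take this alert, or None if a bump suffices."""
    vuln = alert["security_vulnerability"]
    patched = vuln.get("first_patched_version")
    if not patched:
        return "no patched release"
    if _parse(patched["identifier"])[0] > _max_vulnerable_major(vuln["vulnerable_version_range"]):
        return f"fix crosses a major version ({patched['identifier']})"
    return None


def triage(alerts):
    """Return {'bump': [...], 'agent': [...]} of (number, package, severity, reason)."""
    buckets = {"bump": [], "agent": []}
    for alert in alerts:
        if alert["state"] != "open":
            continue  # dismissed / fixed alerts need no work
        vuln = alert["security_vulnerability"]
        severity = alert["security_advisory"]["severity"]
        reason = needs_code_changes(alert)
        entry = (alert["number"], vuln["package"]["name"], severity,
                 reason or f"upgrade to {vuln['first_patched_version']['identifier']}")
        buckets["agent" if reason else "bump"].append(entry)
    for entries in buckets.values():
        entries.sort(key=lambda e: (SEVERITY_RANK.get(e[2], 9), e[0]))
    return buckets


if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_ALERTS).items():
        for number, package, severity, reason in entries:
            print(f"{bucket:5} #{number:<4} {severity:8} {package}: {reason}")
```

Whatever lands in the agent bucket still gets the review the announcement calls for: the draft pull request is a proposal, and the major-version crossing that put it there is exactly the kind of change where an incomplete patch is most likely.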
GitHub CodeQL 2.25.4 Improves Security Analysis
<cite index="2-8">GitHub releases CodeQL 2.25.4 with Swift 6.3.1 support, stronger C# and Java analysis, new Vercel serverless function coverage, and broader data flow barriers to help cut false positives and improve security scanning accuracy.</cite> <cite index="2-9">We've removed false positive injection sink models for the context input of docker/build-push-action and the allowed-endpoints input of step-security/harden-runner.</cite>
Microsoft Defender for Cloud Expands DevOps Protection
<cite index="44-5,44-6,44-7">Defender for Cloud is updating its GitHub connector to request a new permission: artifact_metadata:write. This enables new capabilities that support artifact attestations - providing verifiable build provenance and strengthening your software supply chain security. The permission is narrowly scoped, aligning with least privilege principles to support faster and easier security approvals.</cite> <cite index="45-12">Streamline collaboration between development and security teams to fix security issues at the source—helping prevent vulnerabilities, misconfigurations, and secrets from reaching production with unified DevOps security across multicloud and multi-pipeline environments.</cite>