DevOps Platform Updates
Latest announcements and changes from GitHub, GitLab, Azure DevOps, Bitbucket, and Atlassian.
GitLab Critical Security Vulnerabilities Enable XSS and DoS Attacks
<cite index="12-1,12-8,12-9">On May 13, 2026, GitLab rolled out emergency security updates to address multiple high-severity flaws affecting self-managed Community and Enterprise Edition servers. Administrators must immediately upgrade to versions 18.11.3, 18.10.6, or 18.9.7 to secure their infrastructure.</cite> <cite index="12-3,12-4,12-5">CVE-2026-1659 and CVE-2025-14870 require no authentication and allow attackers to overwhelm CI/CD systems, paralyzing development teams' ability to push updates and manage workflows.</cite>
GitHub Actions 2026 Security Roadmap Introduces Deterministic Dependencies
<cite index="10-17,10-18,10-28">The 2026 GitHub Actions roadmap responds directly to supply chain attacks by introducing deterministic dependencies with commit SHA locks for all direct and transitive dependencies, similar to Go's go.mod + go.sum but for workflows.</cite> <cite index="10-29,10-30,10-31">This ensures deterministic runs where every workflow executes exactly what was reviewed, with dependency changes showing up as diffs in pull requests and hash mismatches stopping execution before jobs run.</cite>
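The SHA-lock approach described above is a roadmap item; until it lands, the equivalent control is to audit each workflow's direct `uses:` references yourself. The following is an added example (not GitHub's tooling and not from the announcement) that scans a workflow file and reports every action, reusable workflow or container reference that is not pinned to a full 40-character commit SHA or image digest. The workflow text and the SHA in it are constructed placeholders; the check covers only direct references, not the transitive dependencies the roadmap also locks.

```python
"""Report unpinned `uses:` references in a GitHub Actions workflow.

Added example, not GitHub's own code. Only direct references are checked;
transitive dependencies of composite/reusable actions are out of scope.
"""
import re

# `- uses: owner/repo[/path]@ref`, with optional quotes and trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - name: shared lint
        uses: example-org/shared-workflows/.github/workflows/lint.yml@main
"""


def classify_reference(ref: str) -> str:
    """Return 'sha', 'docker-digest', 'local', 'unpinned' or 'docker-unpinned'."""
    if ref.startswith("./"):
        return "local"  # lives in this repo, reviewed with the same PR
    if ref.startswith("docker://"):
        return "docker-digest" if "@sha256:" in ref else "docker-unpinned"
    if "@" not in ref:
        return "unpinned"  # implicit default branch
    _, version = ref.rsplit("@", 1)
    return "sha" if FULL_SHA_RE.match(version) else "unpinned"


def find_unpinned(workflow_text: str) -> list[str]:
    """All references that a tag or branch move could silently change."""
    return [
        m.group(1)
        for m in USES_RE.finditer(workflow_text)
        if classify_reference(m.group(1)) in ("unpinned", "docker-unpinned")
    ]


if __name__ == "__main__":
    for ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"unpinned: {ref}")
```

A tag such as `v4` or a branch such as `main` is a mutable pointer, so the check treats both the same way; only a full commit SHA (or an image digest for `docker://`) gives the "runs exactly what was reviewed" property the roadmap targets.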
GitHub Secret Scanning with MCP Server Now Generally Available
<cite index="1-1,1-4">GitHub's secret scanning with MCP Server became generally available after a public preview that began in March 2026; it honors existing push protection customization, so detection and bypass behavior stay consistent.</cite> <cite index="1-9,1-10">Developers can now ask agents to scan current changes for exposed secrets before committing, for example by scanning staged files and showing the specific lines to update.</cite>
Azure DevOps Fixes Expired PAT Extension Vulnerability
<cite index="22-3,22-4,22-5">Azure DevOps closed a discovered gap in Personal Access Token (PAT) behavior that allowed expired PATs to be altered or extended after expiration. Going forward, expired PATs cannot be modified via UI or APIs, enforcing true token lifetimes and reducing risk from leaked credentials.</cite> <cite index="22-6">This change helps customers meet internal security and compliance expectations by ensuring credentials cannot silently persist beyond their intended lifetime.</cite>
Atlassian Backup Manager API Deprecated, Replacement Paywalled
<cite index="41-1,42-1,42-3">On March 30, 2026, Atlassian deprecated the Jira Cloud Backup Manager API, the only way to automate project backups on the Standard plan, with the replacement available only on Premium and Enterprise plans.</cite> <cite index="41-18">The new solution offers a self-serve UI, public APIs, support for more products, and improved scalability, but it changes backup limits, automation options, and access permissions.</cite>
Azure DevOps Remote MCP Server Public Preview
<cite index="22-12,22-13,22-14">Azure DevOps introduced the Remote MCP Server in public preview, enabling seamless integration without managing a local server. Support is currently available in Visual Studio and Visual Studio Code, with Microsoft Foundry and Copilot Studio coming soon.</cite> <cite index="22-15,22-16">Getting started requires only adding server information to mcp.json configuration.</cite>
GitLab Duo AI False Positive Detection for SAST
<cite index="11-4,11-5,11-6,11-7">When SAST security scans run, GitLab Duo automatically analyzes each vulnerability to estimate how likely it is to be a false positive, providing confidence scores, contextual reasoning about the finding, and visual indicators in vulnerability reports.</cite> <cite index="11-9,11-10">The results are AI-generated and still require review by a security professional; the feature requires GitLab Duo with an active subscription.</cite>
GitHub Security Tab Renamed to Security & Quality
<cite index="8-1,8-3,8-4">The top-level Security tab across repositories, organizations, and enterprises has been renamed to Security & quality, restructuring navigation so that code quality findings sit alongside security alerts for easier triage.</cite> <cite index="8-9,8-10,8-21">All existing URLs and API endpoints remain unchanged; this navigation update lays the groundwork for the upcoming general availability of GitHub Code Quality.</cite>