DevOps Platform Updates
Latest announcements and changes from GitHub, GitLab, Azure DevOps, Bitbucket, and Atlassian.
GitHub Actions 2026 Security Roadmap
GitHub released its 2026 Actions security roadmap to address recent supply chain incidents and make secure behavior the default. The roadmap introduces dependency locking, workflow execution protections, and an egress firewall for GitHub-hosted runners. This shift toward secure-by-default automation responds directly to attacks targeting CI/CD systems, without requiring teams to rebuild their entire CI/CD model.
Atlassian AI Data Training Policy Change
Starting August 17, 2026, Atlassian will use data from Jira, Confluence, and other cloud products to train AI offerings including Rovo and Rovo Dev, affecting approximately 300,000 customers. Every customer on every plan can turn off in-app data collection, but metadata opt-out is limited to Enterprise customers. All customers should go to Administration → Security → Data contribution and disable in-app data collection before August 17.
GitLab 19.0 Adds AI Workflows and Secrets Management
GitLab 19.0 was released with expanded secrets management, agentic merge request workflows, and new security capabilities including dependency scanning with SBOM for Ultimate tier users. The platform now runs agents on four additional open source models for air-gapped or regulated environments that cannot send source code to external APIs. The release addresses the AI paradox: AI made code generation faster but didn't make the generated code easier to trust or secure at scale.
Azure DevOps GitHub Advanced Security Standalone Products
Azure DevOps now offers GitHub Secret Protection and GitHub Code Security as standalone products: Secret Protection provides secret scanning and push protection, while Code Security provides dependency scanning and code scanning. A new organization-level policy in public preview restricts personal access token creation to help reduce token sprawl and improve security. Two new Microsoft Entra OAuth scopes for PAT lifecycle management replace the broad user_impersonation scope, enabling app owners to reduce the permissions they request.
Critical CVE-2026-42826 in Azure DevOps
CVE-2026-42826 is a Critical information disclosure vulnerability affecting Azure DevOps with a CVSS score of 10, allowing unauthenticated remote attackers to disclose sensitive information over a network. The May 2026 Microsoft security updates impact Azure DevOps along with other enterprise services, with successful exploitation potentially allowing remote code execution and privilege escalation. Infrastructure teams should urgently apply patches, as rapid patching remains the most effective method for reducing exploitation risk.
Atlassian Security Bulletin May 2026
Atlassian's May 19, 2026 Security Bulletin reports 39 high-severity vulnerabilities and 3 critical-severity third-party vulnerabilities fixed in recent product releases. A notable issue is CVE-2025-64756, a high-severity OS Command Injection vulnerability affecting Confluence Data Center and Server that allows authenticated attackers to execute arbitrary commands. Atlassian recommends upgrading to the latest versions as listed in the vulnerability release notes.
GitHub npm Supply Chain Security Updates
GitHub shipped npm supply-chain security updates with staged publishing now generally available and new install source controls, requiring a maintainer to explicitly approve packages before they become installable. Starting in npm 11.15.0, new --allow-file, --allow-remote, and --allow-directory flags complement the existing --allow-git flag to give teams control over non-registry install sources. The --allow-git flag will change its default from 'all' to 'none' in CLI v12, so teams that want the stricter behavior today must opt into it explicitly.
DevOps Threats Report 2026 Highlights
The DevOps Threats Unwrapped Report 2026 concludes that trusted Git hosting platforms became a playground for cybercriminals in 2025. The report highlights 2024 as a wake-up call, with the CrowdStrike-Microsoft incident causing $5.4 billion in damages and affecting 8.5 million Windows devices worldwide. GitHub, GitLab, Atlassian, and Microsoft all inform customers that backing up DevOps data is the customer's responsibility, but the report finds that users need greater education on their security obligations.