DevOps Pulse

Azure DevOps suffered a critical vulnerability, CVE-2026-42826, with CVSS 10.0 allowing unauthenticated remote data disclosure, while GitLab patched an identity resolution vulnerability in Duo AI workflows. Microsoft cancels Claude Code licenses across its E+D division by June 30, steering thousands of engineers to Copilot CLI as enterprise AI costs reshape tool budgets. Malicious npm packages now execute code before security scanners activate, with the Mini Shai-Hulud attack demonstrating preinstall hook vulnerabilities that bypass build security.

Signals: 35 · Sections: 5/5 · Threats: 10 · Fresh: 14 · Updated: 30d ago

DevOps Platform Updates

scanned 31d ago · 8

Latest announcements and changes from GitHub, GitLab, Azure DevOps, Bitbucket, and Atlassian.

GitLab Duo AI Identity Resolution Vulnerability

GitLab patched a vulnerability allowing authenticated users to trigger Duo AI workflows under another user's identity due to improper user identity resolution. This affects Duo AI workflow runners across GitLab instances and poses significant risk for AI-driven development environments where identity confusion could compromise secure code review and automated processes.

gitlab · GitLab Docs · 27 May · NEW

Azure DevOps Critical Information Disclosure Vulnerability

Microsoft's May 2026 Patch Tuesday includes CVE-2026-42826, a critical vulnerability in Azure DevOps with CVSS score 10.0 allowing unauthenticated remote attackers to disclose sensitive information. This represents maximum severity for DevOps data protection as it could expose code repositories, pipeline secrets, and project configurations without authentication.

azure-devops · CrowdStrike · 14 May · Recent

GitHub Security Lab Taskflow Agent Release

GitHub released the Security Lab Taskflow Agent, an open-source AI-powered framework for automated vulnerability discovery. The agent excels at finding authentication bypasses, IDORs, and token leaks in Actions and JavaScript projects, representing a significant advancement in AI-assisted security research and positioning GitHub ahead in the AI security convergence space.

github · GitHub Blog · 26 May · Recent

NHS Closes Public GitHub Repositories Over AI Security

The UK's National Health Service ordered all technology leaders to convert public GitHub repositories to private by May 11, 2026, citing risks from advanced AI models like Anthropic's Mythos that can perform large-scale code ingestion and inference. This demonstrates growing enterprise concern about AI-powered code analysis threatening organizational security.

github · The Register · 5 May · Recent

GitLab 19.0 Adds Duo Agent Platform Network Controls

GitLab 19.0 introduces centralized network policies for Duo Agent Platform remote flows, allowing administrators to configure organization-wide domain denylists and allowlists. This enables consistent governance for AI agent network egress across all remote flows, addressing security team concerns about autonomous AI system network access in enterprise environments.

gitlab · GitLab Docs · 21 May · Recent

Atlassian May Security Bulletin Addresses 42 Vulnerabilities

Atlassian's May 19, 2026 security bulletin includes 39 high-severity vulnerabilities and 3 critical-severity third-party vulnerabilities fixed across Jira, Confluence, and Bitbucket Data Center products. While assessed as non-critical risk, the volume suggests ongoing security maintenance needs for organizations using Atlassian's DevOps toolchain.

confluence · Atlassian Security · 19 May · Recent

Bitbucket OAuth 1.0 Deprecation Complete

Bitbucket Cloud completed full deprecation of OAuth 1.0 and implicit grant flows on March 14, 2026, after controlled brownouts. All teams must migrate to OAuth 2.0 for continued API access. This authentication modernization improves security but requires immediate attention for any legacy integrations or automation tools still using deprecated flows.

bitbucket · Bitbucket Changelog · 15 May · Recent

GitHub Actions 2026 Security Roadmap for Agentic Workflows

GitHub published its Actions 2026 security roadmap focusing on agentic and automation-heavy setups, emphasizing explicit mutation boundaries between observation and high-impact actions. The roadmap addresses execution protections, richer security signals, and better audit streams to answer 'what authority became reachable, and under what conditions' for AI-driven workflows.

github · GitHub Community · 10 May