DevOps Platform Updates
Latest announcements and changes from GitHub, GitLab, Azure DevOps, Bitbucket, and Atlassian.
GitHub Actions 2026 Security Roadmap
<cite index="5-12,5-17">GitHub announced its 2026 Actions security roadmap, shifting the platform toward secure-by-default, verifiable automation with deterministic dependency locking and centralized policy controls.</cite> <cite index="5-27,5-39">The roadmap includes a dependencies section for workflow YAML that locks all dependencies with commit SHAs, and centralized policies that control actor rules and event permissions.</cite> <cite index="7-1,7-25">This makes CI/CD security more explicit, policy-driven, and infrastructure-aware with deterministic workflow dependencies and tighter secret scoping.</cite>
GitHub Advanced Security Hard Budget Limits
<cite index="2-13,2-18">GitHub introduced hard budget limits for GitHub Advanced Security (GHAS) SKUs, allowing enterprise administrators to set license count caps that prevent new assignments once reached.</cite> <cite index="2-19,2-21">The feature provides real-time license-to-cost estimates and maintains email notifications at 75%, 90%, and 100% thresholds alongside hard limits.</cite> <cite index="2-22">Organizations can allocate license budgets scoped to cost centers and limit spending for assigned organizations.</cite>
GitHub Enterprise Server Critical Vulnerabilities
<cite index="3-23,3-24">GitHub patched CVE-2026-3854, a high-severity vulnerability in which attackers with push access could execute arbitrary code by injecting malicious values into Git push options.</cite> <cite index="3-14,3-15">Another high-severity issue, CVE-2026-8606, was a Server-Side Request Forgery (SSRF) vulnerability in the Packages URL endpoint that could be exploited without authentication when private mode was disabled.</cite> <cite index="3-9,3-10">GitHub also revoked the signing key for GHES release packages, so administrators must rotate the trusted GPG public key before applying subsequent patches; packages signed with the new key will not verify against the old one.</cite>
GitLab High-Severity WebSocket Vulnerability
<cite index="15-6,15-7">GitLab released a security update addressing CVE-2026-5173, a high-severity vulnerability in websocket connections that could allow authenticated attackers to bypass access controls and invoke unintended server-side methods.</cite> <cite index="15-8">The vulnerability has a CVSS score of 8.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N), representing a serious risk to affected environments.</cite> <cite index="15-17,15-18">GitLab.com and GitLab Dedicated services are already protected, and the update resolves a total of twelve vulnerabilities ranging from high to low severity.</cite>
GitLab Secrets Manager and Security Manager Role
<cite index="11-3,11-6">GitLab 19.0 introduced Secrets Manager for managing CI/CD credentials inside GitLab and enhanced security configuration profiles for faster scanner rollouts.</cite> <cite index="12-20,12-21">A new Security Manager role is available as a beta feature, providing permissions designed specifically for security professionals without requiring the Developer or Maintainer role.</cite> <cite index="12-22,12-26">The Security Manager role includes vulnerability management, security inventory access, configuration profiles, compliance tools, and secret push protection capabilities.</cite>
Bitbucket App Passwords Deprecated
<cite index="42-1,42-2">Bitbucket Cloud will fully deprecate app passwords on July 28, 2026, with controlled brownouts starting June 9, 2026 to help identify and migrate remaining usage.</cite> <cite index="44-4,44-8">The transition to API tokens provides more secure authentication, increased admin flexibility, and additional expiry controls, with Atlassian recommending immediate migration.</cite> <cite index="44-26,44-28">After June 9, 2026, Bitbucket will no longer allow creation of new app passwords, and all integrations must switch to API tokens to authenticate.</cite>
Atlassian Security Bulletin Critical Vulnerabilities
<cite index="35-3,35-7">Atlassian's May 19, 2026 security bulletin reported 39 high-severity vulnerabilities and 3 critical-severity third-party vulnerabilities fixed in new product versions.</cite> <cite index="39-6,39-7">CVE-2025-64756 is a high-severity OS Command Injection vulnerability affecting Confluence Data Center and Server that allows authenticated attackers to execute arbitrary commands on the target system.</cite> <cite index="39-8">Recommended upgrades include Jira Data Center and Server 11.3.3 (LTS) and 10.3.18 (LTS) for Data Center Only deployments.</cite>
Azure DevOps Server Security Patches Released
<cite index="27-29,27-33">Microsoft released multiple patches for Azure DevOps Server, including fixes for high-volume TF400734 errors, null reference exceptions during pull request completion, and a sign-out flow that could be abused to redirect users to a malicious destination.</cite> <cite index="28-1,28-2">Microsoft strongly recommends that all customers stay up to date with the latest, most secure version of Azure DevOps Server.</cite> <cite index="30-10,30-11">Separately, a supply chain attack on March 31, 2026 involving malicious Axios library versions 1.14.1 and 0.30.4 highlighted ongoing security risks in the JavaScript ecosystem.</cite>
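Because a compromised release is a specific version rather than a vulnerable range, the first practical check after an event like the Axios one is whether any copy of those exact versions is locked into a project, including transitive copies nested under other packages. The script below is an added example, not Microsoft's, npm's or the Axios project's code: it walks an npm `package-lock.json` (lockfile versions 1 through 3) for the two versions named above. The lockfile it scans is constructed, and the version list should come from the actual advisory rather than being hard-coded as here.

```python
import json
import sys
from typing import Dict, List, Set, Tuple

# Versions taken from the text above; in practice load this from the advisory.
COMPROMISED: Dict[str, Set[str]] = {"axios": {"1.14.1", "0.30.4"}}


def _package_name(install_path: str) -> str:
    # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
    return install_path.rsplit("node_modules/", 1)[-1]


def _walk_v1(deps: dict, prefix: str, hits: List[Tuple[str, str]]) -> None:
    # lockfileVersion 1 nests each package's transitive dependencies under it.
    for name, meta in deps.items():
        path = f"{prefix}node_modules/{name}"
        version = meta.get("version", "")
        if version in COMPROMISED.get(name, set()):
            hits.append((path, version))
        _walk_v1(meta.get("dependencies", {}), path + "/", hits)


def find_compromised(lock: dict) -> List[Tuple[str, str]]:
    """Return (install path, version) for every compromised package pinned in the lockfile."""
    hits: List[Tuple[str, str]] = []
    packages = lock.get("packages")
    if packages:
        # lockfileVersion 2 and 3 carry a flat map keyed by install path.
        for path, meta in packages.items():
            if not path:
                continue  # "" is the root project entry, not a dependency
            version = meta.get("version", "")
            if version in COMPROMISED.get(_package_name(path), set()):
                hits.append((path, version))
    else:
        _walk_v1(lock.get("dependencies", {}), "", hits)
    return sorted(hits)


# Constructed sample lockfile: one direct axios and one nested under another package.
SAMPLE_LOCK = json.loads("""
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "dependencies": {"axios": "^1.14.0", "legacy-client": "2.0.0"}},
    "node_modules/axios": {"version": "1.14.1"},
    "node_modules/legacy-client": {"version": "2.0.0", "dependencies": {"axios": "0.30.4"}},
    "node_modules/legacy-client/node_modules/axios": {"version": "0.30.4"},
    "node_modules/follow-redirects": {"version": "1.15.6"}
  }
}
""")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    for path, version in find_compromised(lock):
        print(f"{path} is at compromised version {version}")
```

A lockfile check only tells you what a fresh `npm ci` would install; anything already present in `node_modules`, in a CI cache, or baked into a container image needs to be inspected separately, and a hit should be treated as a potential execution of the malicious install-time code, not just as a version to bump.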