DevOps Pulse

GitHub secured CI/CD pipelines with 2026 Actions roadmap

The roadmap features deterministic dependency locking and centralized policies, while GitLab patched high-severity WebSocket vulnerabilities (CVSS 8.5). GitProtect dominated the DevOps backup coverage comparison against Keepit and Rewind with superior GitHub Actions workflows and LFS support, positioning itself as Veeam's most direct threat. DORA enforcement accelerated across the EU, with the first NIS2 penalties issued and a 9-month compliance deadline approaching, creating urgent demand for automated DevOps backup solutions.


DevOps Platform Updates


Latest announcements and changes from GitHub, GitLab, Azure DevOps, Bitbucket, and Atlassian.

GitHub Actions 2026 Security Roadmap

GitHub announced its 2026 Actions security roadmap, shifting the platform toward secure-by-default, verifiable automation with deterministic dependency locking and centralized policy controls. The roadmap includes a dependencies section for workflow YAML that locks all dependencies with commit SHAs, and centralized policies that control actor rules and event permissions. This makes CI/CD security more explicit, policy-driven, and infrastructure-aware with deterministic workflow dependencies and tighter secret scoping.

github · GitHub Blog · 30 Mar

GitHub Advanced Security Hard Budget Limits

GitHub introduced hard budget limits for GitHub Advanced Security (GHAS) SKUs, allowing enterprise administrators to set license count caps that prevent new assignments once reached. The feature provides real-time license-to-cost estimates and maintains email notifications at 75%, 90%, and 100% thresholds alongside hard limits. Organizations can allocate license budgets scoped to cost centers and limit spending for assigned organizations.

github · Releasebot · 1 Jun · NEW

GitHub Enterprise Server Critical Vulnerabilities

GitHub patched CVE-2026-3854, a high-severity vulnerability where attackers with push access could execute arbitrary code by injecting malicious values into Git push options. Another high-severity issue, CVE-2026-8606, involved a Server-Side Request Forgery (SSRF) vulnerability in the Packages URL endpoint that could be exploited without authentication when private mode was disabled. GitHub also revoked the signing key for GHES release packages and requires administrators to rotate GPG public keys before updating to new patches.

github · GitHub Enterprise Server Docs · 13 Mar

GitLab High-Severity WebSocket Vulnerability

GitLab released a security update addressing CVE-2026-5173, a high-severity vulnerability in websocket connections that could allow authenticated attackers to bypass access controls and invoke unintended server-side methods. The vulnerability has a CVSS score of 8.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N), representing a serious risk to affected environments. GitLab.com and GitLab Dedicated services are already protected, and the update resolves a total of twelve vulnerabilities ranging from high to low severity.

gitlab · The Cyber Express · 10 Apr

GitLab Secrets Manager and Security Manager Role

GitLab 19.0 introduced Secrets Manager for managing CI/CD credentials inside GitLab and enhanced security configuration profiles for faster scanner rollouts. A new Security Manager role is available as a beta feature, providing permissions designed specifically for security professionals without requiring Developer or Maintainer roles. Security Manager role includes vulnerability management, security inventory access, configuration profiles, compliance tools, and secret push protection capabilities.

gitlab · GitLab Releases · 21 May · Recent

Bitbucket App Passwords Deprecated

Bitbucket Cloud will fully deprecate app passwords on July 28, 2026, with controlled brownouts starting June 9, 2026 to help identify and migrate remaining usage. The transition to API tokens provides more secure authentication, increased admin flexibility, and additional expiry controls, with Atlassian recommending immediate migration. After June 9, 2026, Bitbucket will no longer allow creation of new app passwords, and all integrations must switch to API tokens to authenticate.

bitbucket · Bitbucket Cloud Changelog · 10 Jun

Atlassian Security Bulletin Critical Vulnerabilities

Atlassian's May 19, 2026 security bulletin reported 39 high-severity vulnerabilities and 3 critical-severity third-party vulnerabilities fixed in new product versions. CVE-2025-64756 is a high-severity OS Command Injection vulnerability affecting Confluence Data Center and Server that allows authenticated attackers to execute arbitrary commands on the target system. Recommended upgrades include Jira Data Center and Server 11.3.3 (LTS) and 10.3.18 (LTS) for Data Center Only deployments.

confluence · Atlassian Security Bulletins · 19 May · Recent

Azure DevOps Server Security Patches Released

Microsoft released multiple patches for Azure DevOps Server, including fixes for high-volume TF400734 errors, null reference exceptions during pull request completion, and malicious redirect prevention during sign out. Microsoft strongly recommends that all customers stay up to date with the latest, most secure version of Azure DevOps Server. A supply chain attack on March 31, 2026 involving malicious Axios library versions 1.14.1 and 0.30.4 highlighted ongoing security risks in the JavaScript ecosystem.

azure-devops · Azure DevOps Blog · 14 Apr