A critical vulnerability in a popular Microsoft GitHub repository could allow a threat actor to easily exploit its CI/CD infrastructure to run arbitrary code in the repository and gain access to secrets, according to researchers with cybersecurity firm Tenable. In an advisory issued April 21, Rémy Marot, staff research engineer at Tenable, wrote that “by exploiting this vulnerability, an attacker with an unprivileged GitHub account could exfiltrate secrets available to the workflow run and perform unauthorized operations on the target GitHub repository.” The security flaw can be easily exploited, and illustrates the growing security risks as CI/CD pipelines play an increasingly central role in the software development field, according to Marot. He found that the Microsoft GitHub repository was using a vulnerable GitHub workflow that allowed any GitHub user to set off remote code execution (RCE) in the GitHub runner. Through this, the bad actor could gain access to a token that l...
Agentic AI is rapidly entering DevOps pipelines, platform engineering platforms and cloud-native infrastructure. DevOps Experience 2026 brings the community together to decide which tools matter, how they should be governed and what comes next. The DevOps ecosystem is entering one of its most consequential transitions since the rise of CI/CD. Across the industry, vendors are racing to introduce agentic AI systems designed to automate DevOps workflows. These systems promise to assist with everything from pipeline orchestration and incident response to infrastructure management and security remediation. The promise is compelling: faster delivery, less operational toil and smarter automation. But alongside that promise comes a new set of questions DevOps teams are now actively trying to answer. Which agentic AI tools should we trust in our pipelines? What decisions should those agents actually be allowed to make? How do we monitor and govern systems that can operate autonomousl...