Posts

Showing posts from April, 2026

Critical Microsoft GitHub Flaw Highlights Dangers to CI/CD Pipelines: Tenable

A critical vulnerability in a popular Microsoft GitHub repository could allow a threat actor to easily exploit its CI/CD infrastructure to run arbitrary code in the repository and gain access to secrets, according to researchers with cybersecurity firm Tenable. In an advisory issued April 21, Rémy Marot, staff research engineer at Tenable, wrote that “by exploiting this vulnerability, an attacker with an unprivileged GitHub account could exfiltrate secrets available to the workflow run and perform unauthorized operations on the target GitHub repository.” The security flaw can be easily exploited, and illustrates the growing security risks as CI/CD pipelines play an increasingly central role in the software development field, according to Marot. He found that the Microsoft GitHub repository was using a vulnerable GitHub workflow that allowed any GitHub user to set off remote code execution (RCE) in the GitHub runner. Through this, the bad actor could gain access to a token that l...

DevOps Experience 2026: The DevOps Community Confronts the Agentic AI Race

Agentic AI is rapidly entering DevOps pipelines, platform engineering platforms and cloud-native infrastructure. DevOps Experience 2026 brings the community together to decide which tools matter, how they should be governed and what comes next. The DevOps ecosystem is entering one of its most consequential transitions since the rise of CI/CD. Across the industry, vendors are racing to introduce agentic AI systems designed to automate DevOps workflows. These systems promise to assist with everything from pipeline orchestration and incident response to infrastructure management and security remediation. The promise is compelling: faster delivery, less operational toil and smarter automation. But alongside that promise comes a new set of questions DevOps teams are now actively trying to answer. Which agentic AI tools should we trust in our pipelines? What decisions should those agents actually be allowed to make? How do we monitor and govern systems that can operate autonomousl...

Eclipse Foundation Unfurls Managed VSX Registry Service

The Eclipse Foundation today announced it will make a managed instance of the Open VSX Registry available to industry partners for a fee. Thabang Mashologu, chief marketing officer and head of products at the Eclipse Foundation, said the Open VSX Managed Registry provides an economically sustainable approach to providing access to a registry that is now widely invoked within application development workflows that incorporate tools based on open source VS Code. Initial customers of the Open VSX Managed Registry include Amazon Web Services (AWS), Google, and Cursor, which will continue to incorporate the registry in the services they provide to application developers. That approach provides a means to support application development teams using those tools without requiring them to sign up for an additional service provided by the Eclipse Foundation. The registry maintained by the Eclipse Foundation has been consuming significant infrastructure resources as more AI coding to...

Grafana Labs Extends Observability Reach Deeper Into AI

Grafana Labs today at its GrafanaCON 2026 conference revealed it has extended its artificial intelligence (AI) agent to its cloud-based observability platform while at the same time previewing a platform for observing AI applications and an open source framework for evaluating AI agents. At the same time, the company announced it has developed a distribution of the OpenTelemetry tools for collecting telemetry data that, in addition to improving support for Kubernetes clusters, can be installed with a single command in Linux environments. The company also unfurled Grafana 13, an update to its core visualization software that adds pre-built and suggested dashboards that dynamically adapt to different use cases, layout templates, guided onboarding to reduce setup time, improved programmability through a redesigned dashboard schema, an updated application programming interface (API) for managing dashboards at scale, and support for Git-based workflows, team folders, ...

Ten Great DevOps Job Opportunities

DevOps.com is now providing a weekly DevOps jobs report through which opportunities for DevOps professionals will be highlighted as part of an effort to better serve our audience. Our goal in these challenging economic times is to make it just that much easier for DevOps professionals to advance their careers. Of course, the pool of available DevOps talent is still relatively constrained, so when one DevOps professional takes on a new role, it tends to create opportunities for others. The 10 job postings shared this week are selected based on the company looking to hire, the vertical industry segment and naturally, the pay scale being offered. We're also committed to providing additional insights into the state of the DevOps job market. In the meantime, for your consideration.

Dice
Johnson & Johnson, Santa Clara, California, DevOps Engineer, $106,000 to $170,200
McKesson Corporation, Atlanta, Georgia, DevOps Engineer, $101,000 to $168,400
Booz Allen Hamilton, Huntsville, ...

Can Claude Agents Replace DevOps Teams? A Practical Reality Check 

A deployment goes out late at night. Everything seems fine at first. The dashboards are green, there are no alerts, and the release looks clean. A few hours later, the latency starts to increase. Nothing is critical. No alerts go off. By the time users notice, the system is already stressed. In a typical case, someone gets paged, checks the logs, reviews recent changes, and the team starts to connect the dots manually. It works, but it is slow and reactive. Now think of a different setup. The same pattern starts. Instead of waiting for things to break, an AI agent notices something is off. It connects it with a deployment, finds a likely cause, and takes action before users feel the impact. This is where modern DevOps is headed. With the rise of tools like Claude agents, the conversation is shifting from automation to autonomy. The question is no longer if AI can help DevOps. The question is whether it can take over a lot of it.

From Defined Pipelines to Adaptive Systems ...

The Open Source Trap: Why Trust Isn’t a Security Strategy

The XZ Utils backdoor was a wake-up call, but the underlying problem it exposed has not gone away. Sophisticated adversaries are playing the long game, spending months or years earning trust within open source projects before introducing malicious code into libraries that sit at the foundation of modern software infrastructure. Mike Vizard and Josh Bressers, VP of security at Anchore, dig into why the software supply chain remains dangerously vulnerable and what the industry is getting wrong in its response. Bressers points out that the vast majority of open source projects are maintained by a single person or a very small group of volunteers. These maintainers are often overworked and under-resourced, managing critical dependencies that thousands of organizations rely on in production. When an attacker targets one of these projects, the maintainer is the entire security perimeter. No amount of scanning or compliance tooling downstream can fully compensate for a compromise that h...

Lightrun: IT is in the Dark Over Coding Assistant Runtime Visibility 

Software runs, but sometimes it doesn't… and that's often down to a lack of runtime visibility in relation to platform engineering teams being able to trust coding assistants and AI-powered site reliability engineering (SRE) services. It's an assertion made by software reliability company Lightrun, in its State of AI-Powered Engineering Report 2026, based on an independent poll of 200 SREs and DevOps leaders at enterprises in the U.S., UK and EU. "To keep pace with AI-driven velocity, we can no longer rely on reactive observability. We must shift runtime visibility left, giving AI tools and agents the live execution data they need to validate code before it ever fails in production," said Lightrun CEO, Ilan Peleg.

Runtime Visibility Fragility

Peleg and team say that until AI-powered engineering tools have live visibility of how code behaves at runtime, they cannot be trusted to autonomously ensure reliable systems. But why is runtime visibility so flaky? One of the m...

Why Techstrong is Heading to Prague for SUSECON: Sovereignty, Open Infrastructure and the Future of AI

Every tech conference likes to say it is about the future. Most of them are really about product launches, roadmaps and a little carefully managed optimism. SUSECON feels different this year. Part of that is timing. Part of it is geography. And part of it is that SUSE happens to sit right in the middle of several conversations that are becoming more urgent by the day. The event runs April 20 through 23 in Prague, with more than 100 breakout sessions covering Linux, cloud native infrastructure, edge computing, AI, observability and digital sovereignty, along with keynotes, hands-on labs, certification exams and community gatherings. That is the official agenda. The real story sits just beneath it. The deeper conversation is about control. For a long time, sovereignty sounded like the kind of topic that lived mostly in policy papers or conference panels in Brussels. It did not always feel con...

Waydev Adds Ability to Track How Much AI Code Winds Up in Production

Waydev today revealed it has revamped its engineering intelligence platform to provide insights into how the adoption of artificial intelligence (AI) coding tools is impacting DevOps workflows. Company CEO Alex Circei said the overall goal is to make it easier for the leaders of software engineering teams to determine the return on investment (ROI) their AI coding tools are actually providing. While there is little doubt that AI tools are capable of generating code faster than humans, the percentage of that code making it into production environments is often unknown. DevOps engineers need to understand where AI code is being accepted, rejected or rewritten, and whether AI-assisted pull requests pass CI at the same rate as those authored by a human. The Waydev platform now captures, at every checkpoint in a DevOps workflow, which AI agent wrote the code across all commits, repositories, teams, and tools, along with insights into usage costs. A Waydev AI agent then provides a natur...

GitHub Introduces Stacked PRs to Ease Review Bottlenecks

GitHub's new Stacked Pull Requests feature restructures how developers submit and review changes by allowing large code updates to be broken into smaller, interdependent units. With Stacked PRs, each unit can be reviewed and merged individually while still contributing to the overall feature set. The approach helps developers shift away from monolithic pull requests, which have become increasingly difficult to manage as development continues to move faster. The release of Stacked PRs is a response to the rise of AI-assisted coding tools, which have greatly increased the volume and scale of code submissions, placing new pressure on review workflows. While large pull requests spanning dozens of files used to be merely inconvenient, they are now sometimes a systemic issue. There is a widening gap between code generation and code review, with reviewers dealing with reduced visibility and slower turnaround times. With the layered workflow of Stacked PRs, developers can sequence related...

FinOps Isn’t Slowing You Down — It’s Fixing Your Pipeline 

If you work in DevOps, you've probably had this experience:

You ship something. It works. Performance looks good. Deployment is clean.

A few weeks later, someone from finance shows up asking why costs spiked 30%.

Now you're digging through logs, trying to reconstruct decisions you made weeks ago, in a completely different context.

That's not a FinOps problem.

That's a workflow problem.

The Real Issue: Cost Lives Outside the Pipeline

Most DevOps teams have spent years tightening feedback loops:

Code quality → caught in PRs
Security → caught in CI
Performance → caught in testing

Cost is the outlier.

It typically shows up:

After deployment
In a separate dashboard
Owned by a different team

Which means it's not actionable when it matters.

You can't fix what you can't see *in context*.

Why DevOps Teams End Up Owning Cloud Cost Anyway ...