Your trusted scanner was the attack vector
Trivy Supply-Chain Attack: Rotate All CI/CD Secrets from March 19–23
- Attackers hijacked Trivy's mutable GitHub Actions tags during March 19–23, 2026, giving any pipeline that ran the scanner in that window full credential-exfiltration exposure — GitHub tokens, cloud keys, registry passwords, and Kubernetes tokens were all in scope, per a detailed incident breakdown. Workflow YAML files appeared unchanged; only the underlying code was malicious.
- A European Commission cloud environment was compromised via this vector, attributed by CERT-EU. StepSecurity documented the malicious v0.69.4 release timeline — the identical root cause as the 2025 tj-actions breach (pinning to tags instead of immutable commit SHAs): tag mutability lets attackers swap code without touching a single workflow file.
GitHub Actions: 50-Rerun Hard Ceiling; Endor Labs Catches Imposter Commits
- GitHub Actions now hard-caps reruns at 50 per workflow run, covering both full reruns and partial job reruns; exceeding it produces a failed check suite with an annotation rather than silent degradation. The cap is a direct response to retry automations that were generating hundreds of reruns per workflow and loading the platform.
- Teams using flaky-test retry bots or automated rerun scripts need to audit their tooling now — this surfaces as a pipeline failure, not a warning.
- Endor Labs now raises a critical finding when a pinned commit SHA cannot be verified in the action's upstream GitHub repository, catching the attack vector where an attacker reuses a SHA that doesn't exist in the claimed source. SHA pinning proves immutability; this adds the provenance verification it was missing.
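The two checks described above, as an added example (not code from Trivy, StepSecurity, Endor Labs or GitHub): scan a workflow for `uses:` references, flag mutable tag or branch pins, and flag SHA pins that are absent from the upstream repository's commit list. The workflow text, the example-org action and the SHAs are constructed placeholders, and `KNOWN_UPSTREAM_COMMITS` stands in for the commit list you would fetch from the upstream repo.

```python
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # full commit SHA: the only immutable ref
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s]+)")  # a "uses:" step line

# Constructed sample workflow; the SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: aquasecurity/trivy-action@0.28.0
      - uses: example-org/example-action@ffffffffffffffffffffffffffffffffffffffff
      - uses: ./.github/actions/local-step
"""
# Stand-in for the commits present in each upstream repo (in a real audit,
# fetch these from upstream, e.g. with git ls-remote or the GitHub API).
KNOWN_UPSTREAM_COMMITS = {
    "actions/checkout": {"0123456789abcdef0123456789abcdef01234567"},
}  # nothing recorded for example-org/example-action: its ffff... SHA is unverified

def find_action_refs(workflow_yaml):
    """Return (owner/repo, ref) for every remote action; local (./) and
    docker:// references are skipped because tag/SHA pinning does not apply."""
    refs = []
    for line in workflow_yaml.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group(1)
        if spec.startswith(("./", "docker://")) or "@" not in spec:
            continue
        path, ref = spec.rsplit("@", 1)
        refs.append(("/".join(path.split("/")[:2]), ref))  # drop sub-directory
    return refs

def audit_workflow(workflow_yaml, known_upstream_commits):
    """'mutable-ref': a tag/branch that can be retargeted without touching the
    workflow; 'unverified-sha': a pin the upstream repo does not contain."""
    findings = []
    for repo, ref in find_action_refs(workflow_yaml):
        if not SHA_RE.match(ref):
            status = "mutable-ref"
        elif ref not in known_upstream_commits.get(repo, set()):
            status = "unverified-sha"
        else:
            status = "ok"
        findings.append((repo, ref, status))
    return findings
```

Running `audit_workflow(SAMPLE_WORKFLOW, KNOWN_UPSTREAM_COMMITS)` reports the Trivy tag as a mutable reference and the example-org SHA as unverified, while the local action is skipped.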
CircleCI 2026 Data: 59% More CI Runs, Five-Year Low Success Rate
- CircleCI's 2026 State of Software Delivery report — 28M workflows across 22K organizations — shows daily CI runs jumped 59% year-over-year, the largest single-year increase in the dataset's history. CI success rates fell to a five-year low in the same period.
- The top 5% of teams nearly doubled throughput while holding quality; the median team improved only 4%. Cortex's synthesis: AI accelerated code writing — already the fastest step in the delivery chain — without improving testing, review, deployment safety, or observability, widening the gap between elite and median teams.
- GitLab's 2026 Global DevSecOps Survey, cited in the same analysis, finds tool sprawl from disconnected AI tooling costs teams nearly a full workday per week; 85% say agentic AI delivers value on top of platform engineering, not alongside it.
Deployment Rollback Times: All Five Strategies Benchmarked
- A cross-strategy rollback comparison gives concrete time ranges: Feature Flags <2 minutes (automated kill switch), Canary 1–15 min (canary percentage only), Blue-Green 2–10 min (traffic switch), Rolling 7–40 min, Recreate 4–20 min. Database migrations that rename, drop, or change column types require expand-contract patterns for every strategy except Recreate.
- Infrastructure cost multipliers from the same benchmark: Blue-Green at 2.0× baseline (full environment duplication), Rolling 1.0–1.25×, Canary 1.01–1.10×, Feature Flags ≈1.0×. Decision heuristic: multiple deploys/day → Canary + Feature Flags; daily → Blue-Green or Canary; fewer than weekly → Rolling.
AWS DevOps Agent GA: CI/CD Deployment History Pulled into Incident Triage
- AWS DevOps Agent hit GA on March 31 with integrations for GitHub, GitLab, Azure DevOps, CloudWatch, Datadog, Dynatrace, New Relic, Splunk, Grafana, and PagerDuty — the first AWS-native tool that correlates CI/CD deployment events with incident telemetry to autonomously triage root cause. GA additions include on-premises and Azure support, custom agent skills via MCP, and automatic ticket deduplication.
- Preview metrics: 75% MTTR reduction, 94% root cause accuracy; Western Governors University resolved a 2-hour incident in 28 minutes using the Dynatrace integration. Pricing is per second of agent usage with no upfront commitment.