Weekly Security Roundup - CI/CD approvals, agent evals, and perimeters

This week in security, the focus shifted to tightening defaults and making controls easier to enforce across code, agents, and cloud boundaries. GitHub reduced credential sprawl and raised CI/CD gates with built-in tokens, bot PR workflow approvals, stronger validation for agent-generated PRs, and faster CodeQL scanning (including coverage for dormant repos). On the AI side, the story was operational guardrails: Foundry governance controls, ASSERT for turning specs into repeatable evals, and practical MCP patterns for exposing and scanning tools safely. Rounding out the week were concrete enterprise hardening moves like Azure Network Security Perimeter for Service Bus, IP allow lists for EMU namespaces, passkey adoption campaigns, centralized platform log collection, and LAPS policy enforcement for Azure Arc.

This Week's Overview

GitHub platform security: tightening CI/CD gates and reducing credential sprawl

GitHub rolled out several changes that make automated contributions and AI-assisted workflows safer by default, and they build on last week's supply-chain reminders that CI defaults (like what can run, with what permissions) often decide whether an attacker can turn a small foothold into secret access. The common theme is shifting from long-lived credentials and implicit trust to explicit approvals, built-in tokens, and automated validations that apply even when code is authored by agents.

Agentic Workflows can now use GitHub Actions' built-in GITHUB_TOKEN instead of requiring a personal access token (PAT), which reduces the blast radius of leaked credentials and simplifies secret management in repos. The same update adds a cleaner billing path for enterprises: org-owned repositories can bill Copilot CLI usage directly to the organization when Copilot policy and workflow permissions are configured (including the copilot-requests: write scope), which matters if you track spend via cost centers.

On the CI/CD side, pull requests opened by github-actions[bot] can now run GitHub Actions workflows only after approval by a user with write access. That aligns bot PRs with the existing approval model for Copilot-generated PRs and helps prevent unreviewed workflow executions from accessing secrets or elevated permissions. Meanwhile, GitHub made security validation for third-party coding agents generally available, applying CodeQL scanning, dependency checks against the GitHub Advisory Database, and secret scanning to agent-generated pull requests (enabled by default via Copilot settings).

Two more updates target coverage and speed. Code scanning can now run scheduled scans every 30 days for repositories that have been inactive for 6+ months, which helps large orgs keep dormant services from silently rotting with known issues. And incremental CodeQL analysis arrived for Go and C/C++ pull request scans, plus CodeQL CLI v2.25.5 support for incremental analysis in third-party CI (with incremental analysis enabled by default when using build mode “none” extraction), cutting analysis time without dropping the default query suite coverage.
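A quick audit of the two defaults this section is about, added here as example code (not GitHub's): it scans workflow files for a missing or blanket top-level permissions block and for PAT-style secrets where the job-scoped GITHUB_TOKEN would do. The workflow texts and the secret name ORG_ADMIN_PAT are constructed; the copilot-requests: write scope is the one named in the update above.

```python
"""Audit GitHub Actions workflow files for the credential-sprawl patterns the
roundup warns about: no least-privilege `permissions:` block, blanket write-all,
and PAT-style secrets used where the job-scoped GITHUB_TOKEN would do.
Added example, not GitHub's code; both workflows below are constructed."""
import re

# Constructed sample workflows (not taken from any real repository).
WORKFLOWS = {
    "agentic-review.yml": """\
name: agentic-review
on: pull_request
permissions:
  contents: read
  pull-requests: write
  copilot-requests: write
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: gh pr comment ${{ github.event.number }} --body reviewed
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
""",
    "legacy-sync.yml": """\
name: legacy-sync
on: push
permissions: write-all
jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - run: ./sync.sh
        env:
          TOKEN: ${{ secrets.ORG_ADMIN_PAT }}
""",
}

# Heuristic: a secret name containing PAT or TOKEN (other than GITHUB_TOKEN)
# usually means a long-lived personal credential stored in the repo.
PAT_LIKE = re.compile(
    r"\$\{\{\s*secrets\.((?!GITHUB_TOKEN\b)[A-Z0-9_]*(?:PAT|TOKEN)[A-Z0-9_]*)\s*\}\}")
# Top-level `permissions:` line; group 1 is the scalar form (e.g. write-all) or
# empty when a per-scope mapping follows on the next lines.
TOP_LEVEL_PERMS = re.compile(r"^permissions:[ \t]*(\S*)[ \t]*$", re.MULTILINE)

def audit_workflow(text: str) -> list[str]:
    """Return human-readable findings for one workflow file."""
    findings = []
    perms = TOP_LEVEL_PERMS.search(text)
    if perms is None:
        findings.append("no top-level permissions block; GITHUB_TOKEN gets the repo default")
    elif perms.group(1) == "write-all":
        findings.append("permissions: write-all grants every scope to GITHUB_TOKEN")
    for m in PAT_LIKE.finditer(text):
        findings.append(f"PAT-style secret {m.group(1)} used; prefer GITHUB_TOKEN")
    return findings
```

Run audit_workflow over each file in .github/workflows; an empty list means the file already follows the least-privilege, built-in-token pattern.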

AI and agent security: guardrails, evals, and new “agent ops” building blocks

This week showed a clear push toward making agentic systems auditable and controllable in real deployments, not just demos, continuing last week's shift from “agent security as guidance” into frameworks, tests, and governance packages teams can actually operationalize. The announcements span platform guardrails, evaluation tooling, and practical patterns for putting security checks in front of agent behavior.

Claude Fable 5 in Microsoft Foundry and agent governance controls

Claude Fable 5 is now available in Microsoft Foundry, positioned for long-running autonomous agent workflows through Foundry Agent Service and GitHub Copilot integrations, and it lands in the same moment we highlighted last week where agent governance is becoming a platform feature rather than a per-app add-on. For security teams, the key detail is Foundry's emphasis on enterprise guardrails and observability through the Foundry Control Plane, which is where policy enforcement and monitoring can become enforceable defaults rather than per-team conventions.

Token-based pricing is also part of the story because cost controls often become an operational guardrail for agent systems. If your agents can run for long durations, you will likely want usage visibility tied to identities, policies, and budgets alongside technical controls like tool access restrictions.

ASSERT: turning natural-language specs into executable eval pipelines

Microsoft announced ASSERT, an open-source framework that converts natural-language behavior specifications into evaluation pipelines for models and agents, extending last week's theme that agent risk needs CI-friendly tests (not just one-time red-teams) by making evals easier to generate and keep current. It focuses on generating a behavior taxonomy, producing stratified test cases, capturing traces, and scoring outcomes with policy-cited judgments, which directly targets a common gap in agent security: you cannot reliably secure what you cannot repeatedly test.

Because ASSERT is built around trace capture and structured scoring, it fits into CI/CD gates for agent changes (prompt updates, tool list changes, retrieval configuration, and orchestration logic). The fact that it explicitly covers areas like prompt injection and agent tracing makes it relevant for teams trying to formalize “AgentOps” beyond ad hoc red-teaming.

Blueprint and landing zone guidance for production agentic systems

Microsoft published guidance framing agentic AI as a multi-layer system (interaction, orchestration, integration, data, and model layers) where governance needs to be consistent end-to-end, reinforcing last week's message that “agent security” is really system security with clearer policy boundaries and audit trails. The emphasis is governance-first: apply shared controls and quality checks across each layer rather than treating “model safety” as the only control point.

In parallel, Azure AI Landing Zones content highlighted how to move from experimentation to production with guardrails across networking, identity, security, and cost control, aligning with Cloud Adoption Framework and Azure Well-Architected Framework patterns. Taken together, these pieces push teams toward repeatable architecture and policy baselines before agents get access to real systems.

Copilot CLI: making security checks and repeatable agent workflows more practical

GitHub Copilot CLI added an experimental /security-review command that analyzes local code changes and returns severity- and confidence-scored findings with actionable suggestions in the terminal, a natural next step after last week's emphasis on making security checks enforceable earlier than CI. This is a workflow-level security feature: it aims to catch issues before code even becomes a pull request, and it fits teams that want developer-local guardrails without waiting for centralized scanners.

GitHub also shared a guide on custom agents in Copilot CLI, where agent profiles live as Markdown files in a repository (for example under .github/agents). That makes workflows reviewable and shareable (security audits, IaC compliance reviews, incident response runbooks), and it reduces the “prompt drift” problem by putting agent instructions under version control.

MCP security patterns: exposing tools safely and scanning for unsafe ones

Azure App Service introduced a preview for built-in Model Context Protocol (MCP), letting you expose an existing REST API as an MCP server directly from an OpenAPI 3.x spec, building on last week's MCP governance thread by showing how platform-managed auth can become part of the tool surface area agents discover. App Service generates one MCP tool per operation and serves it over streamable HTTP, and the security-critical detail is that App Service Authentication and OAuth protected-resource metadata carry through to MCP clients, so your existing auth model becomes part of the tool interface.

Separately, a .NET tutorial demonstrated building an MCP server that scans for unsafe tools on startup using Microsoft.AgentGovernance.Extensions.ModelContextProtocol. This pattern matters because MCP expands the set of actions an agent can take, and “tool allowlisting” becomes a first-class security control when agents can dynamically discover capabilities.

Preparing teams for production: AgentOps webinar series

Microsoft announced a “Path to Production for Agents” webinar series (July 27-28) focused on governance, landing-zone architecture, evaluation gates, monitoring, security risks (including prompt injection and RAG risks), and cost/latency optimization, which follows last week's drumbeat that agent security is becoming a repeatable operating model with playbooks, gates, and audit evidence. It reads like an acknowledgement that agent deployments now need the same discipline as other production systems: CI/CD checks, telemetry, and policy enforcement, not just good prompts.

Enterprise cloud and identity controls: network perimeters, IP restrictions, and passwordless nudges

Azure and GitHub both shipped updates that reinforce “tighten access by default” patterns, especially for large organizations where identity and network boundaries are part of the security baseline, continuing last week's emphasis on hardening identity and making enforcement more consistent across access paths.

Azure Network Security Perimeter (NSP) reached GA for Azure Service Bus and is now available in Azure Government regions. NSP's default-deny behavior and its inbound/outbound rule model aim to make Service Bus access enforceable through a perimeter rather than scattered firewall rules and per-resource exceptions, with Private Link behavior and diagnostic logging called out for audit and compliance workflows.

On GitHub Enterprise Cloud, IP allow list enforcement for Enterprise Managed Users (EMU) namespaces is now generally available, extending native allow list coverage to ensure repositories can only be accessed from approved IPs across the web UI, Git protocol, and APIs. For orgs that rely on EMU for identity control, this closes a practical gap where policy and network enforcement need to apply consistently across every access path.

Microsoft Entra ID passkey registration campaigns also got attention, with walkthrough content explaining prerequisites in Authentication methods policy and how campaigns nudge users toward passkey registration. The key operational takeaway is that adoption features (nudges and campaigns) can be as important as the underlying tech when migrating large user populations off passwords.

Threat intel: AI-themed social engineering campaigns are getting more operational

Microsoft Threat Intelligence reported multiple campaigns using popular AI brands as social-engineering lures, and after last week's supply-chain and trusted-tooling incidents this is another reminder that attackers keep targeting developer trust cues as a delivery channel. The campaigns include phishing flows, malvertising, and GitHub-hosted fake installers delivered through release-asset abuse. The payloads include infostealers like Vidar, and the GitHub distribution detail is especially relevant for developer orgs because it exploits software download habits and trust in “GitHub releases” as a channel.

The mitigation guidance centers on tightening identity and endpoint controls: Microsoft Defender XDR for detection and response, Microsoft Entra ID Protection plus Conditional Access to reduce adversary-in-the-middle (AiTM) impact, and related controls to reduce credential theft and session hijacking. For teams rolling out agent tools internally, this is a reminder to treat “AI tooling” as a phishing theme that users will see in the wild, and to harden download and installer verification paths.

Secure-by-default monitoring and hybrid admin hygiene

Azure introduced a preview that simplifies platform log collection at scale by letting you use Azure Monitor Data Collection Rules (DCRs) to collect Azure resource platform logs centrally, which echoes last week's theme of reducing operational friction so teams actually turn on the controls they need. This reduces the operational burden of per-resource diagnostic settings and makes it easier to apply consistent filtering, routing to multiple destinations, and governance via Azure Policy.

For hybrid and regulated environments, LAPS for Azure Arc entered public preview, using Azure Policy and Machine Configuration to audit and enforce Windows LAPS settings across Azure VMs and Arc-enabled servers. That gives security teams a cloud-governed way to rotate and protect local admin passwords across on-prem and multi-cloud servers, with compliance reporting that fits existing policy workflows.

GitHub Enterprise Server 3.21: security governance and API change management

GitHub Enterprise Server 3.21 is now generally available, and alongside productivity features it includes changes that security and platform teams will feel in day-to-day operations, complementing last week's note about small-but-breaking API shifts by underscoring the need to version and test integrations as part of security governance. A new REST API version (2026-03-10) ships with breaking changes, which means integrations (including internal security automation and compliance reporting) may need explicit testing and pinning to avoid drift during upgrades.

Security governance also gets attention through secret scanning governance updates, while GitHub Actions workflow page performance improvements help teams operating large CI estates diagnose and review workflow history more effectively. On the infrastructure side, multi-disk storage configuration can matter for performance and operational resiliency in self-managed environments, especially where Actions artifacts, audit logs, and security scan outputs are heavy.

Security engineering deep dives: fewer false positives, safer secret delivery, and Windows packaging realities

Secret scanning trust is often limited by alert fatigue, and GitHub shared concrete work to reduce false positives at scale, building on last week's secure-by-default push (like NuGet pruning to cut vulnerability noise) by improving the signal quality that actually reaches engineers. The approach adds LLM-based contextual reasoning in the verification step, using focused file-level signals instead of sending large code contexts, and GitHub reports a 75.76% reduction in customer-confirmed false positive alerts while maintaining detection coverage. For security program owners, that type of reduction can translate directly into higher triage throughput and better developer cooperation because alerts feel more credible.

On the “secrets in pipelines” front, a practical AKS guide walked through moving secrets out of YAML by using Azure Key Vault with the Secrets Store CSI Driver and AKS Workload Identity. The runtime pattern reduces accidental secret exposure in repos and CI logs, and the troubleshooting notes (federation subject mismatches, missing labels, incorrect mounts) match the failure modes teams often hit when onboarding workloads to federated identity and SecretProviderClass-based mounts.
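A preflight check for the wiring the guide describes, added here as example code (not from the AKS guide): it takes the pod, service account, SecretProviderClass and federated identity credential as already-parsed dicts and reports the mismatches listed above. The namespace, account name, client ID and issuer URL are constructed placeholders.

```python
"""Preflight check for Key Vault + Secrets Store CSI Driver + AKS Workload Identity.
Flags the failure modes the guide lists: federated credential subject mismatch,
missing workload-identity label, and a CSI volume whose SecretProviderClass is
missing or bound to a different client ID. Manifests below are constructed dicts."""

CLIENT_ID = "11111111-2222-3333-4444-555555555555"  # constructed placeholder
# Constructed federated identity credential on the user-assigned identity.
FEDERATED_CREDENTIAL = {
    "issuer": "https://oidc.example.invalid/placeholder",  # placeholder issuer URL
    "subject": "system:serviceaccount:payments:kv-reader",
    "audiences": ["api://AzureADTokenExchange"],
}
SERVICE_ACCOUNT = {"metadata": {"name": "kv-reader", "namespace": "payments",
    "annotations": {"azure.workload.identity/client-id": CLIENT_ID}}}
SECRET_PROVIDER_CLASSES = {"kv-payments": {"spec": {"parameters": {
    "clientID": CLIENT_ID, "usePodIdentity": "false"}}}}
POD_OK = {"metadata": {"namespace": "payments", "labels": {"azure.workload.identity/use": "true"}},
          "spec": {"serviceAccountName": "kv-reader", "volumes": [{"name": "secrets", "csi": {
              "driver": "secrets-store.csi.k8s.io", "readOnly": True,
              "volumeAttributes": {"secretProviderClass": "kv-payments"}}}]}}
# Same workload with three typical onboarding mistakes.
POD_BAD = {"metadata": {"namespace": "payments", "labels": {}},
           "spec": {"serviceAccountName": "default", "volumes": [{"name": "secrets", "csi": {
               "driver": "secrets-store.csi.k8s.io",
               "volumeAttributes": {"secretProviderClass": "kv-missing"}}}]}}

def preflight(pod: dict, sa: dict, spcs: dict, fed: dict) -> list[str]:
    """Return misconfigurations found; an empty list means the wiring is consistent."""
    problems = []
    ns = pod["metadata"]["namespace"]
    sa_name = pod["spec"].get("serviceAccountName", "default")
    # The mutating webhook only injects the projected token into labelled pods.
    if pod["metadata"].get("labels", {}).get("azure.workload.identity/use") != "true":
        problems.append("pod lacks label azure.workload.identity/use=true")
    # Token exchange requires the subject to match namespace and account name exactly.
    expected = f"system:serviceaccount:{ns}:{sa_name}"
    if fed["subject"] != expected:
        problems.append(f"federated credential subject {fed['subject']!r} != {expected!r}")
    client_id = sa["metadata"].get("annotations", {}).get("azure.workload.identity/client-id")
    if not client_id:
        problems.append("service account missing azure.workload.identity/client-id annotation")
    # Each Secrets Store volume must name an existing class bound to the same identity.
    for vol in pod["spec"].get("volumes", []):
        csi = vol.get("csi", {})
        if csi.get("driver") != "secrets-store.csi.k8s.io":
            continue
        name = csi.get("volumeAttributes", {}).get("secretProviderClass")
        spc = spcs.get(name)
        if spc is None:
            problems.append(f"volume {vol['name']} references missing SecretProviderClass {name!r}")
        elif spc["spec"]["parameters"].get("clientID") != client_id:
            problems.append(f"SecretProviderClass {name} clientID differs from the service account")
    return problems
```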

A Windows packaging guide rounded out the week with a reminder that distribution and trust signals are part of application security. Packaging a static website into a single Windows EXE (unpacking to a temp folder and rendering offline via WPF WebView2 without running a local HTTP server) avoids opening a listening port, but it runs into SmartScreen reputation and signing realities. The write-up covers Authenticode constraints and how embedding/extracting native WebView2 loader dependencies affects the final artifact, which is useful if you're shipping internal tools that need to pass enterprise endpoint controls.

Other Security News

Microsoft's Build 2026 recaps and Azure's weekly update both reinforced that identity and agent governance are now showing up as first-class platform concerns alongside the usual service updates, which lines up with last week's broader throughline that governance and enforceability are catching up to where data and automation are actually happening. If you're tracking security posture across Azure and GitHub, these roundups are useful for spotting upcoming licensing, feature availability, and deployment prerequisites that will affect rollout plans.

Copilot Autofix entered limited private preview for GitHub Advanced Security for Azure DevOps, bringing AI-suggested fixes for supported CodeQL alerts into PR-based workflows. The billing model (token-based via GitHub AI credits charged to Azure) is a practical detail to settle early if you want Autofix to be a standard part of triage without surprise costs.

Microsoft Fabric also shipped governance-relevant updates: OneLake Shortcuts to SharePoint/OneDrive are now generally available with Service Principal/Workspace Identity auth via Microsoft Entra ID, and OneLake catalog role management is in preview for cross-workspace bulk updates. These features change how data access is granted and audited when Fabric becomes part of your analytics security boundary, especially if teams treat Microsoft 365 content as source data.