docs: add comprehensive gh-aw three-layer security architecture to WORKFLOWS.md and SECURITY_ARCHITECTURE.md#2868
Merged
…expand democratic threats, improve diagrams - Add comprehensive GitHub Agentic Workflows (gh-aw) 5-layer defense-in-depth security section - Add gh-aw SafeOutputs data flow diagram, AWF architecture diagram, security mindmap - Expand Democratic Threat Catalog with 12 categories, advanced scenarios, foreign influence operations - Add AI-enabled threat scenarios (prompt injection, data poisoning, model compromise) - Add gh-aw trust boundaries (TB-AW-1 through TB-AW-6) - Add 8 gh-aw-specific STRIDE threats with mitigations - Add Hack23 AI Policy alignment mindmap (OWASP LLM + EU AI Act + gh-aw controls) - Add compilation-time security controls table - Enhance icons and visual presentation throughout - Update version to 2.0, effective date to 2026-06-02 Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Copilot created this pull request from a session on behalf of pethers, June 2, 2026 08:30
…, supply chain, geopolitical threats - Add Democratic Integrity & Accountability Threats (F13–F16) - Add GDPR/Privacy threats (F17–F18) - Add Supply Chain & AI Governance threats (F19–F21) - Add Geopolitical & FIMI section with language-tier analysis - Extend security controls FUT-023 to FUT-032 - Add extended STRIDE→Control mapping for new categories - Add risk heat map (quadrant chart) - Add timeline mermaid diagram for threat evolution - Add 5 new mermaid flowchart diagrams - Bump version to 2.1, update revision history - Add coverage dimensions table to Purpose & Scope - Add shields.io badges for threat count and control count Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Copilot (AI) changed the title from "feat: Update THREAT_MODEL.md v2.0 — gh-aw Security Architecture, Enhanced Democratic Threats & AI Policy Alignment" to "feat: expand FUTURE_THREAT_MODEL.md v2.1 — democratic integrity, GDPR, supply chain & geopolitical threats" on Jun 2, 2026
…LOWS.md and SECURITY_ARCHITECTURE.md - Add new "gh-aw Security Architecture" section to WORKFLOWS.md with three-layer trust model (Substrate, Configuration, Plan-Level), Mermaid diagrams, and detailed component tables mapping gh-aw controls to Riksdagsmonitor usage - Add "gh-aw Platform Security Architecture" section to SECURITY_ARCHITECTURE.md with infrastructure isolation diagrams, compile-time enforcement, runtime controls (SafeOutputs, threat detection, content sanitisation, integrity filtering, secret redaction), and combined security posture mapping - Update SECURITY_ARCHITECTURE.md TOC with new section links - Add gh-aw architecture to policy references table - Update cross-references between both documents and external gh-aw docs - Improve existing Five-Layer section to note it extends gh-aw Layer 3 - Bump document versions (WORKFLOWS 7.5→7.6, SECURITY_ARCHITECTURE 2.4→2.5) Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Copilot (AI) changed the title from "feat: expand FUTURE_THREAT_MODEL.md v2.1 — democratic integrity, GDPR, supply chain & geopolitical threats" to "docs: add comprehensive gh-aw three-layer security architecture to WORKFLOWS.md and SECURITY_ARCHITECTURE.md" on Jun 2, 2026
Both WORKFLOWS.md and SECURITY_ARCHITECTURE.md lacked formal coverage of the gh-aw security architecture despite the repository running 14 agentic workflows within that runtime. The existing docs mentioned individual controls (Squid proxy, iptables, safe-outputs) but didn't map them to gh-aw's formal three-layer trust model.
Changes
WORKFLOWS.md (v7.5 → v7.6)
SECURITY_ARCHITECTURE.md (v2.4 → v2.5)
.md → schema validation + SHA pinning + scanners → .lock.yml)

Key diagram example (SafeOutputs flow)

```mermaid
sequenceDiagram
    participant Agent as 🤖 AI Agent (read-only)
    participant Buffer as 📦 Artifact Buffer
    participant Detect as 🕵️ Threat Detection Job
    participant Gate as ⛔ Analysis Gate
    participant Output as 📤 Safe Output Jobs
    Agent->>Buffer: Write analysis artifacts + article
    Buffer->>Detect: Download artifacts for analysis
    Detect->>Gate: Structural validation (checks 1–9b)
    Gate->>Output: Authorize safe output execution
```