Optimize security-review workflow: ~67% cost reduction, 55% fewer LLM turns

[Copilot]

The security-review.md workflow was generating ~5.1M tokens per run ($8.91) due to 33 LLM turns driven by sequential phase structure and overly broad tool loading.

Tool/schema pruning

• Remove agentic-workflows and web-fetch tools (neither needed in final form)
• Restrict GitHub toolsets: [default, actions, code_security] → [repos, code_security] — drops ~15 unused tool schemas (~297K tokens across turns)

Phase 1: pre-step replaces agentic-workflows tool

Add a steps: pre-step that fetches the latest firewall-escape-test run logs via gh CLI and writes them to /tmp/gh-aw/escape-test-summary.txt before the agent starts. Phase 1 now just does cat /tmp/gh-aw/escape-test-summary.txt — eliminates 3–4 agentic-workflows turns.

Phase 2: batch evidence gathering

7 separate bash blocks (one per sub-section) collapsed into a single block:

echo "=== NETWORK SECURITY ===" && cat src/host-iptables.ts && cat containers/agent/setup-iptables.sh && ...
echo "=== CONTAINER SECURITY ===" && grep -rn "cap_drop|capabilities..." && cat containers/agent/seccomp-profile.json && ...
echo "=== DOMAIN PATTERNS ===" && cat src/domain-patterns.ts && ...
# ... all evidence in one bash call

Reduces ~15 evidence-gathering turns to 2 (gather + analyze).

Phases 3–5: single synthesis phase

Merged STRIDE threat modeling, attack surface mapping, and CIS/NIST comparison into one prompt section — 1 synthesis turn instead of 9–10.

Projected impact

Metric	Before	After
Cost/run	$8.91	~$2.90
LLM turns	33	~15
Total tokens	5,140K	~2,100K

[Copilot]

Pull request overview

This PR optimizes the daily security-review agentic workflow to reduce token usage and LLM turns by pruning unused tool schemas, moving deterministic data-fetching into a pre-agent steps: block, and collapsing multi-phase analysis into fewer prompts.

Changes:

• Remove unused agentic-workflows / web-fetch tooling and restrict GitHub MCP toolsets to [repos, code_security].
• Add a pre-agent step that fetches the latest escape test logs into /tmp/gh-aw/escape-test-summary.txt for the agent to read locally.
• Consolidate evidence gathering into a single bash block and merge phases 3–5 into a single synthesis phase.

Show a summary per file

File	Description
.github/workflows/security-review.md	Workflow prompt/frontmatter updates: tool pruning, new pre-agent log fetch step, batched evidence collection, and merged synthesis phase.
.github/workflows/security-review.lock.yml	Regenerated compiled workflow reflecting the prompt/tooling changes and removal of the agentic-workflows MCP server wiring.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 2/2 changed files
• Comments generated: 3

[Copilot]

The pre-step queries gh run list --workflow "firewall-escape-test.lock.yml", but there is no workflow file with that name in this repository’s .github/workflows/ directory. As written, this will consistently produce an empty RUN_ID and Phase 1 will always read the fallback “No recent successful…” message. Update the --workflow argument to the actual workflow file name or workflow display name used by the escape test workflow in this repo (and consider documenting it here).

Suggested change

	RUN_ID=$(gh run list --workflow "firewall-escape-test.lock.yml" \
	# Keep this workflow identifier aligned with the escape test workflow's file name or display name.
	RUN_ID=$(gh run list --workflow "firewall-escape-test" \

[Copilot]

gh run list ... --jq '.[0].databaseId' can output the literal string null (jq returns null with exit code 0 when the array is empty). Because the script only checks -n "$RUN_ID", it may attempt gh run view "null" and then report a fetch failure instead of the clearer “no run found” path. Consider validating RUN_ID is a numeric id (or non-null) before calling gh run view.

Suggested change

	if [ -n "$RUN_ID" ]; then
	if [ -n "$RUN_ID" ] && [ "$RUN_ID" != "null" ] && [[ "$RUN_ID" =~ ^[0-9]+$ ]]; then

[Copilot]

Several grep -r... src/ --include="*.ts" -l / grep ... containers/ --include="*.sh" commands place --include after the path argument. In GNU grep, options after a file/dir operand can be treated as additional filenames, causing the search to fail (and undermining the “single evidence-gathering block” goal). Reorder these greps so all options (including --include and -l) come before the pattern/path operands.

[lpcox]

@copilot apply changes based on the comments in this thread

[Copilot]

@copilot apply changes based on the comments in this thread

Applied all three review fixes in commit 2b02de8:

1. Workflow name — changed from firewall-escape-test.lock.yml (non-existent) to secret-digger-copilot.lock.yml, which is the actual red-team escape test workflow in this repo, with a comment explaining the mapping.

2. Null RUN_ID guard — changed the condition to [ -n "$RUN_ID" ] && [ "$RUN_ID" != "null" ] && [[ "$RUN_ID" =~ ^[0-9]+$ ]] so a literal null jq output or any non-numeric value falls through to the "no run found" path instead of calling gh run view "null".

3. grep --include ordering — moved all --include flags before the pattern/path arguments (e.g., grep -r --include="*.ts" -l "network" src/) so they're always treated as options, not file operands.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.67.1
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.67.1 --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	86.20%	86.29%	📈 +0.09%
Statements	86.07%	86.16%	📈 +0.09%
Functions	87.41%	87.41%	➡️ +0.00%
Branches	78.57%	78.62%	📈 +0.05%

📁 Per-file Coverage Changes (1 files)

File	Lines (Before → After)	Statements (Before → After)
src/docker-manager.ts	86.6% → 87.0% (+0.39%)	86.1% → 86.5% (+0.38%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[github-actions]

Smoke test results (run 24048360915)

✅ GitHub MCP: #1704 "Fix Secret Digger (Copilot)…", #1701 "⚡ pelis-agent-factory-advisor…"
✅ Playwright: github.com title contains "GitHub"
✅ File write: /tmp/gh-aw/agent/smoke-test-claude-24048360915.txt created and verified
✅ Bash: file content confirmed

Overall: PASS

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

🔥 Smoke Test Results — PASS

Test	Status
GitHub MCP connectivity	✅ PR #1704 fetched successfully
GitHub.com connectivity	✅ Smoke test file confirms pass
File write/read	✅ /tmp/gh-aw/agent/smoke-test-copilot-24048360963.txt verified

PR: "Optimize security-review workflow: ~67% cost reduction, 55% fewer LLM turns"
Author: @Copilot | Assignees: @lpcox, @Copilot

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

Smoke test results:
Merged PR titles: Fix Secret Digger (Copilot): reframe prompt to avoid safety policy false positive; ⚡ pelis-agent-factory-advisor: pre-fetch content, restrict tools, reduce prompt tokens (~21% token savings)

1. GitHub MCP Testing ✅
2. Safe Inputs GH CLI Testing ❌
3. Playwright Testing ❌
4. Tavily Web Search Testing ❌
5. File Writing Testing ✅
6. Bash Tool Testing ✅
7. Discussion Interaction Testing ❌
8. Build AWF ✅
   Overall status: FAIL

🔮 The oracle has spoken through Smoke Codex

[github-actions]

Security Review

This PR modifies CI workflow files only — no changes to AWF core security components (iptables, squid config, container hardening, domain patterns, seccomp profile).

✅ Security Improvements

• Removed agenticworkflows MCP server: Eliminated a tool with "write-sink": {"accept": ["*"]} guard policy, reducing the write attack surface.
• Reduced token exposure: GITHUB_TOKEN: $\{\{ secrets.GITHUB_TOKEN }} removed from MCP gateway environment; no longer passed into containerized environment unnecessarily.
• Better token hygiene: Changed $\{\{ github.token }} interpolated directly into shell strings → \$\{GITHUB_TOKEN} via env: block. Tokens passed via env: are automatically redacted in GitHub Actions logs.
• Restricted GitHub MCP toolsets: context,repos,issues,pull_requests,actions,code_security → repos,code_security, reducing the agent's read surface.

⚠️ Supply Chain Security Regression

File: .github/workflows/security-review.lock.yml (5 occurrences)

# Before (pinned SHA — immutable):
uses: github/gh-aw-actions/setup@cde65c546c2b0f6d3f3a9492a04e6687887c4fe8 # v0.67.0

# After (mutable version tag):
uses: github/gh-aw-actions/setup@v0.67.1

Pinning to a commit SHA guarantees the exact code that runs cannot change after merge. A mutable version tag can be moved to point to different code at any time, which introduces supply chain risk. This is inconsistent with the other actions in this file, which all remain SHA-pinned (actions/download-artifact@3e5f45b2cfb9..., actions/github-script@ed597411d8f9..., actions/upload-artifact@bbbca2ddaa5d...).

Recommended action: Pin the new version to its commit SHA. For example:

uses: github/gh-aw-actions/setup@<SHA-for-v0.67.1> # v0.67.1

Note: Since this is an internal GitHub org action (github/gh-aw-actions), the practical risk is lower than for third-party actions — but this is a security-focused repository and maintaining consistent pinning is a sound practice.

---

Overall: The optimization intent is sound and the net effect is a smaller attack surface. The unpinned action reference is the one item worth addressing before merge.

Generated by Security Guard for issue #1717 · ● 109.6K · ◷

[github-actions]

Smoke Test: GitHub Actions Services Connectivity

Check	Result
Redis PING (host.docker.internal:6379)	❌ Failed — port not reachable
PostgreSQL pg_isready (host.docker.internal:5432)	❌ Failed — no response
PostgreSQL SELECT 1 (smoketest db)	❌ Failed — connection could not be established

host.docker.internal resolves to 172.17.0.1 but ports 6379 and 5432 are not accessible from this sandbox. The service containers may not be running or may not be bound to the host gateway interface.

🔌 Service connectivity validated by Smoke Services