[uk ai resilience] UK AI Open Code Risk & Resilience Governance — 2026-06-11 #38675
This discussion has been marked as outdated by UK AI Operational Resilience. A newer discussion is available at Discussion #38880.
Repository: github/gh-aw · Lookback: 2026-06-04 – 2026-06-11 · Run: §27362553635
Executive Summary
The 7-day window (494 commits, 145 security-signal) shows active hardening — AWF Firewall bumped 3× (v0.27.0→v0.27.2), safe-outputs MCP received critical fixes, and new agent guardrails shipped. Despite this, two Tier-C findings remain open 22–44 days with no committed fix dates. Zero secret scanning alerts.
Highest-risk finding: Cache-memory cross-run XPIA (#28830) — pentest-confirmed, 44 days open, no content-scanning control in place.
Tier Classification
Asset areas (tier column did not survive extraction):
- pkg/workflow/ — Go compiler core
- actions/setup/sh/ — shell scripts
- .github/workflows/*.lock.yml
- actions/setup/js/ — JS MCP runtime
- pkg/workflow/compilerenv/
- pkg/cli/ — CLI handlers
- .github/workflows/ — CI source
- pkg/linters/ — Go linters
Control Verification Summary
Pass 9 · Partial 25 · Fail 2 (36 domains, 6 asset areas)
Critical failures:
Key gaps:
- Alert #600 CRITICAL owned by AI agent only (no human SLA)
- Issue #28830 has no human assignee
- No content scanning on the migrate-legacy-files cache path
- No signed provenance on cache commits
- Circuit breaker (#28776) unimplemented
Positive evidence:
- AWF Firewall: all 4 container images SHA+digest pinned (compiler-enforced)
- Token steering active
- maxRuns: 500 + maxAiCredits enforced
- OTLP telemetry active
- GPG-signed commits
Risk-Scoring Table
AI-aware scoring (1=low risk, 5=high risk).
Scored locations (only the location column survived extraction): setup_cache_memory_git.sh; awf_helpers.go:195; q.lock.yml:1889; compilerenv/manager.go:106; strings.go:167.

Cache-Memory XPIA (Critical): Pentest-confirmed, 44d open. Structural controls (hooks cleared, exec bits stripped, symlinks deleted) are strong but do not scan file content. Confirmed attack: run A writes instruction-shaped .md/.json to cache → run B merges → agent reads as instructions with full write-scope token access. No content-scanning control deployed.

Compiler Unsafe Quoting (High): awf_helpers.go:195 embeds ecosystemJSON into a Python raw-string heredoc. Current data (internal domain names) contains no triple quote; exploitability low. Governance gap: CRITICAL CodeQL alert open 22d, Copilot-only ownership, no fix date. Compiler blast radius means any confirmed injection reaches every compiled workflow. Fix: base64-encode or write to $RUNNER_TEMP.

Weak Heredoc Hash (False Positive): strings.go:167 uses SHA-256 for deterministic heredoc delimiter generation, not credential storage. CWE-916 does not apply; suppress alert #612 with an annotation.
Remediation Queue
Queue items (priority and owner columns did not survive extraction):
- migrate-legacy-files; provenance sidecar; opt-in cross-run for `none` integrity
- $RUNNER_TEMP; or document as FP
- …q.md, ai-moderator.md, dev-hawk.md); recompile
- compilerenv/manager.go:106
- strings.go:167; close alert #612
- permissions: contents: read in error-message-lint.yml
- azure/login@v2 to full SHA
- zizmor: ignore scope in dev-hawk.lock.yml:1719

Interim mitigation for Tier-C (if SLAs cannot be met): restrict cache-memory to merged/approved integrity only; add a runtime assertion that panics on a triple single quote in ecosystemJSON.
Operational Metrics Baseline
Primary governance gap: Human ownership of HIGH/CRITICAL CodeQL alerts is 0%. All 4 alerts are Copilot SWE only — no human escalation path or SLA. Engineering velocity is high (494 commits/week) but the SAST remediation pipeline is stalled.