[uk ai resilience] UK AI Open Code Risk & Resilience Governance — 2026-06-12

[github-actions[bot]]

Repo: github/gh-aw · Window: 2026-06-05→2026-06-12 · Run: §27428752211
Signals: 472 commits (132 security-signal), 8 CodeQL alerts, 12 security issues, 0 secret scanning alerts.

---

Executive Summary

Control posture is adequate: zero secret alerts, daily CodeQL, threat-detection test suite (CTR-001–016), firewall v0.27.1, six security fixes merged in window.

Two critical unmitigated findings demand immediate action:

1. Cache-memory XPIA (#28830) — pentest-confirmed, score 24/25, no owner, no milestone, 7+ days open.
2. Unsafe quoting in compiler (CodeQL #600) — score 20/25, CRITICAL severity, no owner.

Systemic root: externally-influenced content flows into privileged execution contexts without sanitization — compiler → shell, cache → agent context, PR-ref → secrets-holding CI. On an AI-agent platform this converts to agent hijacking, credential theft, or unbounded spend.

---

Asset Tier Classification

Asset	Tier	Score	Key Signal
setup_cache_memory_git.sh	D	24/25	#28830 pentest XPIA, no content validation
pkg/workflow/awf_helpers.go	D	20/25	#600 CRITICAL unsafe-quoting/fmt.Sprintf
.github/workflows/q.lock.yml	C	16/25	#585 HIGH privileged issue_comment checkout
pkg/workflow/compilerenv/manager.go	B	11/25	#609 HIGH int64→int without bounds
actions/setup/js/safe_outputs_handlers.cjs	B	—	High-value write-gate
pkg/workflow/cache.go + cache_integrity.go	B	—	Implicated by #28830; Go layer sound
.github/workflows/dependabot-repair.lock.yml	B	—	#588 MEDIUM; fork guard present
.github/workflows/aoai-endpoint-smoke-test.yml	B	—	#611 MEDIUM unpinned azure/login@v2
.github/workflows/error-message-lint.yml	B	—	#610 MEDIUM missing permissions block
.github/workflows/dev-hawk.lock.yml	B	8/25	zizmor github-env HIGH; suppression justified
pkg/workflow/strings.go	B	10/25	#612 HIGH SHA-256 false positive
actions/setup/js/artifact_client.cjs	B	—	#38803 SEC-004 false positive; exempt in place
actions/setup/js/apply_samples.cjs	B	—	#38802 SEC-005 false positive; exempt in place

0 × A · 10 × B · 1 × C · 2 × D

---

Control Verification

Domain	Status	Top Gap
Ownership	⚠️ Partial	#28830 unassigned, no milestone; flat CODEOWNERS
SDLC	⚠️ Partial	117 actionlint errors (#38795) untriaged; 984 poutine suppressions unvalidated
Dependency	⚠️ Partial	govulncheck in go.mod but not in CI; sbom-action not SHA-pinned
Secret Exposure	✅ Verified	0 open alerts; OIDC tokens; egress allowlist
Observability	⚠️ Partial	ASI-08 circuit breaker (#28776) unimplemented; no on-call path
Recovery	⚠️ Partial	No rollback workflow; no IR runbook; no MTTR targets

MTTR proxy: 10–20 days · Ownership coverage: ~75%

---

Remediation Queue

Tier D — Critical (assign within 72 h, implement within 14 days)

• D-1 · Cache-memory cross-run poisoning: migrate-legacy-files ingests unvalidated content (XPIA surface) #28830 · Cache-memory XPIA: Assign owner + milestone immediately. Add content-scan before git add -A in setup_cache_memory_git.sh (reject instruction-shaped patterns, quarantine to .gh-aw-quarantine/, emit ::warning::). Add provenance sidecar per migration.
• D-2 · #600 · Unsafe quoting: Assign owner immediately. Audit all fmt.Sprintf-into-shell callsites in awf_helpers.go; apply shellEscapeArg consistently. Add go-linter rule to prevent regression.

Tier C — High (14 days)

• C-1 · [Custom Engine Test] Test Issue Created by Custom Engine #585 · Privileged checkout: Refactor q.lock.yml — issue_comment trigger queues repository_dispatch; privileged job checks out only default-branch ref. Remove 3 poutine:ignore suppressions after fix.

Tier B — Medium/High (7–21 days)

• B-1 · [Custom Engine Test] Test Issue Created by Custom Engine #609: Apply int64 return or bounds check in ResolveDefaultTimeoutMinutes; audit all parsePositiveIntEnvVar callers.
• B-2 · Guardrail evolution: Freeze compiler↔firewall guardrail contract with integration test; require 2-maintainer review for daily-AIC logic.
• B-3 · [Safe Outputs Conformance] SEC-005: apply_samples.cjs references target-repo without an allowlist check or documented exemption #38802/[Safe Outputs Conformance] SEC-004: artifact_client.cjs flagged for unsanitized body field (HTTP transport payload — needs documented exemption) #38803: Require second-maintainer countersign for @safe-outputs-exempt annotations; add CI gate.
• B-4 · #611/[Custom Engine Test] Test Pull Request - Custom Engine Safe Output #610: Pin azure/login@v2 to commit SHA; add permissions block to error-message-lint.yml.
• B-5 · [Custom Engine Test] Test Issue Created by Custom Engine #612: Triage and add SHA-256 suppression comment if confirmed false positive (heredoc delimiter use, not credential hashing).

---

Exception Register

Suppression	Location	Status	Deadline
poutine:ignore ×3	q.lock.yml	Remove after C-1 fix	2026-06-26
@safe-outputs-exempt SEC-005	apply_samples.cjs:4	Needs countersign	2026-06-26
@safe-outputs-exempt SEC-004	artifact_client.cjs:5–6	Needs countersign	2026-06-26
zizmor:ignore[github-env]	dev-hawk.lock.yml:1718	Justified (runner-controlled var)	Quarterly
poutine:ignore ×3	dependabot-repair.lock.yml	Fork guard present	Quarterly

---

Operational Metrics Baseline

Metric	Value	Target
MTTR proxy	10–20 days	< 7 days (critical)
Ownership coverage	~75%	100% on critical
Confirmed pentest findings unmitigated	1 (#28830, 7+ days)	0
Tier-D findings with no rollback path	2	0
Secret scanning alerts	0	0
Static analysis trend	+5 (all churn)	Flat

---

References: §27428752211 · #38795 Static Analysis · #28770 OWASP Top 10

Generated by UK AI Operational Resilience · 1.7K AIC · ⌖ 14.1 AIC · ⊞ 20.9K · ◷

• expires on Jun 15, 2026, 8:46 AM UTC-08:00