[uk ai resilience] 🇬🇧 UK AI Open Code Risk & Resilience Governance — 2026-06-17

[github-actions[bot]]

Executive Summary

Repository: github/gh-aw · Lookback: 7d (2026-06-10→17) · Commits: 269 (80 security-signal) · Run: §27704440522

Synthesized from 3 parallel sub-agents (asset-tier-classifier · ai-risk-scorer · control-verifier), 16 code scanning alerts, 12 open security issues.

Metric	Value
Code scanning alerts	16 — 1 CRITICAL · 5 HIGH · 6 MEDIUM · 3 NOTE/WARN · 1 dummy
Secret scanning alerts	✅ 0
Open security issues	12 — 1 CRITICAL unowned · 3 HIGH · 8 tracking
Oldest open bug	196 days (#5437 — cache sanitization)
OWASP ASI coverage	7/10 strong · ASI-06 ❌ · ASI-07 ⚠️ · ASI-08 ⚠️
Control score	5.5/10 — strong SDLC + observability; weak ownership routing and recovery runbooks

🚨 Priority Actions

Priority	SLA	Action
🔴 CRITICAL	≤24h	Assign owner + fix #28830 — cache-memory XPIA, 51d open, pentest-confirmed, no assignee
🔴 CRITICAL	≤24h	SHA-pin Docker actions in publish-safe-outputs-node.yml (alerts #623–625) — single supply-chain entry point for all gh-aw consumers (exposure amp=5)
🟠 HIGH	≤7d	Apply escapeGraphQLString() to ownerId at project_command.go:295 (CodeQL #627–628, confirmed valid)
🟠 HIGH	≤7d	Dismiss CodeQL #612 (false positive — SHA-256 for heredoc delimiter, not credential storage)
🟠 HIGH	≤7d	Block @firebas11 + audit agent-trigger events — issue content = prompt injection vector
🟠 HIGH	≤7d	Triage CRITICAL alert #600 (go/unsafe-quoting, 28d, Copilot-assigned, no PR)
🟡 MEDIUM	≤30d	Add path-glob rules to CODEOWNERS — currently 4 names, zero path patterns
🟡 MEDIUM	≤30d	Create .github/secret_scanning.yml — no custom token patterns registered
🟡 MEDIUM	≤30d	Create docs/runbooks/security-incident.md — no rollback procedure exists

---

Phase 1 — Asset Tier Classification

Segment	Active Alerts	Open Issues	Tier
pkg/workflow/	3	#28830 XPIA · #28776 · #28775	C
scripts/	2 HIGH (insecure tmp, 1d)	—	C
pkg/cli/	2 WARNING	—	B
actions/setup/js/	0	#5437 indirect	B
actions/setup/sh/	0	#28830 root surface	B
.github/workflows/	4 MEDIUM (unpinned)	#39743	B
pkg/actionpins/	0	—	A ✅

---

Phase 2 — Control Verification (score 5.5/10)

Domain	Status	Key Gap
Ownership	⚠️ Partial	CODEOWNERS = 4 names + zero path-glob rules; #28830 (CRITICAL 51d) has no assignee
SDLC	⚠️ Partial	Lockdown ✅, template-injection guards ✅, permission fixes same-week ✅. Commit signing unverifiable (shallow clone)
Dependency	⚠️ Partial	go.mod pinned ✅, mcp-scripts validation ✅. GAP: publish-safe-outputs-node.yml uses 3 mutable docker/* version tags
Secret Exposure	⚠️ Partial	RUNNER_TEMP isolation ✅, sanitizeContent() ✅. GAP: .github/secret_scanning.yml absent
Runtime Obs.	⚠️ Partial	OTLP ✅, bot detection 6h ✅, CodeQL/gosec daily ✅. GAP: No circuit breaker (exhaustive grep = 0 matches)
Recovery	⚠️ Partial	GAP: No incident runbook in docs/. #28830 + #627–628 both unassigned.

FP triage: CodeQL #612 = DISMISS (SHA-256 for heredoc delimiters); CodeQL #627–628 = VALID (ownerId unescaped in GraphQL).

---

Phase 3 — AI-Aware Risk Scores

Area	Exposure	Patch	Detect	Fragility	Ownership	Composite	SLA
Cache-memory XPIA (#28830)	5	4	5	4	5	4.60 🔴	≤24h
Unpinned Docker (#623–625)	5	2	4	4	2	3.40 🔴	≤24h
Bot @firebas11 (#39034)	4	3	3	2	4	3.20 🟠	≤7d
mcp-scripts runtime (#39739)	4	3	3	3	2	3.00 🟠	≤7d
GraphQL injection (#627–628)	2	1	3	2	2	2.00 🟡	≤30d
Insecure temp (#629–630)	2	1	3	1	2	1.80 🟢	≤90d
Weak hashing (#612)	1	1	2	1	2	1.40 🟢	FP

Docker actions scored Exposure=5: publish-safe-outputs-node.yml is the single upstream pipeline for the safe-outputs Node image — tag mutation would contaminate all gh-aw consumers.

---

Phase 4 — Remediation Queue

Priority	SLA	Action	Owner
🔴 CRITICAL	≤24h	[#28830] Add content scanning in setup_cache_memory_git.sh before git add -A	Assign now
🔴 CRITICAL	≤24h	SHA-pin docker/login-action, docker/setup-buildx-action, docker/build-push-action	pelikhan
🟠 HIGH	≤7d	Alert #600 go/unsafe-quoting — check Copilot PR; escalate if absent	Copilot
🟠 HIGH	≤7d	Converge #28830 + #28775 + #5437 into single cache-sanitization PR	lpcox
🟠 HIGH	≤7d	Block @firebas11; add new-account cooldown gate to agent triggers	pelikhan
🟠 HIGH	≤7d	Apply escapeGraphQLString() to ownerId at project_command.go:295,368	Unassigned
🟠 HIGH	≤7d	Alert #585 untrusted checkout — confirm Copilot PR	Copilot
🟠 HIGH	≤7d	Dismiss alert #612 (false positive)	pelikhan
🟡 MEDIUM	≤30d	#28776 circuit breaker — open/half-open/closed state machine	lpcox
🟡 MEDIUM	≤30d	CODEOWNERS path-globs: pkg/workflow/**, pkg/cli/**, .github/workflows/**	pelikhan
🟡 MEDIUM	≤30d	.github/secret_scanning.yml with internal token patterns	pelikhan
🟡 MEDIUM	≤30d	docs/runbooks/security-incident.md with rollback + post-mortem template	lpcox
🟢 LOW	≤90d	Alerts #609, #610, #629–630, #564 — integer conv, permissions, temp files, smoke dismiss	—

---

OWASP Agentic Top 10 Gaps

Category	Status	Gap
ASI-06 Memory Poisoning	❌ Largest gap	Cache+repo memory injected into agent context without scanning; XPIA confirmed (#28830 + #28775 + #5437)
ASI-08 Cascading Failures	⚠️ Moderate	No circuit breaker confirmed by grep; #28776 open 51 days
ASI-07 Inter-Agent Comms	⚠️ Moderate	No E2E encryption or message signing between agent and gateway
ASI-01–05, 09–10	✅ Strong	Well-covered — see #28770 for full gap analysis

---

Operational Metrics Baseline

Metric	Current	Target
MTTR proxy (HIGH+ avg age)	~67 days (#5437=196d, #28830=51d)	≤14 days
Alert ownership coverage	25% (4/16 assigned)	≥80%
Unpinned Docker action ratio	75% of image-build pipeline	0%
Custom secret patterns	0 (no secret_scanning.yml)	Register all
CODEOWNERS path coverage	0% (0 of N paths have rules)	≥80%
Incident runbook	❌ Absent	Create docs/runbooks/
General patch velocity	✅ 269 commits/7d — excellent	Maintain
Secret scanning cleanliness	✅ 0 open alerts	0

Convergence: #28830 + #28775 + #5437 share the same root surface. One PR closes all three and drives MTTR from 67d → ~14d.

---

References: §27704440522 · §27670090231 · §27643159359

Generated by UK AI Operational Resilience · ◷

• expires on Jun 20, 2026, 8:55 AM UTC-08:00