[uk ai resilience] UK AI Open Code Risk & Resilience Governance — 2026-06-26

[github-actions[bot]]

Repo: github/gh-aw | Lookback: 7d (2026-06-19→26) | Run: §28249997521
319 commits · 71 security-signal commits · 7 code-scanning alerts · 0 secret-scanning alerts · 13 open security issues

---

1. Executive Summary

Two areas are Tier C (Restricted Pending Review):

1. pkg/workflow/sandbox/ — gh-aw-firewall v0.27.10 has a topology-attach deadlock and rootless artifact permission regression. v0.27.11 fix is available but not deployed (Bump default gh-aw-firewall version to v0.27.11 #41554). sandbox.agent.sudo: false workflows silently fail → AI network isolation guardrail is broken.
2. .github/workflows/ — docker/build-push-action@v7.2.0 unpinned ([Custom Engine Test] Test Issue Created by Custom Engine #625, 12+ days open). 302 comment-triggered RGS-004 findings. Large AI-agent-driven supply chain surface.

No secret-scanning alerts. MTTR ~1–3 days. All commits PGP-verified.

---

2. Asset Graph (7-day scope)

Area	Alerts/Issues	Tier
pkg/workflow/sandbox/	#41554 (firewall bugs)	C
.github/workflows/	#625 (unpinned), RGS-004/012/018	C
scripts/safe-outputs/	#41457 fixed	B
pkg/engine/	#41465 closed (improvement)	B
pkg/cli/project_command.go	#627, #628 (CWE-89)	B
scripts/ JS tooling	#635 (high), #636 (medium)	B
pkg/workflow/ compiler	#626 (note, FP-likely)	B
.github/aw/	Pending #41554	A

Ownership: pelikhan (primary), lpcox (firewall/sandbox), dsyme (schema). Gap: #41746 (SOC-2 doc) unassigned.

---

3. AI-Aware Risk Scores

Dimensions (1–5): Exposure (×2), Patchability, Detectability (×1.5), Fragility, Ownership. Weighted ÷ 6.5.

Area	Exp	Ptch	Det	Frag	Own	Score	Tier
pkg/workflow/sandbox/	5	2	3	4	2	3.46	C
.github/workflows/	4	2	4	3	2	3.23	C
scripts/safe-outputs/	4	2	2	3	2	2.77	B
pkg/engine/	5	2	2	2	1	2.77	B
pkg/cli/project_command.go	3	2	3	2	2	2.54	B
scripts/ JS tooling	2	2	3	2	2	2.23	B
pkg/workflow/ compiler	3	2	2	2	1	2.15	B

AI-specific multipliers: (1) network isolation bypass via firewall deadlock; (2) 302 comment-triggered workflows without author-auth amplify agentic blast radius; (3) engine API key exposure in pkg/engine/; (4) safe-output bypass risk in scripts/safe-outputs/.

---

4. Control Gaps

Domain	Status	Gap
Ownership	⚠️	#41746 unassigned; #625 no dismissal/assignee (12d open)
SDLC	⚠️	Actionlint SC2016 spike +131 (34→165); codegen triage needed
Dependency	❌	Unpinned docker/build-push-action@v7.2.0; firewall 1 version behind
Secret exposure	✅	0 open alerts; API keys in named constants
Runtime observability	✅	AWF audit, daily scans, firewall health checks active
Recovery	❌	Firewall topology deadlock + permission regression unpatched

---

5. Remediation Queue

SLA	Action	Ref
🔴 HIGH — 3d	Bump DefaultFirewallVersion → v0.27.11; make build && make recompile && make recompile; refresh actions-lock.json	#41554
🟠 MED — 2w	Pin docker/build-push-action to full commit SHA in publish-safe-outputs-node.yml:193	#625
🟠 MED — 2w	Wrap ownerId/projectId with escapeGraphQLString() in project_command.go:295,368	#627, #628
🟠 MED — 2w	Triage actionlint SC2016 spike; add codegen suppression for literal $	#41614
🟡 LOW — 4w	Replace os.tmpdir() path with tmp library in prepare-objective-impact-safe-output-evaluations.cjs:34	#635
🟡 LOW — 4w	Validate network data before file write in ensure-docs-slide-pdf.js:130	#636
🟡 LOW — 4w	Assign owner for SOC-2 compliance doc (#41746)	#41746

---

6. Exception Register

No formal exceptions. By-design dispositions (all closed-issue tracked):

• RGS-004 (302 comment-triggered): gh-aw author_association guard in pre_activation jobs
• RGS-012 (10 outbound HTTP): Inherent to LLM API calls in AI workflows
• RGS-018 (6 payload execution): AI agent smoke tests; controlled environment

---

7. Operational Metrics Baseline

Metric	Value	Signal
MTTR proxy	~1–3 days	✅
Ownership coverage	3 maintainers; 1 unassigned security issue	⚠️
Unsupported dependency ratio	1 unpinned action; 1 outdated firewall	❌
Exception aging	0 formal; by-design documented	✅
Exposure without recovery	Firewall deadlock + permission regression	❌
Secret scanning	0 open alerts	✅
Commit integrity	100% PGP-verified	✅

Tier C Human Review Triggers: (1) Verify double-recompile SHA pins before deploying v0.27.11 + sudo:false smoke tests; (2) Confirm docker/build-push-action SHA matches authentic v7.2.0 before pinning.

References: §28249997521 · Alert #635 · Alert #625

Generated by UK AI Operational Resilience · 91.4 AIC · ⌖ 7.59 AIC · ⊞ 5.1K · ◷

• expires on Jun 29, 2026, 8:16 AM UTC-08:00

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-06-29T16:16:06.768Z.

Closed by Workflow