[uk ai resilience] UK AI Open Code Risk & Resilience Governance — 2026-05-27

[github-actions[bot]]

Executive Summary

This report applies the UK public-sector AI open-code risk and resilience framework to the github/gh-aw repository for the 7-day window 2026-05-20 → 2026-05-27. The repository saw 390 commits (107 security-signal) in this period — an extremely high velocity driven by mixed human and AI-agent authorship. The assessment found no Tier A (safe) areas among the six scored surfaces; every high-priority area landed Tier C (restricted pending review) or Tier D (decommission candidate). The single Tier D finding — 263 comment-triggered AI-agent workflows with no actor-authorization guard — is actively growing at +3 findings/day and represents the most exploitable live risk in the repository.

Key condition: the static analysis pipeline is operating well as a detection layer (zizmor, poutine, actionlint, runner-guard, CodeQL all run daily), but no findings class currently triggers a merge-blocking gate, meaning critical and high findings accumulate without automated enforcement pressure.

---

Asset Graph Summary — Recent-Change Scope

Asset	Tier Hypothesis	Primary Risk Driver
pkg/workflow/	A	CodeQL critical #600 (unsafe-quoting, 7d unfixed); inline skill extraction new parse surface
.github/workflows/	A	263 auth-missing comment triggers (+3/day); github-env High 5d unfixed; 2 open CodeQL alerts
pkg/cli/	B	Unified event timeline new surface; no open alerts
actions/setup/js/	B	unified_timeline.cjs new + prior fence-escaping gap in render_template.cjs
pkg/parser/	B	Frontmatter rename collision fix — schema-validation bypass risk at untrusted-input boundary
go.mod / go.sum	C	Routine patch bumps; no CVEs; go.sum consistent

Top systemic risks this window:

1. RGS-004 comment-trigger missing auth (263 findings, +3/day) — highest exploitability signal
2. CodeQL critical go/unsafe-quoting in awf_helpers.go:140 — fleet-wide blast radius on compilation path
3. github-env High on dev-hawk.lock.yml — 5 consecutive days unfixed, persistent privilege-escalation path
4. untrusted_checkout_exec — 12 findings (poutine + CodeQL dual-flagged), fork-PR code execution in privileged context
5. Inline skills extraction (Add inline skill extraction/runtime support mirroring inline sub-agents #34874) — new prompt-injection vector with no security review on record

---

Tier Classification Table

#	Area	Risk Score	Tier	SLA	Status
1	Comment-Trigger Workflows — no auth (RGS-004, 263 findings)	23/25	D	24h 🚨	Growing +3/day
2	pkg/workflow/awf_helpers.go:140 — go/unsafe-quoting (CodeQL critical)	18/25	C	72h	7d unfixed, bot-assigned
3	dev-hawk.lock.yml — GITHUB_ENV write (zizmor High)	17/25	C	72h	5d unfixed, no owner
4	Inline Skills Extraction — #34874 (new surface)	16/25	C	72h	No security review
5	untrusted_checkout_exec — 12 findings (poutine + CodeQL)	17/25	C	72h	No remediation commits
6	MCP Gateway/Firewall Runtime — v0.25.56/v0.3.20	17/25	C	72h	Recent bundle, untested interaction

Score dimensions (each 1–5): Exposure Amplification + (6−Patchability) + (6−Detectability) + Operational Fragility + (6−Ownership Confidence). Tier A ≤10 · B 11–16 · C 17–20 · D ≥21.

---

Control Verification Gaps

Domain	Status	Primary Gap	Severity
SDLC	⚠️ Partial	Static analysis is detection-only; no merge-blocking gate for github-env writes, missing comment-trigger auth, or invalid permission scopes	🔴 Critical
Ownership	⚠️ Partial	No per-path CODEOWNERS granularity; AI bot merges on security-critical files without mandatory human sign-off; CodeQL critical assigned to bot only	🟠 High
Dependency	⚠️ Partial	untrusted_checkout_exec (12 findings, no remediation); github_action_from_unverified_creator_used (9 workflows); curl-pipe-bash install in 2 workflows	🟠 High
Secret Exposure	⚠️ Partial	Closed RGS-012/018 issues on 4 production workflows without verified remediation commits — dedup-mask anti-pattern	🟡 Medium
Runtime Observability	✅ Pass	Unified timeline + OTEL + audit command in place; gap is no automated alerting thresholds on collected data	🟢 Low
Recovery	⚠️ Partial	Entirely manual-initiation only; no automated rollback trigger; no RTO/RPO targets documented	🟡 Medium

SDLC Gap Detail

The static analysis pipeline (CodeQL, zizmor, poutine, actionlint, runner-guard) runs daily and has strong detection coverage. However, none of the finding classes currently block merges:

• github-env HIGH on dev-hawk.lock.yml: open 5+ days, GITHUB_ENV written from a step that includes GH_HOST injection — maps directly to CWE-454 environment variable poisoning
• RGS-004 Comment-trigger auth missing: 263 findings growing at +3/day across q.lock.yml, ai-moderator.lock.yml, dev-hawk.lock.yml — issue_comment/pull_request_target triggers without author_association guard
• copilot-requests: write invalid permission scope confirmed in security-review.lock.yml and brave.lock.yml — schema validation not blocking at merge
• 509 workflow files represent systemic blast radius for any schema/lint gap

Recommended remediation: Promote github-env HIGH findings to merge-blocking status; add required Actions schema validation blocking copilot-requests: write; enforce author_association validation as a linter rule for issue_comment/pull_request_target triggers.

Ownership Gap Detail

• CODEOWNERS present but single global rule (4 humans) — no per-directory granularity for .github/workflows/, secret-redaction code, or firewall/gateway integration
• AI bots (copilot-swe-agent[bot], gh-aw-bot) merge PRs on high-risk files without mandatory human sign-off path
• CodeQL critical alert #600 assigned exclusively to Copilot bot; 7 days without human acknowledgement
• Mixed AI/human authorship at 390 commits/7d velocity creates accountability gaps during off-hours windows

Dependency Gap Detail

• untrusted_checkout_exec (12 poutine findings + CodeQL #588): fork PR content reaches runner execution context with production secrets in scope across dependabot-worker, smoke-workflow-call, smoke-workflow-call-with-inputs, dependabot-repair.lock.yml — no remediation commits found
• github_action_from_unverified_creator_used (9 workflows): agentic-token-audit, dataflow-pr-discussion-dataset, hippo-embed, link-check (×2), mcp-inspector, smoke-codex, super-linter, copilot-setup-steps
• unverified_script_exec (2 workflows): curl-pipe-bash install in smoke-codex (trufflehog) and copilot-setup-steps (install-gh-aw.sh)

Secret Exposure Gap Detail

• RGS-012 (Secret Exfiltration via HTTP) flagged on 4 production workflows — all historical issues CLOSED without verified remediation commits
• Closing without a signed-off remediation commit creates a dedup-mask anti-pattern: findings silently reclassified as known-good between audit cycles
• Affected workflows: daily-model-inventory (3 findings), visual-regression-checker (2), daily-multi-device-docs-tester, docs-noob-tester

---

Risk-Scoring Table and Rationale

Area	Exp↑	Patch↓	Detect↓	Frag↑	Own↓	Score	Tier
Comment-Trigger no auth (RGS-004)	5	2	2	4	2	23	D
awf_helpers.go unsafe-quoting	4	3	4	5	2	18	C
dev-hawk GITHUB_ENV write	5	3	3	4	2	17	C
untrusted_checkout_exec	4	3	3	4	3	17	C
MCP Gateway/Firewall runtime	4	3	3	4	3	17	C
Inline Skills Extraction	4	3	2	4	3	16	C

Scoring Rationale Detail

Comment-Trigger / RGS-004 (Score 23, Tier D)
Any GitHub user can trigger privileged AI agents via comment on any issue — full repo permissions, no actor guard. The dedup-mask pattern (closed historical issues suppress re-raising) means there is no active tracking for 263 findings growing at +3/day. This is a systemic architectural gap, not an isolated misconfiguration. The AI-amplification factor is maximum: the agent executes arbitrary tool calls with production credentials upon comment receipt.

awf_helpers.go:140 unsafe-quoting (Score 18, Tier C)
CodeQL flags this at security_severity_level: critical (CWE-78/89/94). The finding sits in the core compilation path — a quote-breakout here propagates to every compiled workflow artifact. Assigned to Copilot bot with no human follow-through in 7 days. Operational fragility is maximum (5): a compilation-path fix or regression affects the entire workflow fleet.

dev-hawk GITHUB_ENV write (Score 17, Tier C)
GITHUB_ENV writes with attacker-reachable values (issue_comment trigger) allow environment variable injection: PATH hijack, NODE_OPTIONS RCE, secret variable overwrite. Dev-hawk's AI agent co-runs in this workflow, meaning a successful injection silently redirects agent behavior. Five days without a human owner filing a PR.

untrusted_checkout_exec (Score 17, Tier C)
Both poutine (12 findings) and CodeQL (#588) flag this independently — not a false positive. Fork PR content executes with production secrets in scope in dependabot-worker and smoke test variants. Standard remediation (unprivileged/privileged job split) is documented but not applied.

MCP Gateway/Firewall runtime (Score 17, Tier C)
Gateway is the sole security boundary in bypassPermissions mode; filter failure yields unrestricted MCP tool access for the agent. Three runtime dependency bumps in the same window (firewall v0.25.56, gateway v0.3.20, SDK v1.6.1) without confirmed interaction testing. Unified event timeline adds log injection as a new attack vector.

Inline Skills Extraction (Score 16, Tier C)
New surface in pkg/workflow/ compilation path. Adversarial skill content embedded in markdown compiles into the workflow and silently alters agent behavior at runtime. No input sanitization confirmed, no security review on PR #34874. Prompt injection via compiled skill content is invisible to current static analysis.

---

Remediation Queue with SLAs

#	Action	Area	SLA	Owner Signal
1	Add author_association: MEMBER guard to all issue_comment and pull_request_target triggers in q.lock.yml, ai-moderator.lock.yml, dev-hawk.lock.yml	Comment-trigger auth	24h 🚨	CODEOWNER required
2	Fix or assign human owner to CodeQL critical #600 (awf_helpers.go:140 unsafe-quoting)	pkg/workflow	72h	Human CODEOWNER must claim bot-assigned alert
3	Fix GITHUB_ENV writes in dev-hawk.md (lock.yml lines 739+1584) per zizmor remediation guidance	dev-hawk workflow	72h	CODEOWNER sign-off
4	Split untrusted-checkout workflows into unprivileged/privileged job pairs for dependabot-worker, smoke-workflow-call*, dependabot-repair	Supply chain	72h	CODEOWNER review
5	Gate inline skills extraction (#34874) behind compile-time opt-in flag; require security review before production enablement	pkg/workflow	72h	Security review + CODEOWNER
6	Regression-test MCP gateway v0.3.20 tools-filter path in bypassPermissions mode before enabling on untrusted-input workflows	MCP runtime	72h	Platform team
7	Add per-path CODEOWNERS rules for .github/workflows/, pkg/workflow/, pkg/cli/ gating security-critical paths to human-only reviewers	Ownership	1 week	@pelikhan / @lpcox
8	Convert detection-only static analysis findings (github-env, RGS-004, invalid permission scopes) into merge-blocking CI gates	SDLC	1 week	CI maintainer
9	Require re-scan sign-off before closing RGS-012/018 issues; replace dedup-mask pattern with # runner-guard:ignore + rationale	Secret exposure	1 week	Workflow owner
10	Replace copilot-requests: write (110 occurrences) with correct scope; remove invalid queue: max (236 occurrences) from workflow template	SDLC schema drift	2 weeks	Template maintainer
11	Add anomaly-detection thresholds on unified event timeline data (rate-limit tripwires, SIEM integration)	Runtime observability	2 weeks	Platform team
12	Document RTO/RPO targets for workflow failure scenarios; evaluate automated rollback trigger on CI gate failure	Recovery	2 weeks	@pelikhan

---

Exception Register

ID	Area	Threat Hypothesis	Exploit Acceleration	Operational Weakness	Expiry	Mitigation Plan
EXC-001	Comment-trigger workflows (Tier D)	Any GitHub user triggers privileged agent via issue comment; exfiltrates secrets or modifies repo via agent tool calls	High — requires only a public issue comment; no authentication beyond GitHub login	Closed historical issues suppress new findings; no active detection on trigger invocations	2026-05-28 (24h)	Suspend issue_comment trigger or add author_association: MEMBER guard; escalate to CISO if not resolved in 24h
EXC-002	CodeQL critical #600 bot-only ownership	Adversarial workflow markdown causes quote-breakout in compilation, injecting malicious content into compiled YAML	Moderate — requires contributor access to a markdown source file	Bot-only triage creates 7-day+ accountability gap for critical findings	2026-05-30 (72h)	Named human CODEOWNER must claim alert within 72h; feature-flag the affected compilation path if not claimed
EXC-003	dev-hawk GITHUB_ENV write	Attacker posts crafted issue comment to inject environment variables hijacking PATH/NODE_OPTIONS for RCE	Moderate-high — trigger is issue_comment, reachable by any GitHub user	5-day remediation gap signals ownership breakdown for this specific workflow	2026-05-30 (72h)	Disable GITHUB_ENV writes or restrict trigger to author_association: MEMBER

---

Operational Metrics Baseline

Metric	Value	Assessment
MTTR proxy (time-to-close for critical findings)	>7 days (CodeQL critical #600 open 7d; zizmor High open 5d)	🔴 Degraded — target should be ≤72h for critical
Ownership coverage	4 named human CODEOWNERs; 1 global rule for 509 workflows	🟠 Partial — no per-path gating on security-critical files
Unsupported dependency ratio	0 known EOL dependencies; 9 workflows use unverified Action publishers	🟡 Monitor — poutine unverified_creator findings require policy decision
Exception aging	EXC-001 is 5 days old (github-env, first flagged 2026-05-22)	🔴 Overdue — 5d without remediation on High finding
Exposure without recovery capability	263 auth-missing trigger invocations possible without automated rollback	🔴 Critical — no automated recovery trigger exists
Security signal commit ratio	107/390 = 27.4% of commits carry security signals	🟠 Elevated — above typical 10-15% baseline for active projects
Finding growth rate	RGS-004 +3/day; all others stable	🟠 Monitor — structural gap driving daily growth

---

Continuous Reassessment Recommendations

1. Immediate (24h): Suspend or guard issue_comment-triggered workflows in q.lock.yml, ai-moderator.lock.yml, dev-hawk.lock.yml with author_association: MEMBER minimum — Tier D exception EXC-001 expires 2026-05-28.
2. Short-term (72h): Human CODEOWNER must claim CodeQL critical #600; fix or feature-flag awf_helpers.go:140; fix GITHUB_ENV writes in dev-hawk.md; begin untrusted-checkout workflow split.
3. Structural (1 week): Convert static analysis HIGH/CRITICAL finding classes to merge-blocking CI gates — this is the single remediation that would have prevented all five currently-open findings from persisting past their first detection.
4. Governance (1 week): Add per-path CODEOWNERS for security-critical directories; require human sign-off on bot-assigned security alerts; replace dedup-mask pattern with runner-guard:ignore + rationale comments.
5. Platform (2 weeks): Add anomaly-detection thresholds on unified timeline; document RTO/RPO for workflow failures; evaluate automated rollback on CI gate failure.

---

References:

• §26524692490 (this run)
• §26493874470 (static analysis 2026-05-27)
• CodeQL alert #600 — go/unsafe-quoting
• CodeQL alert #607 — missing-workflow-permissions
• Issue #35145 — Static Analysis Report 2026-05-27

Generated by UK AI Operational Resilience · sonnet46 4.3M · ◷

• expires on May 30, 2026, 4:45 PM UTC

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-05-30T16:45:25.490Z.

Closed by Workflow