[uk ai resilience] UK AI Governance Report — 2026-05-29 (7-day window)

[github-actions[bot]]

Executive Summary

This report covers the 7-day lookback window (2026-05-22 → 2026-05-29) for github/gh-aw, applying UK AI open-code risk and resilience governance. The window saw 378 commits including significant security hardening (Copilot token permission gating, BYOK token suppression, SHA256 install verification, secret redaction regex update). However, 6 open code-scanning alerts and 12 open security issues remain unresolved — including 2 critical AI-amplified risks and 1 error-severity GitHub Actions finding.

Net posture: cautiously improving. Hardening activity is high-velocity, but the XPIA (cross-prompt injection) and secret-redaction surfaces require immediate closure.

---

Asset Graph — Recent-Change Scope

Surface	Changed	Alerts/Issues	Tier
pkg/workflow/awf_helpers.go	✓ (active)	Alert #600 unsafe-quoting	C
pkg/workflow/compilerenv/manager.go	✓ (#35642)	Alert #609 int-conversion	B
pkg/workflow/copilot_engine + BYOK	✓ (#35631, #35642)	—	B
pkg/workflow/ repo/cache-memory	— (stale)	Issues #28830, #28775, #5437	C
.github/workflows/q.lock.yml	—	Alert #585 untrusted-checkout/HIGH	C
.github/workflows/dependabot-repair.lock.yml	—	Alert #588 untrusted-checkout/med	B
.github/workflows/error-message-lint.yml	—	Alert #607 missing-permissions	B
pkg/parser/ strconv error discards	✓ (#35544)	Linter finding	B
pkg/workflow/ ghs_ redaction regex	✓ (#35612)	No test coverage confirmed	B
scripts/install-antigravity-cli.sh	✓ (#35629 ✅)	—	A

---

Tier Classification

Tier	Assets	Count
A — Open Safe	install-antigravity-cli.sh (checksum hardening landed)	1
B — Open With Conditions	compilerenv, copilot_engine/BYOK, dependabot-repair.lock.yml, error-message-lint.yml, pkg/parser strconv, ghs_ redaction	6
C — Restricted Pending Review	awf_helpers.go (unsafe-quoting), q.lock.yml (untrusted-checkout/high), repo/cache-memory XPIA	3
D — Decommission Candidate	—	0

The risk-scorer independently rated Secret Redaction Regex and Cache/Memory XPIA as Tier D (immediate action). These are elevated above Tier C in the remediation queue below.

---

Control Verification Gaps

Ownership Controls

• Evidence: Flat CODEOWNERS covers all four core maintainers across the entire repo.
• Gap: No scoped CODEOWNERS rules for high-sensitivity paths (pkg/workflow/, pkg/constants/). Security-critical changes (token gating, redaction regex) do not require a designated security-reviewer approval separate from general maintainers.
• Recommendation: Add scoped CODEOWNERS entries requiring @github/gh-aw-security (or equivalent) review for pkg/workflow/copilot_engine*, pkg/constants/, and any *redact* file paths.

SDLC Controls

• Evidence: CI pipeline runs zizmor, actionlint, poutine, TruffleHog; Dependabot weekly for gomod; changeset convention for PR tracking.
• Gap 1: Alert [Custom Engine Test] Test Issue Created by Custom Engine #585 (q.lock.yml untrusted-checkout/HIGH) and #600 (awf_helpers.go unsafe-quoting) remain open with poutine:ignore suppressions that carry no linked issue or expiry date — suppressed risks may persist indefinitely.
• Gap 2: No dedicated unit-test coverage confirmed for the updated ghs_ stateless token regex pattern.
• Recommendation: Require suppressions to include expires: and a tracking issue reference. Add a CI step that fails if any suppression is undated.

Dependency Controls

• Evidence: Dependabot weekly for gomod; ghcr.io/github/gh-aw-firewall container images referenced in lock files.
• Gap: Container image references use semver tags only (e.g., 0.25.56) without SHA digest pins — mutable tags create a supply-chain window.
• Recommendation: Pin gh-aw-firewall image references by digest in compiled lock files; automate digest updates via Dependabot or a dedicated digest-pin workflow.

Secret Exposure Controls

• Evidence: TruffleHog post-run scan; ExcludeEnvVarNames mechanism; BYOK dummy-key sentinel; --exclude-env argument to agent container.
• Gap 1: ghs_ regex update (Update ghs_ secret redaction regex for stateless token format #35612) has no observable regression test asserting all current token prefixes are covered.
• Gap 2: TruffleHog runs post-execution only — no pre-dispatch static check that compiled lock files contain no literal secret patterns.
• Recommendation: Add a token-prefix allowlist test; run TruffleHog on compiled lock files before dispatch.

Runtime Observability Controls

• Evidence: OTEL/Grafana + Sentry integration; structured logging via logger.New(); dedicated agentic-token-audit.lock.yml workflow.
• Gap: No circuit-breaker or token-exhaustion alert threshold — runaway token consumption would surface only via billing, not an automated halt.
• Recommendation: Implement ASI-08 (issue ASI-08: Add circuit breaker for repeatedly failing workflows #28776): circuit breaker triggering on successive failure rates or token-spend anomalies.

Recovery Controls

• Evidence: error_recovery.go with severity classification; retry/resume logic in progress for Copilot and Codex engines; high patch cadence.
• Gap: No automated rollback workflow on token-handling regression; recovery relies entirely on manual PR revert.
• Recommendation: Add a revert-and-redeploy trigger on secret-scan or redaction-failure CI signal.

---

AI-Aware Risk Scoring

Area	Exp. Amp	Patchability	Detectability	Op. Fragility	Ownership	Tier	SLA
Cache/Memory XPIA (#28830, #28775)	5	4	5	4	3	D→C	Critical 24h
Secret Redaction Regex (#35612)	5	2	5	2	2	D→C	Critical 24h
Copilot Token Gating (#35631, #35642)	5	3	4	3	2	C	High 72h
Unsafe Quoting – #600	4	2	3	3	3	C	High 72h
Untrusted Checkout – #585	4	2	3	3	2	C	High 72h
Integer Conversion – #609	3	2	4	4	3	B	High 1 week

Exposure Amplification and Detectability are scored 1–5 (5 = worst). Patchability 1–5 (1 = easy, 5 = hard).

---

Remediation Queue

#	Area	Action	SLA	Owner Signal
1	Secret Redaction Regex	Add token-prefix allowlist test; validate ghs_ + github_pat_ + ghp_ covered; add CI canary	24h	Unowned — assign immediately
2	Cache/Memory XPIA	Gate ingest with trust-tag provenance; sandbox cache namespaces per-run; add prompt-injection detection at ingest boundary (ASI-06 #28775)	24h	Unowned — assign immediately
3	Copilot Token Gating	Audit all BYOK code paths; assert default-deny when permissions.copilot-requests field is absent; add integration test	72h	Active (recent commits)
4	Unsafe Quoting #600	Apply shellquote/shellescape at all fmt.Sprintf interpolation sites in awf_helpers.go	72h	Active (alert open)
5	Untrusted Checkout #585	Assign owner; apply SHA-pin + environment protection guard to q.lock.yml checkout step; expire poutine:ignore suppression	72h	Suppression has no owner
6	Container Image Digest Pins	Pin gh-aw-firewall semver references by SHA in compiled lock files	1 week	Dependency hygiene
7	Integer Conversion #609	Bounds-checked cast in compilerenv/manager.go; add overflow unit test	1 week	Alert open
8	Missing Permissions #607	Add permissions: read-all block to error-message-lint.yml	1 week	Trivial fix
9	strconv Error Discards	Surface/log errors per strconvparseignorederror linter in schedule_parser.go, schedule_time_utils.go	1 month	Linter added (#35544)
10	Circuit Breaker	Implement ASI-08 (#28776): token-spend / failure-rate threshold halt	1 month	Issue open

---

Exception Register

Exception	Justification	Expiry	Mitigation
poutine:ignore on q.lock.yml checkout (#585)	Deliberate suppression with reviewer sign-off	No expiry — OPEN GAP	Must be linked to a tracking issue with expiry date; recommend 30-day max
Open XPIA issues (#28830, #28775, #5437)	Architectural fix in progress	Undated — OPEN GAP	Assign owner; set milestone

---

Operational Metrics Baseline

Metric	Value	Status
MTTR proxy	High patch cadence (96 security-signal commits / 7 days)	✅ Good
Ownership coverage	4 maintainers via flat CODEOWNERS; no scoped security path	⚠️ Partial
Unsupported dependency ratio	0 known EOL dependencies (Dependabot active)	✅ Good
Exception aging	poutine:ignore suppressions — no expiry dates	❌ Gap
Exposure without recovery	XPIA surface + no automated rollback on redaction failure	❌ Gap

---

References

• §26649594563 — Governance workflow run
• Security alert #585 — untrusted-checkout/HIGH in q.lock.yml
• Issue #28830 — Cache-memory XPIA surface

Generated by UK AI Operational Resilience · sonnet46 4M · ◷

• expires on Jun 1, 2026, 4:45 PM UTC

[github-actions[bot]]

This discussion has been marked as outdated by UK AI Operational Resilience.

A newer discussion is available at Discussion #36289.