[uk ai resilience] UK AI Resilience Governance — 2026-06-01

[github-actions[bot]]

Executive Summary

This report covers the 7-day lookback window (2026-05-25 → 2026-06-01) for github/gh-aw, a Go-based GitHub CLI extension that compiles natural-language agentic workflows into GitHub Actions. The window captured 358 commits and 110 security-signal commits, reflecting high engineering velocity. Six code-scanning alerts remain open, 11 security issues are tracked, and zero secret-scanning alerts are active.

Two surfaces warrant immediate restriction: the workflow compiler's unpatched shell-injection alert (#600, confirmed RCE vector in generated YAML) and the cache/memory ingestion pipeline (persistent cross-run prompt injection with near-zero detectability). Three additional surfaces are open with conditions pending targeted remediations. No decommission candidates were identified.

---

Asset Graph — Recent-Change Scope

Surface	Tier	Changed?	Key Signal
pkg/workflow — compiler core + safe-outputs + cache/memory	A	✅	Alerts #600, #609; ASI-06 open; XPIA unmitigated
.github/workflows — agentic lock files	A	✅	Alert #585 ERROR untrusted-checkout
.github/workflows — standard CI	B	✅	Alert #610 missing-permissions
pkg/workflow/compilerenv	B	✅	Alert #609 integer-conversion; provider-auth issue
actions/setup/js — agent factory	B	✅	Supply-chain + cache-APM bundle changes
pkg/cli	C	✅	No direct alerts; indirect exposure via compiler
pkg/parser	C	✅	Untrusted-input boundary; no active alerts
specs/ + README	D	✅	Alert #564 anomalous finding on README.md
scripts/	D	✅	Dev tooling only

Owners: @dsyme @eaftan @pelikhan @krzysztof-cieslak (CODEOWNERS, repo-wide)

---

Tier Classification

Surface	Tier (AI-Risk)	Tier (Asset)	Reconciled
Cache/Memory System (XPIA)	C — restrict	A	C — Restrict Pending Review
Workflow Compiler (Go)	C — restrict	A	C — Restrict Pending Review
MCP Integration & Tool Access	C — restrict	B	C — Restrict Pending Review
Safe-Outputs System	B — conditions	A	B — Open With Conditions
CI/CD Workflows	B — conditions	B	B — Open With Conditions
Auth & Provider Management	B — conditions	B	B — Open With Conditions

---

Control Verification Gaps

View Full Control Gaps by Surface

.github/workflows/q.lock.yml — Alert #585 (untrusted-checkout/HIGH)

Domain	Status	Gap
Ownership	⚠️ Partial	Branch protection reviewer requirements unverifiable (API 403)
SDLC	❌ Fail	No merge gate blocks PRs while HIGH CodeQL alert is open
Dependencies	⚠️ Partial	Dependabot alert list inaccessible (403)
Secrets	⚠️ Partial	Untrusted-checkout creates secret exfiltration path from fork-triggered jobs
Observability	⚠️ Partial	ASI-08 (circuit breaker for failing workflows) open and unimplemented
Recovery	⚠️ Partial	No documented SLA for HIGH alert resolution; #585 open with no linked remediation PR

pkg/workflow/awf_helpers.go — Alert #600 (go/unsafe-quoting)

Domain	Status	Gap
Ownership	✅ Pass	CODEOWNERS covers file; 4 named owners
SDLC	❌ Fail	Alert #600 open; sibling alerts #580-#582 fixed — this one missed in sweep
Dependencies	✅ Pass	No external shell deps in path
Secrets	⚠️ Partial	Unsafe-quoting + unvalidated XPIA = chained secret-leakage path
Observability	⚠️ Partial	XPIA surface open (ASI-06 unresolved)
Recovery	⚠️ Partial	No linked remediation PR; sibling fix pattern available

pkg/workflow/compilerenv/manager.go — Alert #609 (integer-conversion)

Domain	Status	Gap
Ownership	✅ Pass	CODEOWNERS covers file
SDLC	⚠️ Partial	No fuzz gate; integer overflow unpatched
Dependencies	✅ Pass	No Go CVEs confirmed
Secrets	✅ Pass	Low-probability indirect risk
Observability	⚠️ Partial	No OTEL alert rule for compiler panics
Recovery	⚠️ Partial	No remediation batch sweep planned

Cross-cutting gaps:

• CI does not block merges on open HIGH/ERROR code-scanning alerts
• Circuit breaker for failing agentic workflows (ASI-08) unimplemented
• XPIA sanitization pipeline (ASI-06) unimplemented — affects multiple surfaces

---

Risk-Scoring Table

Surface	Exposure	Patch	Detect	Fragility	Ownership	Tier	Priority
Cache/Memory (XPIA)	5	2	1	5	3	C	🔴 Critical
Workflow Compiler	4	4	2	4	5	C	🔴 Critical
MCP Integration	4	3	2	4	3	C	🟠 High
Safe-Outputs	4	3	3	4	4	B	🟠 High
CI/CD Workflows	3	4	4	3	4	B	🟠 High
Auth & Provider	3	3	3	3	4	B	🟡 Medium

Scores 1–5; Exposure/Fragility: higher = worse · Patch/Detect/Ownership: higher = better

Key rationale:

• Cache/Memory: Detect=1 is the critical driver — prompt-injected cache payloads are structurally indistinguishable from legitimate content; no behavioural anomaly detection exists
• Workflow Compiler: Alert #600 is scanner-confirmed RCE in compiler-generated YAML; payload evades source-code review because it lives in generated output

---

Remediation Queue

#	Action	Surface	SLA	Urgency
1	Assign lead + milestone to ASI-06; implement cache/repo-memory sanitization pipeline with schema validation and content-hash integrity	Cache/Memory	1 week	🔴 Critical
2	Patch Alert #600 (go/unsafe-quoting in awf_helpers.go) + add regression test covering AI-output shell interpolation	Compiler	1 week	🔴 Critical
3	Patch Alert #609 (go/incorrect-integer-conversion in compilerenv/manager.go) + audit use site for timeout/buffer impact	Compiler	1 week	🔴 Critical
4	Add CI merge gate: block PRs when HIGH/ERROR CodeQL alerts are open on changed files	CI/CD	1 week	🟠 High
5	Complete OWASP Agentic Top 10 gap analysis for MCP tool access surface	MCP	2 weeks	🟠 High
6	Implement MCP sanitize mode (box/sanitize tool responses before returning to agent)	MCP	2 weeks	🟠 High
7	Document threat-model rationale for each poutine:ignore suppression in q.lock.yml and dependabot-repair.lock.yml	CI/CD	3 days	🟠 High
8	Add explicit permissions: read-only block to error-message-lint.yml	CI/CD	3 days	🟠 High
9	Add safe-output bypass-detection telemetry; add integration tests for each recent fix path	Safe-Outputs	2 weeks	🟠 High
10	Implement ASI-08: circuit breaker for repeatedly failing agentic workflows	Resilience	2 weeks	🟡 Medium
11	Implement provider-based auth abstraction for AI credentials (scoped tokens + rotation)	Auth	1 quarter	🟡 Medium
12	Investigate Alert #564 (workflow-security-finding-1 on README.md) — potential hardcoded token or dangerous shell snippet in code block	README	3 days	🟡 Medium

---

Exception Register

No formal exceptions requested. The following accepted-risk suppressions exist and require documentation:

File	Suppression	Alert	Required Action
.github/workflows/q.lock.yml	poutine:ignore untrusted_checkout_exec	#585 (HIGH)	Document threat-model rationale inline; add expiry date and reviewer sign-off
.github/workflows/dependabot-repair.lock.yml	poutine:ignore untrusted_checkout_exec	#588 (medium)	Document rationale; confirm bounded blast radius

All exceptions must be temporary with documented expiry and mitigation plan per UK AI Open Code governance requirements.

---

Operational Metrics Baseline

Metric	Value	Signal
MTTR proxy	Alert #585 open while sibling alerts #583-#587 closed; lag = ≥1 sprint	⚠️ Inconsistent patch velocity for agentic lock files
Ownership coverage	100% repo covered by CODEOWNERS (4 named owners)	✅ Full coverage
Unsupported dependency ratio	Dependabot API blocked (403); unverifiable	⚠️ Monitoring gap
Exception aging	2 poutine:ignore suppressions; age unknown, no expiry set	⚠️ Needs expiry tracking
Exposure without recovery capability	Cache/XPIA surface: no sanitization + no anomaly detection	🔴 High exposure, low recovery
Security issue aging	ASI-06 open (no assigned lead); cache poisoning issue open	⚠️ Unowned critical issues

---

References:

• §26769812897 — Workflow run (this assessment)

Generated by UK AI Operational Resilience · sonnet46 3.7M · ◷

• expires on Jun 4, 2026, 5:17 PM UTC

[github-actions[bot]]

This discussion has been marked as outdated by UK AI Operational Resilience.

A newer discussion is available at Discussion #36681.