[uk ai resilience] UK AI Open Code Risk & Resilience Governance — 2026-06-25

[github-actions[bot]]

Scope: github/gh-aw · 7-day lookback (2026-06-18 → 2026-06-25) · 301 commits · 84 security-signal commits · 6 open code-scanning alerts · 0 secret-scanning alerts · 12 open security issues

Executive Summary

github/gh-aw is a Go + Node.js/CJS GitHub CLI extension orchestrating agentic workflows (Copilot, Claude, Codex, Gemini, Pi). The 7-day window shows a high-velocity, well-governed cycle: active daily static-analysis gates, responsive remediation, and no critical or secret-scanning alerts. Two residual concerns require continued attention: (1) CodeQL HIGH alert #635 (insecure temp file) is actively tracked but unresolved; (2) a confirmed cross-run prompt injection (XPIA) surface in the cache-memory subsystem (#28830) remains open and unassigned since 2026-04-28 — the highest AI-amplified risk in the repository.

Overall posture: Tier B — Open With Conditions (one surface at Tier C).

Tier Classification

Surface	Tier	Rationale
Safe-Outputs Node.js layer	B	Alert #635 (HIGH temp file) tracked in #41061; symlink guard centralised (#40795)
Go compiler core (project_command.go)	B	Alerts #627/#628: GraphQL injection via API-returned node IDs — defence-in-depth gap
GitHub Actions workflow configs	B	Unpinned Actions (alert #625, RGS-007); permissions actively hardened
Network isolation subsystem	A	Rootless install fixed; sudo omitted in isolation mode; ARC/DinD egress added
Agent assignment & auth layer	B	4 auth fixes in window; high churn, monitoring required
Threat detection engine	A	Refactored into 6 focused modules; no open alerts
Cache-memory subsystem (XPIA)	C — Restricted Pending Review	#28830: pentest-confirmed cross-run prompt injection; no content validation; unassigned, 0 comments, 58 days old
Dependency surface	B	Astro v6→v7; unpinned docker/login-action, azure/login (RGS-007)

Control Verification

Domain	Status	Key Gaps
Ownership	✅ Present	Issue #28830 unassigned
SDLC	✅ Present	Daily CodeQL/Semgrep/zizmor/poutine/runner-guard; PRs reviewed
Dependency	⚠️ Partial	4 unpinned Action refs (alert #625, RGS-007)
Secret exposure	✅ Present	0 secret alerts; symlink guard centralised
Runtime observability	✅ Present	Threat detection active; network isolation with firewall
Recovery	✅ Present	MTTR ~3 days for #635; #28830 stalled at 58 days

AI-Aware Risk Scoring

Surface	Exp. Amp	Patch	Detect	Op Frag	Owner Conf	Tier
Safe-Outputs layer (alert #635)	4	4	3	3	4	B
GraphQL injection (#627/#628)	2	4	3	2	5	B
Unpinned Actions (#625, RGS-007)	3	5	3	2	4	B
Comment-triggered workflows (RGS-004)	3	2	5	2	4	A*
Cache-memory XPIA (#28830)	5	3	2	4	2	C
ASI-06: memory sanitization (#28775)	4	3	2	4	3	C
ASI-08: circuit breaker (#28776)	3	4	4	4	4	B

*RGS-004 at Tier A: upstream author_association guard confirmed in pre_activation jobs.

Top 3 AI-specific risks: (1) Cache XPIA #28830 — injected markdown reaches LLM context on next run; (2) Token exhaustion via retry loops — fix merged but no circuit-breaker framework yet (#28776); (3) Temp file race on evaluation script — could corrupt AI decision data silently.

Remediation Queue

#	Finding	SLA	Action
1	Alert #635 insecure temp file	High — 7 days	Use tmp.fileSync() / fs.mkdtemp() mode 0o600 (issue #41061 active)
2	Cache-memory XPIA #28830	High — 14 days	Assign owner; add instruction-pattern scanning before git add -A; quarantine suspicious files
3	ASI-06 memory sanitization #28775	High — 30 days	Sanitize repo-memory/cache-memory before agent context injection
4	Unpinned Actions (alert #625, RGS-007)	Medium — 14 days	Pin docker/login-action, docker/setup-buildx-action, azure/login to SHAs (prompt in #41170)
5	GraphQL injection #627/#628	Medium — 30 days	Wrap ownerId/projectId with escapeGraphQLString() or use parameterized variables
6	ASI-08 circuit breaker #28776	Medium — 30 days	Implement circuit-breaker frontmatter field with failure counter via artifacts
7	RGS-019 step-output interpolation	Low — 60 days	Replace ${{ steps.X.outputs.Y }} in run: with env vars

Exception Register

ID	Surface	Justification	Expiry
EX-001	RGS-004 comment-triggered workflows	Upstream author_association guard confirmed; not exploitable	2026-09-25
EX-002	Alert #626 workflow-graphql-static-concat	Hardcoded static template; no user-controlled injection path	2026-09-25
EX-003	Alert #564 smoke-claude dummy	Intentional test artifact	2026-09-25

Operational Metrics

Metric	Value	Signal
MTTR proxy (alert #635)	~3 days active, 26 comments	✅ Responsive
MTTR proxy (XPIA #28830)	58 days, 0 comments, unassigned	❌ Stalled
Ownership coverage	~85% of active surfaces	⚠️ Gap: #28830
Unsupported dependency ratio	Low; 4 unpinned Action refs	⚠️ Partial
zizmor High (7-day trend)	0 for 7 consecutive days	✅ Strong
Secret scanning alerts	0 open	✅ Clean

References:

• §28183930023
• §28078517319 (Static Analysis 2026-06-24)
• §28037495024 (DeepReport for alert #635)

Generated by UK AI Operational Resilience · 143.2 AIC · ⌖ 10.1 AIC · ⊞ 5.1K · ◷

• expires on Jun 28, 2026, 8:21 AM UTC-08:00