[uk ai resilience] UK AI Open Code Risk & Resilience Governance Report — 2026-05-19

[github-actions[bot]]

Executive Summary

The gh-aw repository (GitHub Agentic Workflows CLI) demonstrates strong foundational security controls (5/6 domains passing) but faces critical AI-era attack surface amplification requiring immediate remediation before broader AI agent exposure.

Key Metrics:

• 493 commits in 7 days (84 security-signal commits, 17%)
• 14 open security issues, 6 open CodeQL alerts
• 12 distinct repository assets classified
• 3 CRITICAL areas requiring immediate action (Tier C/D)
• 5 areas safe for open operation with monitoring (Tier A/B)

Overall Risk Posture: ⚠️ Medium-High (pending Tier C/D remediation)

Recommendation: Implement UK AI guidance with resilience-first approach - maintain public repository while addressing operational vulnerabilities through time-boxed remediation plan.

---

View Full Asset Graph & Changed Surfaces

Changed Surfaces (7-Day Window)

Asset	Type	Activity	Security Signals	Tier	Priority
pkg/workflow	Go Compiler	357 commits	3 CodeQL HIGH alerts	A	Critical
.github/workflows	CI/CD Runtime	83 commits	2 untrusted-checkout, 8 MCP wildcards	A	Critical
actions/	JS Handlers	47 commits	Schema validation failures	A	Critical
pkg/auth	Token Minting	283 'auth' mentions	Secret scanner evasion	A	Critical
.github/aw/mcps/	MCP Config	18 commits	Wildcard permissions (Issue #33348)	A	Critical
Agentic workflows	AI Automations	15+ workflows	OWASP compliance gaps	A	Critical
pkg/otel	Observability	12 commits	Sentry 401 auth failures	B	High
internal/	Core Utils	8 commits	Cache-memory XPIA	B	High
cmd/gh-aw	CLI Entry	6 commits	Panic recovery additions	B	High
schemas/	Validation	4 commits	Anthropic anyOf rejection	C	Medium
go.mod/go.sum	Dependencies	12 commits	AWF firewall v0.25.49 updates	C	Medium
docs/	Documentation	3 commits	Caveman optimization	D	Low

Dependency Landscape:

• AWF firewall v0.25.49 (security boundary)
• MCP go-sdk v1.6.0
• golang.org/x/crypto v0.51.0
• 8 external MCP servers (azure, jupyter, semgrep, skillz, brave-search, tavily, markitdown, microsoft-docs)

Ownership Signals:

• CODEOWNERS: @dsyme, @eaftan, @pelikhan, @krzysztof-cieslak
• Primary Committer: Copilot bot (72% of commits)
• 97.6% commit signature verification (481/493 GPG-verified)

---

View Control Verification Status

Control Domain Status

Domain	Status	Confidence	Key Evidence	Gaps
Ownership Controls	✅ PASS	High	CODEOWNERS (4 maintainers), 97.6% commit verification	No coverage validation in CI
SDLC Controls	✅ PASS	High	26+ test groups, CodeQL/Gosec/govulncheck, 84 security commits	Branch protection API 403
Dependency Controls	✅ PASS	High	Dependabot (6 ecosystems), go.sum, SHA-pinned actions	No automated SBOM in CI
Secret Exposure	✅ PASS	High	0 secret alerts, COPILOT_DUMMY_BYOK indirection	No rotation policy
Runtime Observability	✅ PASS	High	OTEL multi-backend, daily monitoring workflows	No centralized APM
Recovery Controls	⚠️ PARTIAL	Medium	CHANGELOG, promote-release workflow	No release tags, no rollback docs

Overall Score: 5 Pass, 1 Partial, 0 Fail

Critical Finding: Despite strong controls, recovery domain gap (no release tags) prevents reliable rollback capability - a key resilience requirement under UK AI guidance.

---

AI-Aware Risk Scoring

Risk Dimension Scores (1-5 scale, 5=highest risk)

Area	Exposure	Patch	Detect	Fragility	Ownership	Composite	Tier
Cache & Memory	5	2	2	4	3	3.2	D
MCP Integration	5	2	3	5	3	3.6	C
Workflow Compiler	5	3	4	5	4	4.2	C
Safe Outputs	4	3	4	4	4	3.8	B
Auth & Tokens	4	3	3	4	4	3.6	B
Actions Generation	3	4	2	3	4	3.2	B
Expression Safety	4	4	5	4	4	4.2	A
Dependencies	3	5	3	2	4	3.4	A

Tier Distribution: A=2 (25%), B=3 (37.5%), C=2 (25%), D=1 (12.5%)

---

View Critical Risk Areas

🔴 Tier D - Decommission Candidate

Cache & Memory Systems (Score: 3.2)

Why Tier D:

• Exposure Amplification (5/5): Classic prompt injection vector via cross-run cache poisoning. AI agents reading unvalidated cache content can be manipulated into executing attacker instructions.
• Patchability (2/5): Architectural change required (disable OR cryptographic signing). No quick fix.
• Detectability (2/5): Silent, persistent attack surface. No monitoring for cache tampering.
• Operational Fragility (4/5): Cross-session impact. Single poisoned cache entry affects all future workflow runs.
• Ownership Confidence (3/5): Long-standing issue caches should be sanitized #5437 "caches should be sanitized" remains open.

Evidence:

• Issue Cache-memory cross-run poisoning: migrate-legacy-files ingests unvalidated content (XPIA surface) #28830: Cache-memory cross-run poisoning (XPIA surface)
• Issue ASI-06: Sanitize repo-memory and cache-memory content before prompt injection #28775: ASI-06 sanitization requirement
• Issue caches should be sanitized #5437: Open since early development

Remediation SLA: 🔴 CRITICAL - 2 weeks

---

🔴 Tier C - Restricted Pending Review

MCP Server Integration (Score: 3.6)

Why Tier C:

• Exposure Amplification (5/5): Primary AI-to-system trust boundary. Wildcard permissions on 8 servers eliminate intended security isolation.
• Patchability (2/5): Coordination required across firewall (mcpg), AI engines, protocol versions.
• Detectability (3/5): Actor validation exists but gaps remain. Limited request/response logging.
• Operational Fragility (5/5): Jupyter MCP enables arbitrary code execution. Azure/Semgrep have broad system access.
• Ownership Confidence (3/5): 75 MCP Go files. Complexity suggests coordination challenges.

Evidence:

• Issue [deep-report] Audit and restrict allowed: ["*"] on 8 high-privilege MCP servers #33348: 8 servers with allowed: ["*"] wildcards
• Issue OWASP Agentic Top 10 compliance evaluation: gap analysis across gh-aw, firewall, and mcpg #28770: OWASP Agentic Top 10 gap analysis
• Issue Feature request: per-tool call limits (max-calls) in tools.github.allowed #18407: No per-tool call limits
• Issue ASI-08: Add circuit breaker for repeatedly failing workflows #28776: ASI-08 circuit breaker missing

Remediation SLA: 🔴 CRITICAL - 4 weeks

---

Workflow Compilation Engine (Score: 4.2)

Why Tier C:

• Exposure Amplification (5/5): Highest-privilege boundary. AI manipulation of markdown → YAML could inject malicious code into GitHub Actions, enabling CI/CD compromise.
• Patchability (3/5): Active patching (2 allocation-overflow fixes in 7 days) but 6 CodeQL alerts remain.
• Detectability (4/5): Expression safety validation, 676 test files, CodeQL integration.
• Operational Fragility (5/5): Core compilation logic. Failure or compromise impacts all 261+ workflows.
• Ownership Confidence (4/5): 493 commits/7 days from single Copilot bot = review bottleneck risk.

Evidence:

• 6 CodeQL go/allocation-size-overflow alerts (3 in pkg/workflow)
• 107 compiler files, 88,677+ lines
• Recent fixes: Harden run step sanitizer against allocation-size overflow pattern #32841, Guard MergeUnique allocation sizing against integer overflow (CodeQL #592) #32842
• 97.6% commit signature verification

Remediation SLA: 🔴 CRITICAL - 6 weeks

---

Tier Classification Summary

Tier	Count	Assets	Recommendation
A - Open Safe	2	Expression Safety, Dependencies	Maintain current controls + monitoring
B - Open With Conditions	3	Safe Outputs, Auth, Actions Gen	Implement 5 conditions before AI scale-up
C - Restricted Pending Review	2	MCP Integration, Compiler	Time-boxed remediation (4-6 weeks)
D - Decommission Candidate	1	Cache & Memory	Disable OR cryptographic signing (2 weeks)

Decision: Repository remains PUBLIC (aligned with UK AI "resilience over secrecy" guidance) with temporary operational restrictions on AI agent access to Tier C/D areas until remediation complete.

---

View Remediation Queue & SLAs

Phase 1: Emergency Stabilization (Weeks 1-2)

Priority	Task	Owner	SLA	Success Criteria
🔴 P0	Implement release tagging workflow	@pelikhan	Week 1	Tagged v0.x.x release + rollback docs
🔴 P0	Disable cache-memory cross-run persistence OR implement signing	@dsyme	Week 2	Zero XPIA surface OR signed cache entries
🔴 P0	Audit MCP wildcard permissions (Issue #33348)	@eaftan	Week 2	Explicit allowlists for 8 servers

Phase 2: Core Security Remediation (Weeks 3-6)

Priority	Task	Owner	SLA	Success Criteria
🔴 P0	Restrict MCP wildcard permissions	@pelikhan	Week 4	Zero allowed: ["*"] in production
🔴 P0	Fix CodeQL allocation-overflow alerts (6 total)	@dsyme	Week 6	Zero HIGH severity CodeQL alerts
🟠 P1	Complete OWASP Agentic Top 10 gap analysis (Issue #28770)	@eaftan	Week 6	Compliance matrix + remediation plan
🟠 P1	Implement circuit breaker for failing workflows (Issue #28776)	@pelikhan	Week 6	ASI-08 compliance

Phase 3: Hardening & Monitoring (Weeks 7-8)

Priority	Task	Owner	SLA	Success Criteria
🟡 P2	Add token scope auditing (log usage with repo/scope context)	@dsyme	Week 7	Structured token usage logs
🟡 P2	Deploy workflow security scanning in CI (zizmor/actionlint)	@eaftan	Week 7	Automated workflow alerts
🟡 P2	Automate SBOM generation in release workflow	@pelikhan	Week 8	SBOM in release artifacts
🟡 P2	Add CODEOWNERS coverage validation in CI	@dsyme	Week 8	100% path coverage

Human-Review Triggers:

• Any Tier C/D area showing increased attack indicators
• CodeQL severity escalation (medium → high → critical)
• Secret scanning alert (currently zero)
• Unusual authentication failure patterns
• MCP server wildcard permission re-introduction

---

View Exception Register

Temporary Exceptions (Time-Boxed)

Area	Exception	Threat Hypothesis	Expiry	Mitigation Plan
Cache-Memory	Cross-run persistence enabled	XPIA prompt injection via poisoned cache	2026-06-02 (2 weeks)	Disable OR implement cryptographic signing
MCP Servers	Wildcard permissions on 8 servers	Privilege escalation via jupyter/azure/semgrep MCP	2026-06-16 (4 weeks)	Explicit allowlist per Issue #33348
Workflow Compiler	6 HIGH CodeQL alerts unfixed	Integer overflow → runtime panic/DoS	2026-06-30 (6 weeks)	Overflow guards per #32841/#32842 pattern

No permanent exceptions granted. All must resolve within SLA or escalate to human review for architecture decision.

---

Operational Metrics Baseline

Current State (7-Day Window)

Metric	Value	Target	Status
MTTR (Proxy)	~3 days	<7 days	✅ Good
Ownership Coverage	97.6% (GPG-verified)	100%	✅ Good
Unsupported Dependency Ratio	0% (all Dependabot-managed)	<5%	✅ Excellent
Exception Aging	3 active (<2 weeks old)	<4 weeks	✅ Good
Recovery Capability	⚠️ No release tags	Tagged releases	❌ CRITICAL GAP
Security Signal Ratio	17% (84/493 commits)	>10%	✅ Excellent
Code Scanning Coverage	100% (CodeQL + Gosec)	100%	✅ Excellent
Secret Exposure	0 open alerts	0	✅ Excellent

Key Performance Indicators (KPIs) for Next Assessment:

• Release tags implemented (binary: yes/no)
• Cache poisoning surface eliminated (binary: yes/no)
• MCP wildcard count (target: 0 of 8)
• CodeQL HIGH alert count (target: 0 of 6)
• OWASP compliance % (target: 100%)

---

Governance Decision

Recommendation: ✅ MAINTAIN PUBLIC REPOSITORY with time-boxed operational restrictions

Rationale:

• Resilience over secrecy: Foundational controls are strong (5/6 domains passing)
• Recoverability: Remediation plan addresses recovery gap (release tags)
• Operational transparency: High security signal ratio (17%) demonstrates active security culture
• AI-specific risks: Cache poisoning and MCP wildcards are addressable within 4-6 weeks

Conditions for Continued Open Operation:

1. Complete Phase 1 remediation (Weeks 1-2): release tags + cache fix + MCP audit
2. Implement human-review checkpoints for Copilot bot commits (single-committer risk)
3. Deploy automated monitoring for exception register expirations
4. Publish security posture update at Week 4 milestone
5. Re-tier all assets at Week 8 completion (target: zero Tier C/D)

Alternative Considered & Rejected:

• ❌ Private repository: Would eliminate community security review, hide vulnerability disclosures, and contradict UK AI transparency guidance
• ❌ Delayed remediation: Current velocity (493 commits/7 days) supports aggressive timeline

Approval Authority: CODEOWNERS (@dsyme, @eaftan, @pelikhan, @krzysztof-cieslak)

---

Continuous Reassessment Schedule

Cadence: Bi-weekly during remediation phase (8 weeks), then monthly

Next Assessment: 2026-06-02 (2 weeks)

Triggers for Out-of-Band Assessment:

• New CVE affecting gh-aw dependencies (CVSS ≥7.0)
• Secret scanning alert (currently zero)
• CodeQL severity escalation to CRITICAL
• Unauthorized MCP wildcard permission re-introduction
• Commit signature verification drop below 95%

---

References:

• UK Government AI Open Code Guidance: (www.gov.uk/redacted)
• OWASP Agentic Security Top 10 (referenced in Issue OWASP Agentic Top 10 compliance evaluation: gap analysis across gh-aw, firewall, and mcpg #28770)
• Workflow Run: §26110808666
• Related Issues: [deep-report] Audit and restrict allowed: ["*"] on 8 high-privilege MCP servers #33348, Cache-memory cross-run poisoning: migrate-legacy-files ingests unvalidated content (XPIA surface) #28830, ASI-06: Sanitize repo-memory and cache-memory content before prompt injection #28775, OWASP Agentic Top 10 compliance evaluation: gap analysis across gh-aw, firewall, and mcpg #28770, ASI-08: Add circuit breaker for repeatedly failing workflows #28776, caches should be sanitized #5437, Warn/report token soon to expire? #20097, Feature request: per-tool call limits (max-calls) in tools.github.allowed #18407, Have "santize" mode where GitHub MCP tools box and sanitize text content according to contributor status #19967
• Security Commits: 84 of 493 (17%) in 7-day window

Generated by UK AI Operational Resilience · ● 15.1M · ◷

• expires on May 22, 2026, 4:42 PM UTC

[github-actions[bot]]

This discussion has been marked as outdated by UK AI Operational Resilience.

A newer discussion is available at Discussion #33588.