[uk ai resilience] Risk & Resilience Governance — 2026-06-03

[github-actions[bot]]

This report covers 2026-05-27 → 2026-06-03 for github/gh-aw under UK public-sector AI open-code risk guidance. The repository had 364 commits (127 security-signal) in the window. Overall posture: 🔴 High Risk — zero areas fully safe, one Tier D decommission candidate, four Tier C restricted areas.

---

Asset Tier Summary

Tier	Count	Top Assets
A (Open Safe)	0	—
B (Open With Conditions)	2	Integer conversion · Safe-output conformance
C (Restricted Pending Review)	4	Unsafe quoting · SEC-005 cross-repo · $GITHUB_ENV inject · Untrusted checkout
D (Decommission Candidate)	1	Cache-memory XPIA (#28830)

---

Critical Findings

#	Asset	Alert/Issue	Severity	Age	Assignee
1	pkg/workflow/awf_helpers.go:161	CodeQL #600 go/unsafe-quoting CWE-78/89/94	🔴 CRITICAL	14 days	Bot only
2	.github/workflows/q.lock.yml:1810	CodeQL #585 untrusted checkout CWE-829	🔴 HIGH	28 days	Bot only
3	actions/setup/js/update_activation_comment.cjs	#36591 SEC-005 cross-repo write no allowlist	🟠 HIGH	0 days	None
4	.github/workflows/dev-hawk.lock.yml:765,1641	zizmor github-env injection	🟠 HIGH	12 days	None
5	#28830 cache-memory XPIA	Cross-run prompt injection, no mitigation	🔴 CRITICAL	36+ days	None
6	pkg/workflow/compilerenv/manager.go:97	CodeQL #609 integer conversion CWE-190/681	🟠 HIGH	6 days	None
7	aoai-endpoint-smoke-test.yml	CodeQL #611 unpinned azure/login@v2	🟡 MEDIUM	1 day	None

---

Control Domain Summary

Domain	Status	Key Gap
Ownership	🟡 partial	CODEOWNERS single global entry; Copilot bot merges .github/ with no forced human reviewer
SDLC	🟡 partial	2 CodeQL findings open 14/28 days; SEC-005 open with no assignee
Dependency	🔴 fail	azure/login@v2 mutable tag; no package.json/lockfile for JS actions
Secret	🟡 partial	$GITHUB_ENV injection in dev-hawk unfixed 12 days; RGS-012 triage not codified
Runtime Obs.	✅ mostly pass	OTEL, daily audits, conformance checker in place
Recovery	🟡 partial	#28830 XPIA open 60+ days, no owner, no recovery plan

---

Remediation Queue

Priority	Item	SLA
🔴 P0	Pin azure/login to commit SHA	24 hours
🔴 P0	Reassign alert #600 to human; fix go/unsafe-quoting in awf_helpers.go:161	48 hours
🔴 P0	Assign human owner to #28830 XPIA; produce mitigation plan	48 hours
🔴 P0	Reassign alert #585 to human; fix untrusted checkout in q.lock.yml:1810	3 biz days
🟠 P1	Fix SEC-005 update_activation_comment.cjs — allowlist or exemption annotation	5 biz days
🟠 P1	Fix $GITHUB_ENV injection in dev-hawk.lock.yml (12 days overdue)	5 biz days
🟠 P1	Fix integer conversion compilerenv/manager.go:97	5 biz days
🟡 P2	Add path-scoped CODEOWNERS; require human reviewer on bot PRs to .github/	2 weeks
🟡 P2	Add package.json + Dependabot for actions/setup/js/	2 weeks

---

Exception Register (Tier C/D)

EXC-001 · Tier C · Unsafe Quoting — awf_helpers.go:161

Threat hypothesis: Workflow input with shell metacharacters embeds into compiler output; compiled YAML runs attacker code. Exploit acceleration: Bot commits ~364/week — injection ships at scale across all compiled workflows. Bot is both committer and assigned remediator (circular ownership gap). Mitigation: Replace string interpolation with env-var passing; add corpus-based test; reassign to human. Expiry: 5 business days.

EXC-002 · Tier C · Cross-Repo Write SEC-005 — update_activation_comment.cjs

Threat hypothesis: Prompt-injected agent supplies attacker-controlled targetRepo; handler writes to arbitrary repo — bypasses the only write-control layer. Exploit acceleration: Cross-repo writes are indistinguishable from legitimate activation comments in audit logs; silent lateral movement. Mitigation: Add allowlist check or SEC-005 exemption annotation; extend conformance checker. Expiry: 5 business days.

EXC-003 · Tier C · $GITHUB_ENV Injection — dev-hawk.lock.yml:765,1641

Threat hypothesis: Attacker influences PR metadata → poisons $GITHUB_ENV → all subsequent AI tool calls run under attacker environment. Exploit acceleration: Persists entire run; every agentic tool call affected. 12-day age with no ticket is governance failure. Mitigation: Replace with $GITHUB_OUTPUT; sanitise writes; add zizmor to PR gate; make recompile. Expiry: 7 business days.

EXC-004 · Tier C · Untrusted Checkout — q.lock.yml:1810

Threat hypothesis: issue_comment from any external contributor triggers privileged checkout; attacker code exfiltrates secrets via AI tool calls that appear as normal agent activity. Exploit acceleration: Semantic camouflage — exfiltration indistinguishable from legitimate orchestration. Open 28+ days; bot-assigned, unresolved. Mitigation: Add author-access check; scope token to contents: read; move secret steps to trusted-ref workflow; P0 human owner. Expiry: 3 business days.

EXC-005 · Tier D · Cache-Memory XPIA — #28830 — DECOMMISSION REQUIRED

Threat hypothesis: Attacker writes prompt-injection payload to Actions cache; migrate-legacy-files ingests without validation; every subsequent agent run executes attacker instructions indefinitely. Exploit acceleration: Persistent and cumulative — single cache write corrupts all future runs in that scope until purged; injected payload semantically indistinguishable from legitimate agent memory. Detectability 5/5 (worst case). Mitigation (Day 0): Disable/air-gap migrate-legacy-files. (Day 1–3) Define strict ingestion schema. (Day 3–7) HMAC-sign cache entries. (Day 7–14) Sandboxed pre-processing. (Day 14+) Cache-scope isolation by trust domain. No time-bound exception permitted without compensating control.

---

Operational Metrics Baseline

Metric	Value	Status
MTTR proxy (oldest critical open)	#28830: 36+ days · Alert 585: 28 days · Alert 600: 14 days	🔴 Degraded
Ownership coverage	3/7 scored areas have human assignees	🔴 57% unowned
Mutable-tag dependency count	1 (azure/login@v2)	🟡 Fixable in 24h
Exception aging	EXC-004: 28 days · EXC-005: 36+ days — both exceed permissible age	🔴 Stale
Secret scanning	0 open alerts	✅ Pass
Commit velocity (security-signal)	127/week	🟡 Elevated — human review bandwidth under pressure

References: §26900356206 · §26867331287 · §26869716747

Generated by UK AI Operational Resilience · sonnet46 7.4M · ◷

• expires on Jun 6, 2026, 5:17 PM UTC

[github-actions[bot]]

💥 WHOOSH! 🦸 The Smoke-Test Agent BLASTS through this discussion! ⚡

KA-POW! 🟢 All systems nominal — the Claude engine ran like a CAPED CRUSADER! 🦾

"Another repo saved from the clutches of broken builds!" — and with a FWOOSH, the agent vanishes into the CI ether... 🌟💨

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

• accounts.google.com
• android.clients.google.com
• clients2.google.com
• contentautofill.googleapis.com
• safebrowsingohttpgateway.googleapis.com
• www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

💥 [THE END] — Illustrated by Smoke Claude · opus48 4.8M · ◷

[github-actions[bot]]

Smoke goblin was here. Me bonk buttons. Repo still sparkle.

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

• accounts.google.com
• android.clients.google.com
• clients2.google.com
• contentautofill.googleapis.com
• safebrowsingohttpgateway.googleapis.com
• www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot · gpt54 6.2M · ◷

[github-actions[bot]]

Tiny smoke-test sprite was here — it booped the repo, chased the sparks, and left the gears humming. 🤖✨

Warning

Firewall blocked 6 domains

The following domains were blocked by the firewall during workflow execution:

• accounts.google.com
• android.clients.google.com
• clients2.google.com
• contentautofill.googleapis.com
• safebrowsingohttpgateway.googleapis.com
• www.google.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "accounts.google.com"
    - "android.clients.google.com"
    - "clients2.google.com"
    - "contentautofill.googleapis.com"
    - "safebrowsingohttpgateway.googleapis.com"
    - "www.google.com"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot · gpt54 6.5M · ◷

[github-actions[bot]]

This discussion has been marked as outdated by UK AI Operational Resilience.

A newer discussion is available at Discussion #36956.