[uk ai resilience] UK AI Open Code Risk & Resilience — Weekly Governance Report (2026-06-19)

[github-actions[bot]]

UK AI Open Code Risk & Resilience — 2026-06-19

Repo: github/gh-aw · Window: 2026-06-12→19 · Run: §27836896591

---

1 — Executive Summary

Repository is well-instrumented (282 commits, 5 security fixes merged, 4 active scanners, 0 secret alerts) but carries two Tier C risks that compound:

1. notify_comment.go — 2 CRITICAL CodeQL go/unsafe-quoting (CWE-78/89/94), zero patch velocity; fix pattern (%q) already present in same file.
2. threat-detect binary — no SHA-256/attestation verification before execution; a supply-chain compromise silently defeats the runtime AI-output safety control.

These compound: a poisoned threat-detect binary cannot catch YAML injections from (1). Fix (1) first (single PR), then (2).

---

2 — Asset Graph (recent-change scoped)

Asset	Changed	Open alerts
pkg/workflow/notify_comment.go	No	2 CRITICAL CodeQL
pkg/workflow/safe_outputs/	Yes (5 PRs)	0
pkg/workflow/checkout_manager.go	Yes (2 PRs)	0
pkg/cli/project_command.go	No	3 Semgrep
scripts/...evaluations.cjs	No	2 HIGH CodeQL
Threat-detect binary	Yes (#40166)	0
.github/workflows/ (250 files)	Yes	1 actionlint
go.mod / go.sum	No	0

---

3 — Tier Classification

Asset	Tier
MCP dispatch_workflow schema	A — fix merged #40315
Headroom workflow	A — digest-pinned, no alerts
undici 6.24→6.27	A — Dependabot, no CVEs
safe_outputs pipeline	B — 5 fixes merged; blocked from A by notify_comment.go
checkout_manager.go	B — credential churn; verify all paths
project_command.go	B — GraphQL injection, trivial fix
scripts/...cjs	B — HIGH temp-file alerts, CI/eval scope
Auth fallback (SAML)	B — fix merged, silent-degradation risk
.github/workflows/	B — 1 permissions error; 315 accepted Highs
notify_comment.go	C — Restricted Pending Review
Threat-detect binary	C — Restricted Pending Review

---

4 — Control Verification Gaps

Area	Own	SDLC	Deps	Secrets	Runtime	Recovery	Rating
notify_comment.go	🟡	🟡	🟢	🟢	🟡	🔴	🔴 RED
project_command.go	🟡	🟡	🟢	🟢	🟡	🟡	🟡 AMBER
scripts/...cjs	🟡	🟡	🟢	🟢	🟡	🟡	🟡 AMBER
safe_outputs/	🟡	🟢	🟢	🟢	🟢	🟢	🟢 GREEN
.github/workflows/	🟡	🟡	🟢	🟢	🟢	🟡	🟡 AMBER
go.mod/go.sum	🟢	🟢	🟢	🟢	🟢	🟢	🟢 GREEN
Threat-detect binary	🟡	🟡	🟡	🟢	🟢	🟢	🟡 AMBER

Top gaps: Recovery🔴 notify_comment.go (no fix PR, undefined MTTR) · SDLC🟡 escapeGraphQLString inconsistently applied · Dep🟡 threat-detect binary no digest pin · Ownership🟡 no file-specific CODEOWNERS for critical paths.

---

5 — Risk Scores

Area	ExpAmp	Patch	Detect	Frag	Own	Tier	Priority
notify_comment.go unsafe quoting	4	4	4	3	4	C	🔴 Critical
Threat-detect supply chain	5	2	2	4	3	C	🟠 High
safe_outputs credentials	3	3	3	4	4	B	🟠 High
CI 250-workflow supply chain	5	2	3	4	3	B	🟠 High
project_command.go GraphQL	2	5	4	2	4	B	🟡 Medium
scripts/ insecure temp files	2	4	4	2	3	B	🟡 Medium

ExpAmp = AI/LLM exploit amplification · Patch = fix ease (5=trivial) · Detect = monitoring visibility · Frag = operational fragility · Own = ownership confidence

AI-specific interaction: Areas C1+C2 compound (poisoned binary can't catch C1 YAML injection). B3+B4 compound (template injection could abuse B3 retained credentials).

---

6 — Remediation Queue

#	Action	SLA
R1	Fix notify_comment.go lines 407/414: replace '%s' with %q (pattern already at line 481 same file). Closes CodeQL #631/#632.	Critical — 48 h
R2	Add SHA-256/cosign attestation for threat-detect binary before execution; block gh-aw-detection flag exit from experimental until done.	High — 1 wk
R3	Remove invalid vulnerability-alerts: read from dependabot-go-checker and recompile. Closes actionlint error (#40261).	High — 1 wk
R4	Add regression test: no checkout generator emits persist-credentials: true in agent job path. Freeze credential-handling changes.	High — 1 wk
R5	Apply escapeGraphQLString() to ownerId, projectId, repositoryId in project_command.go. Closes Semgrep #627/#628.	Medium — 2 wk
R6	Replace /tmp creation in scripts/...evaluations.cjs (lines 26/133) with fs.mkdtempSync(). Closes CodeQL #629/#630.	Medium — 2 wk
R7	Add file-specific CODEOWNER entries for notify_comment.go, project_command.go, threat-detect integration.	Low — 4 wk
R8	Establish differential alert gate for runner-guard/zizmor accepted-design findings; document RGS-004/012/018 rationale.	Low — 4 wk

---

7 — Exception Register

ID	Pattern	Expiry	Mitigation
EX-001	315 runner-guard High accepted designs (RGS-004/012/018) — alert-fatigue normalization risk	2026-09-19	Differential alert gate (R8); quarterly re-validation
EX-002	gh-aw-detection binary unattested — experimental flag in production path	2026-07-19	R2 (attestation) before graduation from experimental

---

8 — Operational Metrics Baseline

Metric	Value	Signal
MTTR proxy	~24 h medium/low (5 fixes in 7 days); undefined for CRITICAL	🔴
Ownership coverage	100% blanket CODEOWNERS; 0% file-specific for critical paths	🟡
Unsupported dep ratio	0% (govulncheck daily, all deps current)	🟢
Exception aging	EX-001 now tracked with 2026-09-19 expiry	🟡
Exposure w/o recovery	2 gaps: notify_comment.go (no fix PR) + threat-detect (no attestation)	🔴
Scanner coverage	CodeQL · Semgrep · govulncheck · gosec · zizmor · actionlint · poutine · runner-guard	🟢
Secret scanning	0 open alerts	🟢
Commit velocity	282 commits / 7 days; 101 security-signal	🟢 (also raises churn risk)

References: §27836896591 · §27809452521 · §27643159359

Generated by UK AI Operational Resilience · 304.2 AIC · ⌖ 8 AIC · ⊞ 5K · ◷

• expires on Jun 22, 2026, 8:36 AM UTC-08:00

[github-actions[bot]]

This discussion was automatically closed because it expired on 2026-06-22T16:36:18.361Z.

Closed by Workflow