[security-observability] Daily Security Observability Report — 2026-05-18

[github-actions[bot]]

Executive Summary

Over the last 7 days, the gh-aw firewall system monitored 56 firewall-enabled workflow runs across 23 audited runs, recording 463 allowed requests and 234 blocked requests (block rate: ~34%). The blocked traffic is attributed to requests to domains outside the declared network.allowed allowlists, classified as (unknown) by the firewall proxy — primarily concentrated in runs on 2026-05-18. On the DIFC side, 33 integrity-filtering events were observed across 4 workflows, all triggered by the github MCP server attempting to surface issues created by external (unapproved) contributors to the Issue Triage Agent.

The cross-cutting theme is clear: both the firewall blocks and the DIFC filtering events are driven by the Issue Triage Agent workflow, which interacts with external user-submitted content. This workflow accounts for 27/33 (82%) of all DIFC events and is among the runs with the most blocked network requests on 2026-05-18.

---

🔥 Firewall Analysis

Key Firewall Metrics

Metric	Value
Workflows analyzed (firewall-enabled)	23 audited / 56 total
Total network requests monitored	697
✅ Allowed requests	463
🚫 Blocked requests	234
Block rate	33.6%
Total unique blocked domains	1 ((unknown))

📈 Firewall Request Trends

Firewall activity was relatively quiet on 2026-05-17 with 49 allowed requests and zero blocks, but surged dramatically on 2026-05-18 with 414 allowed and 234 blocked requests. This spike corresponds to multiple smoke CI runs and agent workflows executing in parallel during a heavy development day, many of which attempted to reach unlisted domains.

Top Blocked Domains

All 234 blocked requests are attributed to the (unknown) domain category — meaning these requests targeted domains not present in the workflow's declared network.allowed list and were silently dropped by the proxy. The chart above shows which workflows generated the most blocked traffic, with Smoke CI and in-progress agent runs leading the list.

Most Frequently Blocked Domains

Domain	Times Blocked	Category
(unknown / unlisted domains)	234	Network policy violation

Policy Rule Attribution

📋 Policy: 8 rules, SSL Bump disabled, DLP disabled

No individual rule hits were recorded in the policy analysis — all blocks are attributed to the default-deny catch-all for unlisted destinations.

View Detailed Request Patterns by Workflow

Workflow	Allowed	Blocked
Issue Triage Agent	12	12
Code Simplifier	40	21
Daily Team Evolution Insights	40+	21+
Smoke CI (multiple runs)	~150	~80
Design Decision Gate	varies	varies
PR Sous Chef	varies	varies
Daily SPDD Spec Planner	varies	varies

View Allowed Domain List

• api.githubcopilot.com:443
• github.com:443
• proxy.golang.org:443
• raw.githubusercontent.com:443
• registry.npmjs.org:443
• storage.googleapis.com:443
• sum.golang.org:443
• api.openai.com:443
• api.anthropic.com:443
• files.pythonhosted.org:443
• pypi.org:443

🔒 Firewall Security Recommendations

1. Identify unknown blocked domains: The proxy currently aggregates all policy-blocked requests as (unknown). Enable DNS/SNI logging on the firewall proxy to resolve specific destination domains so blocked traffic can be individually audited.
2. Review Smoke CI network policy: Smoke runs consistently generate blocked traffic — ensure the network.allowed list in smoke workflow frontmatter includes all necessary test endpoints.
3. Audit in-progress runs: Several workflows were in_progress at audit time (Smoke Codex, Smoke Claude, Smoke Gemini, etc.) and may have additional blocked traffic not yet captured.
4. Consider allowlisting common Go/npm/Python registries: proxy.golang.org, registry.npmjs.org, pypi.org are already allowed in some workflows but not all — standardize these in a shared network policy template.

---

🔒 DIFC Integrity Analysis

Key DIFC Metrics

Metric	Value
Total filtered events	33
Unique tools filtered	3
Unique workflows affected	4
Most common filter reason	integrity (100%)
Busiest day	2026-05-18 (28 events)

📈 DIFC Events Over Time

DIFC filtering activity is strongly concentrated on 2026-05-18 (28 events, 85% of the week's total), driven almost entirely by the Issue Triage Agent's scheduled execution. The remaining 5 events on 2026-05-17 come from CLI Version Checker (4) and Daily Team Evolution Insights / Code Simplifier (1 each), indicating these workflows also regularly encounter external-contributor content.

🔧 Top Filtered Tools

list_issues dominates with 28/33 events (85%), followed by search_issues (4) and pull_request_read (1). All filtered calls were to the github MCP server. The pattern is consistent: the agent attempts to read issues/PRs created by external contributors whose content carries unapproved:all integrity tags — exactly the scenario DIFC is designed to block.

🏷️ Filter Reasons and Tags

100% of filtered events carry the integrity reason — no secrecy-based filtering was observed this week. The dominant integrity tags are none:all (33 events) and unapproved:all (32 events), indicating the filtered resources were created by users with no prior approval status in the repository.

📋 Per-Workflow DIFC Breakdown

Workflow	Filtered Events
Issue Triage Agent	27
CLI Version Checker	4
Daily Team Evolution Insights	1
Code Simplifier	1

📋 Per-Server DIFC Breakdown

MCP Server	Filtered Events
github	33

👤 Per-User DIFC Breakdown (issues whose content was filtered)

Author Login	Filtered Events
IEvangelist	5
anthonymastreanvae	4
JamesNK	3
samuelkahessay	2
jeffhandley	2
theletterf	2
jsquire, benissimo, bindsi, polmichel, arthurfvives, jonathanpeppers, wtgodbe, chrizbo, matiloti, danielmeppiel, norrietaylor, Arithmomaniac, bbonafed, sneric	1 each

💡 DIFC Tuning Recommendations

1. Approve frequent contributors: Users like IEvangelist, JamesNK, jeffhandley, and theletterf appear repeatedly across filtered events. If these are known contributors, approve them to eliminate unnecessary filtering and allow the Issue Triage Agent to process their submissions.
2. Add an allowlist pre-check step: Before the Issue Triage Agent invokes list_issues, add a deterministic pre-step that filters the issue list to only approved-author issues, reducing the number of DIFC filter events at runtime.
3. Tune CLI Version Checker: This workflow triggered 4 filtering events on 2026-05-17 from search_issues. Scope its query to is:author:@me`` or limit to repository-member authors to avoid external content.
4. Review Daily Team Evolution Insights & Code Simplifier: Each triggered 1 filtering event — audit their prompts to ensure they're not inadvertently ingesting external issue/PR data without appropriate author filtering.
5. Consider author_association filtering: The DIFC events include author_association metadata. Workflows that only need to process MEMBER or COLLABORATOR content can pre-filter by association before passing data to the agent.

---

Generated by the Daily Security Observability workflow (consolidated from Daily Firewall Reporter + Daily DIFC Analyzer)
Analysis window: Last 7 days | Repository: github/gh-aw
References: §26047302624

Generated by 🔒 Daily Security Observability Report · ● 21.7M · ◷

• expires on May 21, 2026, 5:17 PM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Daily Security Observability Report.

A newer discussion is available at Discussion #33809.