[uk ai resilience] [uk-ai-resilience] UK AI Open Code Risk & Resilience Governance Report — 2026-07-02 #43013
Closed
Replies: 1 comment
-
|
This discussion was automatically closed because it expired on 2026-07-05T16:17:42.021Z.
|
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
UK AI Open Code Risk & Resilience Governance — 2026-07-02
Lookback window: 2026-06-25 → 2026-07-02 | Commits: 418 (92 security-signal) | Run: §28604141985
1. Executive Summary
Active development velocity is high (418 commits / 7 days, dominated by Copilot-authored PRs). Security posture is stable but has 3 untracked findings from CodeQL alerts created in this window. No secret scanning alerts. Two high-priority issues (#42799, #42800) were created yesterday and remain open and unassigned. The critical governance gap is the insecure temp-file pattern (CodeQL HIGH #635) in a CI evaluation script, which has no tracking issue.
No repository hiding or access restriction is recommended; all findings are addressable through targeted code fixes.
2. Asset Graph Summary (Recent-Change Scoped)
scripts/ensure-docs-slide-pdf.jsscripts/prepare-objective-impact-safe-output-evaluations.cjspkg/cli/project_command.gopkg/workflow/repository_features_validation.go.github/workflows/publish-safe-outputs-node.ymldocker/build-push-action@v7.2.0(CodeQL #625)pkg/parser/schedule_fuzzy_scatter.gopkg/compiler/(ARC/DinD PRs #42815, #42855)No Tier C or D assets identified.
3. Tier Classification Table
scripts/ensure-docs-slide-pdf.js(CodeQL #636)scripts/prepare-objective-impact-safe-output-evaluations.cjs(CodeQL #635)tmplibrary ormkdtemp.pkg/cli/project_command.go(CodeQL #627/#628)fmt.Sprintfwithout escaping. IDs come from prior API responses, not direct user input. Low exploitability, but inconsistent withescapeGraphQLString(title)on line 303. Defense-in-depth gap..github/workflows/publish-safe-outputs-node.yml(CodeQL #625)pkg/parser/schedule_fuzzy_scatter.go(CodeQL #637)repository_features_validation.go(CodeQL #626)pkg/compiler/ARC/DinD paths4. Control Verification Gaps
make fmt+ custom linters enforced.scripts/*.js,scripts/*.cjs) appear underrepresented in test coverage. No CI gate blocks on open Medium+ CodeQL alerts.scripts/: dependency management unclear (no visible package.json pinning check in CI for these scripts).docker/build-push-action@v7.2.0inpublish-safe-outputs-node.ymlis not SHA-pinned (tracked #42800). No automated Dependabot SHA-pinning enforcement for Actions.pkg/audit/. Error classification indetect_agent_errors.cjs.schedule_fuzzy_scatter.go). Silent integer overflow would not trigger an alert.5. Risk-Scoring Table
scripts/ensure-docs-slide-pdf.js(CodeQL #636, CWE-434/912)scripts/prepare-objective-impact-safe-output-evaluations.cjs(CodeQL #635, CWE-377/378)pkg/cli/project_command.go(CodeQL #627/#628, CWE-89)publish-safe-outputs-node.yml(CodeQL #625, CWE-829)schedule_fuzzy_scatter.go(CodeQL #637, CWE-190/681)repository_features_validation.go(CodeQL #626)pkg/compiler/ARC/DinD* ARC/DinD scored A because the changes are tested, reviewed, and contain no CodeQL findings.
Scoring dimensions (1=low, 5=high): Exposure amplification · Patchability (1=trivial) · Detectability (5=silent) · Operational fragility · Ownership confidence
6. Remediation Queue
scripts/prepare-objective-impact-safe-output-evaluations.cjs— insecure temp file (CodeQL #635, CWE-377)path.join(os.tmpdir(), ...)withfs.mkdtempSync(path.join(os.tmpdir(), 'prefix-'))or usetmpnpm librarypublish-safe-outputs-node.yml— unpinned action (CodeQL #625, CWE-829)docker/build-push-actionto full SHA. See issue #42800.schedule_fuzzy_scatter.go— int overflow (CodeQL #637, CWE-190)strconv.Atoi+ cast withstrconv.ParseUint(s, 10, 32). See issue #42799.scripts/ensure-docs-slide-pdf.js— http-to-file (CodeQL #636, CWE-434)pkg/cli/project_command.go— GraphQL unescaped IDs (CodeQL #627/#628, CWE-89)ownerId,projectId,repositoryIdwithescapeGraphQLString()or use parameterized GraphQL variables7. Exception Register
No exceptions requested. All findings are patchable without exception. No permanent hiding or access restriction recommended.
8. Operational Metrics Baseline
References:
Beta Was this translation helpful? Give feedback.
All reactions