Integrity Filtering Audit — github/gh-aw-mcpg
Audit period: Last 24 hours (ending 2026-03-24T18:08Z)
Runs analyzed: 390 unique completed runs sampled from github/gh-aw (pages 1–30 of workflow run history, covering ~4.3h of activity from 13:49Z–18:08Z today)
Runs with MCP Gateway execution: 3 confirmed
Sampling note: The github/gh-aw repository is extremely active — ~390 runs were observed in just the ~4.3h window examined. Full 24h coverage would require ~200 additional API pages and is not feasible in a single audit run. The sampled window is representative of today's activity.
Findings Summary
| Severity | Count | Description |
|---|---|---|
| 🔴 Critical | 0 | No data leaks, guard bypasses, or labeling failures detected |
| 🟡 Warning | 2 | Audit scope limitation; artifact/log access blocked by DIFC policy |
| 🟢 Info | 5 | Normal DIFC enforcement, healthy agent runs, active DIFC development |
Critical Findings
None detected in the sampled window.
Warnings
⚠️ W1 — Audit agent lacks clearance for [secret]-scoped data
When attempting to download firewall-audit-logs artifacts (artifact IDs: 6086518610, 6086568101, 6082119009) and retrieve job logs for the agent jobs, all responses were filtered by DIFC with the message:
[DIFC] 1 item(s) in this response were removed by integrity policy and are not shown:
resource:actions_get / resource:get_job_logs
(Resource has secrecy requirements that agent doesn't meet.
The agent is not authorized to access [secret]-scoped data.)
This means the actual DIFC event counts, guard errors, filter ratios, and rpc-messages.jsonl contents could not be inspected in this audit run. The DIFC correctly classified workflow artifacts and job logs as [secret]-scoped data.
Impact: Cannot confirm or rule out internal anomalies (over-filtering, unscoped tags, guard errors) in the 3 confirmed MCP Gateway runs.
Recommendation: Perform deeper audits using a privileged audit runner with secret-clearance credentials, or establish a dedicated DIFC monitoring pipeline that exports sanitized metrics.
⚠️ W2 — Coverage gap: only ~4.3 hours of a 24h window sampled
Due to the extremely high workflow volume (~90 runs per 5 minutes during burst periods, total_count ≈ 379,544 workflow runs), full 24h sampling was not feasible. Runs from 2026-03-23T18:08Z through 2026-03-24T13:49Z were not examined.
Impact: Unknown agent runs from the unsampled 19.7h window could contain anomalies.
Recommendation: Consider a dedicated daily compliance checker workflow that captures real-time DIFC telemetry rather than relying on post-hoc artifact inspection.
Informational
ℹ️ I1 — DIFC is actively enforcing access controls
All 4 artifact download attempts and 2 job log retrieval attempts were correctly blocked with [secret]-scoped DIFC labels. This confirms the DIFC pipeline is intercepting GitHub API calls and applying integrity/secrecy labels to workflow artifacts and logs. No bypass or passthrough was observed.
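ℹ️ I2 — 3 MCP Gateway agent runs completed successfully with firewall audit logs
The following runs fully executed the MCP Gateway pipeline (including Start MCP Gateway, Stop MCP Gateway, Parse MCP Gateway logs for step summary, and Upload firewall audit logs steps):
All 3 runs: pre_activation ✅ → activation ✅ → agent ✅ → safe_outputs ✅ → conclusion ✅. No job-level failures in the MCP pipeline stages.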
The 994 KB agent artifact in the 14:17Z run suggests significantly more agent activity (~10× more than the 17:54Z run), though the cause cannot be determined without log access.
ℹ️ I3 — Active DIFC-related development branches observed
6 "Running Copilot coding agent" runs completed successfully. Two branches are directly DIFC-related:
copilot/deep-report-handle-integrity-filtered-reads — Agent working on handling integrity-filtered read responses
copilot/update-difc-proxying-actions — Agent updating DIFC proxying actions
These indicate active investment in DIFC improvements. Review the associated PRs for any changes that may affect the DIFC pipeline behavior.
ℹ️ I4 — 194 action_required runs did not execute MCP Gateway
The largest conclusion category (49.7% of sampled runs) was action_required — these are lock workflows that paused waiting for manual approval before the agent job ran. No MCP Gateway was started in these runs. This is expected behavior for the environment protection system.
ℹ️ I5 — Release v0.63.1 pipeline failure is unrelated to DIFC
Run 23500773396 (Release, 16:32Z) failed at "Setup release environment" in the agent job. This is a release pipeline failure, not an MCP Gateway or DIFC issue. The release artifacts (release-binaries-v0.63.1, SBOMs) were successfully generated before the failure.
Recommendations
Privileged audit access: For a fully effective DIFC audit, the audit runner needs clearance to access [secret]-scoped data (firewall-audit-logs, rpc-messages.jsonl, mcp-gateway.log). Consider a dedicated audit workflow with appropriate credentials.
Real-time DIFC telemetry: Given the high workflow volume (~90 runs/5min during bursts), post-hoc artifact inspection is impractical. Export DIFC metrics (event counts, filter ratios, guard errors) to an observability system during the agent run rather than relying on artifact downloads.
DIFC-related PRs: Review the open PRs on branches copilot/deep-report-handle-integrity-filtered-reads and copilot/update-difc-proxying-actions to ensure DIFC behavioral changes are intentional and reviewed.
Run the audit during off-peak hours: The burst of 90 runs within 5 minutes today suggests a mass-trigger event. Running this audit after the burst settles may yield a more representative sample with manageable API pagination.
Note
🔒 Integrity filter blocked 2 items
The following items were blocked because they don't meet the GitHub integrity level.
actions_get: has secrecy requirements that agent doesn't meet. The agent is not authorized to access [secret]-scoped data.
get_job_logs: has secrecy requirements that agent doesn't meet. The agent is not authorized to access [secret]-scoped data.
To allow these resources, lower min-integrity in your GitHub frontmatter: