Security Alert Burndown

[mnkiefer]

Campaign Overview

Objective: Systematically burn down the code security alerts backlog, prioritizing file write vulnerabilities

This Epic issue tracks the overall progress of the campaign. All work items are sub-issues of this Epic.

Campaign Details:

• Campaign ID: security-alert-burndown
• Project Board: https://github.com/orgs/githubnext/projects/122
• Worker Workflows: code-scanning-fixer, security-fix-pr, security-review

KPIs:

• High-Severity Alerts Fixed (primary): baseline 0 → target 20 over 30 days
• File Write Vulnerabilities Fixed (supporting): baseline 0 → target 10 over 30 days

---

campaign_id: security-alert-burndown

Note

🔒 Integrity filtering filtered 12 items

Integrity filtering activated and filtered the following items during workflow execution.
This happens when a tool call accesses a resource that does not meet the required integrity or secrecy level of the workflow.

• issue:github/gh-aw#0 (search_issues: Resource 'issue:github/gh-aw#0' has lower integrity than agent requires. Agent would need to drop integrity tags [unapproved:all approved:all] to trust this resource.)
• #21434 (search_issues: Resource 'issue:Security Alert Burndown #21434' has lower integrity than agent requires. Agent would need to drop integrity tags [approved:all] to trust this resource.)
• #21632 (search_issues: Resource 'issue:Security Alert Burndown #21632' has lower integrity than agent requires. Agent would need to drop integrity tags [approved:all] to trust this resource.)
• #20251 (search_issues: Resource 'issue:Security Alert Burndown #20251' has lower integrity than agent requires. Agent would need to drop integrity tags [approved:all] to trust this resource.)
• #17766 (search_issues: Resource 'issue:redactions of markdown quoted ` ... ` text too strong #17766' has lower integrity than agent requires. Agent would need to drop integrity tags [approved:all] to trust this resource.)
• #20514 (search_issues: Resource 'issue:AGENTS.md in protected_files list blocks legitimate modifications #20514' has lower integrity than agent requires. Agent would need to drop integrity tags [unapproved:all approved:all] to trust this resource.)
• #19652 (search_issues: Resource 'issue:MCP Gateway v0.1.8: tools/call still returns HTTP 400 for Streamable HTTP backends #19652' has lower integrity than agent requires. Agent would need to drop integrity tags [unapproved:all approved:all] to trust this resource.)
• #18747 (search_issues: Resource 'issue:gh-aw binary not present in runner working directory for portfolio-analyst #18747' has lower integrity than agent requires. Agent would need to drop integrity tags [unapproved:all approved:all] to trust this resource.)
• #17893 (search_issues: Resource 'issue:Ona #17893' has lower integrity than agent requires. Agent would need to drop integrity tags [approved:all] to trust this resource.)
• #15306 (search_pull_requests: Resource 'pr:[Security] Fix HIGH vulnerability: javascript.lang.security.detect-child-process.detect-child-process #15306' has lower integrity than agent requires. Agent would need to drop integrity tags [approved:all] to trust this resource.)
• pr:[code-scanning-fix] Fix go/unsafe-quoting: Use base64 encoding for project views configuration #11432 (pull_request_read: Resource 'pr:[code-scanning-fix] Fix go/unsafe-quoting: Use base64 encoding for project views configuration #11432' has lower integrity than agent requires. Agent would need to drop integrity tags [unapproved:all approved:all] to trust this resource.)
• pr:[code-scanning-fix] Fix go/unsafe-quoting: Escape single quotes in JSON data #11382 (pull_request_read: Resource 'pr:[code-scanning-fix] Fix go/unsafe-quoting: Escape single quotes in JSON data #11382' has lower integrity than agent requires. Agent would need to drop integrity tags [unapproved:all approved:all] to trust this resource.)

Generated by Security Alert Burndown · ◷