Skip to content

Re-enable sandbox for daily-team-evolution-insights workflow#12103

Merged
pelikhan merged 3 commits intomainfrom
copilot/re-enable-sandbox-or-document-exception
Jan 27, 2026
Merged

Re-enable sandbox for daily-team-evolution-insights workflow#12103
pelikhan merged 3 commits intomainfrom
copilot/re-enable-sandbox-or-document-exception

Conversation

Copy link
Contributor

Copilot AI commented Jan 27, 2026
edited
Loading

Static analysis flagged daily-team-evolution-insights.md running with sandbox: false, disabling firewall and MCP gateway protections. Workflow only requires GitHub API (read repo activity) and Claude API (AI processing) - no legitimate need for unrestricted network access.

Changes

  • Removed sandbox: false configuration
  • Replaced wildcard network allowlist (["*"]) with explicit domains:
    • github.com, api.github.com (GitHub API access)
    • anthropic.com, api.anthropic.com (Claude engine)
  • Removed documentation section justifying the security exception
  • Recompiled workflow to generate lock file with AWF and MCP gateway enabled

Security Impact

Restores defense-in-depth protections:

  • AWF enforces domain-based egress control
  • MCP Gateway routes and inspects all MCP server requests
  • Process isolation prevents data exfiltration to unauthorized domains

Before:

sandbox: false
network:
  allowed: ["*"]

After:

# sandbox defaults to true
network:
  allowed:
    - "github.com"
    - "api.github.com"
    - "anthropic.com"
    - "api.anthropic.com"
Original prompt

This section details on the original issue you should resolve

<issue_title>[deep-report] Re-enable sandbox or document exception for daily-team-evolution-insights</issue_title>
<issue_description>### Description
Static analysis flagged daily-team-evolution-insights.md as running with sandbox: false, which disables firewall and MCP gateway protections. Review the workflow to either re-enable sandboxing or document the explicit security exception and add compensating controls.

Expected Impact

Restores baseline security posture for agentic workflows and reduces risk of uncontrolled network access.

Suggested Agent

Security Review / Workflow Hardening agent

Estimated Effort

Medium (1-4 hours)

Data Source

DeepReport Intelligence Briefing - 2026-01-27 (§21402586299); Static Analysis Report discussion githubnext/gh-aw#12036.

AI generated by DeepReport - Intelligence Gathering Agent

Comments on the Issue (you are @copilot in this section)

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

Copilot AI and others added 2 commits January 27, 2026 20:07
@pelikhan
Re-enable sandbox protection for daily-team-evolution-insights workflow
70a0801 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan
Add Anthropic domains to network allowlist for Claude engine
22a70b0 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Re-enable sandbox or document exception for insights Re-enable sandbox for daily-team-evolution-insights workflow Jan 27, 2026
Copilot AI requested a review from pelikhan January 27, 2026 20:13
@pelikhan pelikhan marked this pull request as ready for review January 27, 2026 21:07
@pelikhan pelikhan merged commit 8de3390 into main Jan 27, 2026
@pelikhan pelikhan deleted the copilot/re-enable-sandbox-or-document-exception branch January 27, 2026 21:07
This was referenced Jan 27, 2026
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pelikhan pelikhan Awaiting requested review from pelikhan

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[deep-report] Re-enable sandbox or document exception for daily-team-evolution-insights

2 participants

@pelikhan