Extend auto-triage-issues to triage gh-aw-security-finding issues#25171
…h severity labels and assignees
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/4af6e02e-400d-4671-90bd-14d111258967
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Pull request overview
Extends the Auto-Triage Issues agent to treat gh-aw-security-finding issues as a first-class triage path by applying severity/component labels and assigning a reviewer, and updates the compiled lock workflow accordingly.
Changes:
- Add new safe outputs (`remove-labels`, `assign-to-user`) to support security-finding triage actions.
- Introduce "Security Finding Triage" classification rules for severity labeling, reviewer assignment, and `needs-triage` cleanup.
- Regenerate `auto-triage-issues.lock.yml` to include the new tools in the prompt and safe-outputs config.
| File | Description |
|---|---|
| .github/workflows/auto-triage-issues.md | Adds security-finding triage rules plus new safe outputs configuration. |
| .github/workflows/auto-triage-issues.lock.yml | Compiled workflow updated to include new safe-output tools/config and prompt tool list. |
Copilot's findings
- Files reviewed: 2/2 changed files
- Comments generated: 4
| 1. **Fetch unlabeled issues** using GitHub tools | ||
| 2. **Process up to 10 unlabeled issues** (respecting safe-output limits) | ||
| 3. **Apply labels** to each issue based on classification | ||
| 4. **Create a summary report** as a discussion with statistics on processed issues | ||
| 2. **Fetch `gh-aw-security-finding` issues** that lack severity labels (`security:critical`, `security:high-severity`, `security:medium-severity`, `security:low-severity`) and lack assignees | ||
| 3. **Process up to 10 unlabeled or un-triaged security issues** (respecting safe-output limits) |
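Review bot: The cap of 10 in item 3 now has to cover both queues (the unlabeled issues from item 1 and the security findings from item 2), but nothing says how that budget is split or ordered. Consider stating that security findings are processed first, or giving each queue its own bound, so a backlog of ordinary unlabeled issues cannot starve the security queue run after run.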
In the scheduled-run instructions, the query is described as fetching security findings that both lack severity labels and lack assignees. That will miss findings that are missing only one of those (e.g., already labeled but unassigned, or assigned but missing severity), which seems inconsistent with the manual-run section and the PR description (“…lack severity labels or assignees”). Consider changing this to an “or” condition and explicitly stating both cases should be processed.
| - Otherwise, look up recent contributors to security-related files in the repository (e.g., recent commit authors on files under `pkg/workflow/`, `actions/`) and assign to the most recent contributor who appears to have security domain knowledge. | ||
| - If no clear match is found, skip the assignment and note in the scheduled-run report that the issue needs manual assignment. |
The assignment heuristic asks the agent to “look up recent contributors to security-related files … recent commit authors…”. This workflow only enables the GitHub issues toolset, which (per docs) does not include repo/commit tooling needed to inspect commit authors. Either expand tools.github.toolsets to include repos (and any other needed toolsets), or adjust the heuristic to use only issue-available signals (e.g., a fixed allowlisted reviewer rotation).
| - Otherwise, look up recent contributors to security-related files in the repository (e.g., recent commit authors on files under `pkg/workflow/`, `actions/`) and assign to the most recent contributor who appears to have security domain knowledge. | |
| - If no clear match is found, skip the assignment and note in the scheduled-run report that the issue needs manual assignment. | |
| - Otherwise, only use signals available from the issue itself (for example, an explicitly named owner, reporter-requested contact, or a clearly indicated responsible maintainer in the title/body). | |
| - If no clear assignee is identified from the issue content alone, skip the assignment and note in the scheduled-run report that the issue needs manual assignment. |
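Review bot: The replacement heuristic still takes the assignee from signals in the issue title/body ("an explicitly named owner, reporter-requested contact"), which the issue author controls on a public repository. This only holds up if assign-to-user is restricted to an allowlist, so the prompt should say the named person is used only when they appear in that allowlist; otherwise skip and report for manual assignment as the last bullet already does.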
| 6. **Remove `needs-triage`** if it is the only remaining label after applying the severity label (use `remove_labels`). Do not remove other labels. |
The rule “Remove needs-triage if it is the only remaining label after applying the severity label” is internally inconsistent: after applying a severity label there will be at least that label present, so needs-triage cannot be the only remaining label. Consider rewording to the intended condition (e.g., remove needs-triage if it was present and no other non-security classification labels were applied, or if it was the only pre-existing label before security triage).
| 6. **Remove `needs-triage`** if it is the only remaining label after applying the severity label (use `remove_labels`). Do not remove other labels. | |
| 6. **Remove `needs-triage`** if it was present and no other non-security classification labels were applied during this security triage pass (use `remove_labels`). Do not remove other labels. |
| add-labels: | ||
| max: 10 | ||
| remove-labels: {} | ||
| assign-to-user: {} |
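Review bot: remove-labels is enabled with `{}`, so it carries no explicit bound, while add-labels right above it has `max: 10`. Consider giving remove-labels the same `max: 10` so a single run cannot strip labels from more issues than it is allowed to label, and so the two limits stay in step with the "process up to 10" rule in the prompt.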
assign-to-user is enabled without any allowed/blocked restrictions, and the prompt’s heuristic suggests assigning to any @handle mentioned in the issue body. Since this workflow runs on public issue events, that can allow untrusted issue authors to cause assignments to arbitrary users. Consider configuring safe-outputs.assign-to-user.allowed to a small set of security reviewers (and/or blocked: ['*[bot]']), and updating the prompt to assign only within that allowlist.
| assign-to-user: {} | |
| assign-to-user: | |
| allowed: | |
| - SECURITY_REVIEWER_1 | |
| - SECURITY_REVIEWER_2 | |
| blocked: | |
| - '*[bot]' |
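A small model of the three triage rules argued over in the comments above, as an added example rather than code from the gh-aw project: the selection predicate with the "or" condition, assignee resolution limited to an allowlist plus blocked patterns, and the corrected needs-triage rule. Function names, the reviewer handles and the sample issue text are constructed.

```python
"""Model of the security-finding triage rules discussed in this review.
Added example, not gh-aw project code; handles and sample text are constructed."""
import re

SECURITY_FINDING = "gh-aw-security-finding"
SEVERITY_LABELS = {
    "security:critical",
    "security:high-severity",
    "security:medium-severity",
    "security:low-severity",
}
# GitHub handle after '@', optionally with a '[bot]' suffix; the lookbehind
# keeps e-mail addresses such as alice@example.com from matching.
HANDLE_RE = re.compile(r"(?<!\w)@([A-Za-z0-9][A-Za-z0-9-]{0,38}(?:\[bot\])?)")


def needs_security_triage(labels, assignees):
    """Select a finding that lacks a severity label OR lacks an assignee
    (the 'or' condition the first comment asks for; 'and' would skip
    issues that are labeled-but-unassigned or assigned-but-unlabeled)."""
    if SECURITY_FINDING not in labels:
        return False
    has_severity = bool(SEVERITY_LABELS & set(labels))
    return not has_severity or not assignees


def _glob_match(name, pattern):
    """Only '*' is a wildcard. fnmatch is deliberately avoided: there
    '[bot]' is a character class matching a single b/o/t, so '*[bot]'
    would not match 'dependabot[bot]' at all."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name, flags=re.IGNORECASE) is not None


def resolve_assignee(issue_body, allowed, blocked=("*[bot]",)):
    """Return the first @-handle from the (untrusted, author-controlled)
    issue body that is allowlisted and not blocked, else None, which the
    workflow treats as 'skip assignment and report for manual triage'."""
    allowed_lc = {a.lower() for a in allowed}
    for handle in HANDLE_RE.findall(issue_body):
        if handle.lower() not in allowed_lc:
            continue
        if any(_glob_match(handle, pat) for pat in blocked):
            continue
        return handle
    return None


def should_remove_needs_triage(labels_before, labels_added):
    """Corrected rule: drop needs-triage only when it was present and this
    pass applied nothing except security labels ('security', 'security:*')."""
    if "needs-triage" not in labels_before:
        return False
    return all(label.startswith("security") for label in labels_added)


if __name__ == "__main__":
    body = "Found by scan. Please route to @dependabot[bot] or @sec-reviewer."  # constructed
    print(needs_security_triage([SECURITY_FINDING, "security:high-severity"], []))  # True
    print(resolve_assignee(body, allowed=["sec-reviewer", "dependabot[bot]"]))  # sec-reviewer
```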
Several `gh-aw-security-finding` issues were filed without severity labels or assignees, leaving them stalled in the unlabeled queue. This extends the Auto-Triage Issues agent to handle these findings as a first-class triage path.

Frontmatter changes
- `remove-labels` — needed to strip `needs-triage` once a severity label is applied
- `assign-to-user` — enables routing findings to a security reviewer

Prompt changes
New "Security Finding Triage" classification section: when an issue carries `gh-aw-security-finding`, the agent now:
- applies a severity label (`security:critical`/`security:high-severity`/`security:medium-severity`/`security:low-severity`)
- high, stdio log permissions gap → `medium`)
- applies the `security` component label
- assigns to an @-handle in the issue body, then falls back to recent security-area contributors; skips with a note if no match
- removes `needs-triage` if it's the sole remaining label

Issue event / scheduled / manual run task descriptions updated to fetch `gh-aw-security-finding` issues lacking severity labels or assignees alongside the existing unlabeled-issue query

Warning
Firewall rules blocked me from connecting to one or more addresses (expand for details)
I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either: