Executive Summary

Over the last 7 days, the gh-aw agentic workflow platform processed 4,524 firewall-monitored network requests across 10 firewall-enabled workflow runs, with an exceptionally low block rate of 0.4% (18 blocked requests). The firewall is functioning as designed — permitting AI API traffic (GitHub Copilot, Anthropic), telemetry (Sentry, Grafana), and infrastructure-related domains while blocking non-whitelisted services. The three blocked domains (proxy.golang.org, awmg-mcpg, and patch-diff.githubusercontent.com) represent expected policy enforcement: Go proxy access is not in the allowlist, internal infrastructure hostnames should not be accessed directly, and the GitHub patch diff endpoint is not on the approved list.

The DIFC (Data Integrity and Flow Control) integrity-filtered event collection timed out during this reporting window. No DIFC event data is available for the last 7 days. This is noted as an observability gap and warrants investigation into whether the DIFC collection service is experiencing performance issues.
Firewall Analysis

Key Firewall Metrics

| Metric | Value |
|---|---|
| Workflows analyzed (firewall-enabled) | 10 |
| Total network requests monitored | 4,524 |
| Allowed requests | 4,506 |
| Blocked requests | 18 |
| Block rate | 0.4% |
| Total unique blocked domains | 3 |
Firewall Request Trends
Allowed traffic is consistently dominated by AI API calls (GitHub Copilot: 2,486, Sentry telemetry: 1,019, Grafana OTLP: 877). Blocked traffic is negligible across all dates, with a small spike on 2026-07-01 reflecting increased run volume. The firewall is not causing disruption to agent operations.
Top Blocked Domains
The three blocked domains are: proxy.golang.org (9 blocks, Go module proxy — not on the allowlist), awmg-mcpg (8 blocks, internal AWF infrastructure DNS name — likely health-check or direct-access attempts), and patch-diff.githubusercontent.com (1 block, GitHub patch diff CDN endpoint not in the allowed domains list).

Policy Rule Attribution

Policy rules active across all 10 monitored runs follow a default-deny architecture with explicit allowlists.

Firewall Security Recommendations
Add proxy.golang.org to allowlist — Workflows performing Go compilation or module validation (Daily Formal Spec Verifier, Impeccable Skills Reviewer) need access to the Go module proxy. Consider adding .proxy.golang.org and .sum.golang.org to the allow-both-plain rule if Go build operations are expected.
Investigate awmg-mcpg blocks — Test Quality Sentinel is attempting to connect directly to the internal AWF infrastructure DNS name. This may indicate a misconfiguration in MCP server URL resolution. The host should be accessed only via the api-proxy sidecar, not directly.
Add patch-diff.githubusercontent.com to allowlist — PR review workflows that need to fetch patch diffs from GitHub CDN should have this domain added to the allowlist, or the workflow logic should be updated to use the standard api.github.com endpoint instead.
Enable DLP — The current dlpEnabled: false setting in the firewall policy means data loss prevention is inactive. Consider enabling for high-sensitivity workflows.
DIFC Integrity Analysis

Key DIFC Metrics

| Metric | Value |
|---|---|
| Total filtered events | N/A — data unavailable |
| Collection status | Timed out (context deadline exceeded) |
| Analysis window | Last 7 days |
Note: The DIFC integrity-filtered event collection (filtered_integrity logs query) timed out on all attempts during this run. This is an observability gap — it is not possible to determine whether events occurred or not.
DIFC Events Over Time
Top Filtered Tools
Filter Reasons and Tags
DIFC Tuning Recommendations
Investigate DIFC collection timeout — The filtered_integrity logs query consistently times out (60s deadline exceeded on 3 attempts). This prevents visibility into tool call filtering. Investigate whether the DIFC gateway service is healthy and whether the query can be optimized with smaller date windows or pagination.
Establish DIFC baseline — Once collection is restored, establish a baseline of expected filtered events per workflow to enable anomaly detection in future reports.
Consider warm-start cache — The existing cache snapshot (filtered-logs.snapshot.json) is >7 days old (last updated 2026-06-23). Consider refreshing this cache on successful DIFC queries to enable warm-start capability for future runs.
Generated by the Daily Security Observability workflow (consolidated from Daily Firewall Reporter + Daily DIFC Analyzer)
Analysis window: Last 7 days | Repository: github/gh-aw
Run: §28532989643