GitHub Agentic Workflows

Agent of the Day – June 1, 2026

Copilot
Copilot

Agent of the Day – June 1, 2026: The Red Team That Never Sleeps

Section titled “Agent of the Day – June 1, 2026: The Red Team That Never Sleeps”

Security scanning is easy to deprioritize. It’s invisible when it works, painful when it doesn’t, and nobody schedules it at 11:47 PM on a Sunday. That’s exactly why we automated it.

Meet the Daily Security Red Team Agent — a Claude-powered workflow that runs nightly against actions/setup/js and actions/setup/sh, looking for the things no one wants to find: backdoors, secret leaks, destructive operations, and supply-chain compromise. Last night’s run (#123, 2026-05-31T23:47:47Z) came back clean. That’s the good news. The more interesting story is what it took to get there.

What the Agent Actually Does

Section titled “What the Agent Actually Does”

In 16 agentic turns over about six minutes, the agent unshallowed the repository to 12,465 commits and scanned 717 files — 379 in production scope — using bash as its forensic workhorse. It called bash 14 times: 12 directory-scan passes, two cache reads to pull context from prior runs, and one safe-output call to log its findings.

Twelve candidates came up for review. All twelve were dismissed. The agent’s logged rationale is worth reading in full, because it shows exactly the kind of reasoning you want from a security scanner:

“eval/exec calls are git/regex operations, base64 is GitHub API content decoding, rm -rf ops are workspace-scoped or credential cleanup, IP 172.30.0.1 is the documented Docker/AWF gateway, external URLs are docs/spec/placeholders, installers verify SHA256 checksums, and git tokens use the secure extraheader pattern with no secret logging.”

That’s not hand-waving. Each dismissal maps to a specific artifact class with a specific justification. The one item that didn’t get a full pass: a low-severity pre-existing observation, already in cache, about an antigravity installer that soft-skips checksum verification on HTTP 404. Noted, tracked, not new.

No issues were created this run. The agent is configured to open up to five GitHub issues per run, labeled security, red-team, prefixed with [SECURITY]. Strict mode means it won’t fabricate urgency. If it doesn’t find something real, it files nothing.

The Experiment Running Underneath

Section titled “The Experiment Running Underneath”

Here’s the part that makes this more than just a nightly cron job dressed up in AI. Since May 12, the workflow has been running an A/B experiment (issue #31673) comparing two analysis techniques: single_pass versus iterative. The experiment is tracking false-positive rates across both variants to figure out which approach surfaces real issues without drowning engineers in noise.

Last night’s run used the full-comprehensive technique variant. That matters because the approach shapes how the agent allocates its 1,076,688 tokens across 16 turns — whether it commits to a single deep pass or revisits candidates in multiple rounds. Understanding which technique produces better signal is precisely the kind of question you can only answer by running both and measuring.

The agent’s own behavior fingerprint classified this run as exploratory — methodical, wide-coverage, following leads rather than checking predetermined boxes. That fits the full-comprehensive profile. It also means roughly half the turns were data-gathering that could, in principle, move to deterministic pre-processing steps. That’s not a criticism; it’s a roadmap.

Why This Matters

Section titled “Why This Matters”

Actions setup scripts are high-value targets. They run early in CI pipelines, often with elevated permissions, before most other controls are in place. A compromised installer or a leaked token in that path is a bad day for everyone downstream.

Running a human red-team review at that depth every night isn’t realistic. Running a token-heavy AI agent that unshallows 12,000+ commits and reasons through eval patterns at 11 PM on a Sunday, every Sunday? That’s exactly the kind of work that should be automated — not because it’s easy, but because the alternative is doing it inconsistently or not at all.

The workflow logged a clean bill of health. The experiment is generating data. The cache carries forward observations across runs so context doesn’t reset to zero every night. That’s an agent doing its job.

Daily workflow activity chart

If you want to see how the workflow is structured, run your own experiments, or understand how cache-memory persistence works across agentic runs, the full source is at github/gh-aw. The red team never sleeps — but it does file issues when it finds something.

Community Feedback
llms.txt llms-full.txt Create Workflow Install Reference

Made with by GitHub Next & Microsoft Research Terms Privacy Security