[guard-coverage] Guard coverage gap: 1 new CLI write operation not covered (gh agent-task create) #3132

@github-actions

Summary

The GitHub guard does not cover 1 new write operation introduced via the GitHub CLI since the last scan. This operation has no equivalent MCP tool in the GitHub MCP server and no pre-emptive guard entry.

  • MCP tools scanned: 80 (all fully covered — no new MCP classification or DIFC labeling gaps)
  • CLI write commands scanned: ~61
  • Guard-covered write tools (tools.rs): 42 in WRITE_OPERATIONS + 7 in READ_WRITE_OPERATIONS = 49 named entries (plus merge_*, delete_*, update_*, create_*, lock_*, unlock_* pattern coverage)
  • Tools with explicit DIFC rules (tool_rules.rs): All 80 upstream MCP tools have explicit apply_tool_labels match arms
  • New gaps found this run: 1

GitHub CLI-Only Gaps

These write operations are reachable via the GitHub CLI but have no corresponding MCP tool and no guard entry.

| CLI Command | REST Endpoint | GitHub API Action | Risk |
|---|---|---|---|
| gh agent-task create | POST <copilot-api>/agents/swe/v1/jobs/{owner}/{repo} | Creates a Copilot coding-agent job that opens a PR and modifies repo branches | Medium |

Details

gh agent-task create (preview feature, added to cli/cli at pkg/cmd/agent-task/create/) calls the Copilot Agent API:

POST {copilot_base_url}/agents/swe/v1/jobs/{owner}/{repo}

This creates a coding-agent job that:

  • Creates a new branch in the target repository
  • Pushes code changes implementing the requested task
  • Opens a pull request

While this goes through the Copilot API (not the standard GitHub REST API at api.github.com), it results in real repository mutations (branches, PRs) and has no guard entry.

Suggested remediation

Add a pre-emptive entry to WRITE_OPERATIONS in guards/github-guard/rust-guard/src/tools.rs:

// Pre-emptive entries for anticipated future MCP tools (no equivalent tool today)
// ...existing entries...
"create_agent_task",  // gh agent-task create — creates Copilot coding-agent job (branch + PR)

And add a corresponding match arm in guards/github-guard/rust-guard/src/labels/tool_rules.rs:

"create_agent_task" => {
    // Creates a Copilot coding-agent job that modifies repo branches and opens a PR.
    // S = S(repo) — inherits from repository visibility
    // I = writer (requires repo write access)
    secrecy = apply_repo_visibility_secrecy(&owner, &repo, repo_id, secrecy, ctx);
    integrity = writer_integrity(repo_id, ctx);
}

Alternatively, file a request to the GitHub MCP server team to add a create_agent_task tool so it can be properly modeled.


Notes on gh run delete (no gap)

A new gh run delete command was also observed (pkg/cmd/run/delete/, DELETE /repos/{owner}/{repo}/actions/runs/{run_id}). This is covered by the guard's delete_* prefix pattern in is_delete_operation() and requires no action.


All 80 MCP Tools: Fully Covered ✅

All tools from github-mcp-server at the current main branch (80 tools, same count as previous run) are:

  • Correctly classified in WRITE_OPERATIONS, READ_WRITE_OPERATIONS, or a prefix pattern in tools.rs
  • Covered by explicit DIFC labeling match arms in tool_rules.rs

Generated by GitHub Guard Coverage Checker (MCP + CLI)

  • expires on Apr 17, 2026, 8:10 PM UTC
