From 8980c7a4fc5a830fd17cdd031c72213f4cc7294b Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 11 Jun 2026 11:53:54 +0000 Subject: [PATCH] docs: update glossary - daily scan 2026-06-11 Add Threat Detection Max AI Credits entry for the new safe-outputs.threat-detection.max-ai-credits frontmatter field introduced in #38456. This field caps AIC spend for threat-detection runs (default 400), with precedence over GH_AW_DEFAULT_DETECTION_MAX_AI_CREDITS. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- docs/src/content/docs/reference/glossary.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/docs/src/content/docs/reference/glossary.md b/docs/src/content/docs/reference/glossary.md index 7dc6150b461..cf95eca8c72 100644 --- a/docs/src/content/docs/reference/glossary.md +++ b/docs/src/content/docs/reference/glossary.md @@ -160,6 +160,17 @@ A critical security vulnerability that occurs when a `pull_request_target` workf Automated security analysis that scans agent output and code changes for potential security issues before application. When safe outputs are configured, a threat detection job automatically runs between the agent job and safe output processing to identify prompt injection attempts, secret leaks, and malicious code patches. See [Threat Detection Reference](/gh-aw/reference/threat-detection/). +### Threat Detection Max AI Credits (`safe-outputs.threat-detection.max-ai-credits`) + +A `safe-outputs.threat-detection` field that caps the total AI Credits (AIC) the AWF proxy will spend for a single threat-detection run. Defaults to `400` AIC when omitted. Accepts an integer, a `K`/`M` suffix string (e.g., `750`), or `-1` to disable budget steering for detection runs. The organization-wide default can be overridden at runtime via `vars.GH_AW_DEFAULT_DETECTION_MAX_AI_CREDITS` without recompiling. Precedence: frontmatter literal → `GH_AW_DEFAULT_DETECTION_MAX_AI_CREDITS` variable → built-in default of `400`. See [Compiler Enterprise Environment Controls](/gh-aw/reference/compiler-enterprise-environment-controls/). + +```aw wrap +safe-outputs: + create-pull-request: + threat-detection: + max-ai-credits: 750 +``` + ### Staged Mode A preview mode where workflows simulate actions without making changes. The AI generates output showing what would happen, but no GitHub API write operations are performed. Use for testing before production runs. See [Staged Mode](/gh-aw/reference/staged-mode/) for details.