NHS England orders GitHub repos made private

According to guidance seen by The Register, NHS England has instructed maintainers to set public GitHub repositories to private by May 11. The internal guidance cites risks from advanced AI models, naming Mythos and referencing Anthropic, and says repositories should not be public "unless there is an explicit and exceptional need," The Register reports. An NHS England spokesperson told The Register, "We are temporarily restricting access to some NHS England source code to further strengthen cybersecurity while we assess the impact of rapid developments in AI models," and added, "We will continue to publish source code where there is a clear need." _New Scientist_ separately published the same deadline and quoted guidance that "All source code repositories must be private by default." A technical blog (shkspr.mobi) published a leaked guidance note referred to as SDLC-8 and a quote attributed to a senior technical person describing imminent removals of nonessential repos.
What happened
According to guidance seen by The Register, NHS England has instructed technology teams to set public GitHub repositories to private by May 11. The guidance cited the risk of "unintended disclosure of source code, architectural decisions, configuration detail, and contextual information that may be exploited," and explicitly mentioned Mythos as an example of an advanced AI model, The Register reports. The Register also reports the guidance states repositories should not be public "unless there is an explicit and exceptional need," and that the change was approved by the NHS' Engineering Board. An NHS England spokesperson told The Register, "We are temporarily restricting access to some NHS England source code to further strengthen cybersecurity while we assess the impact of rapid developments in AI models," and added, "We will continue to publish source code where there is a clear need."
Technical details
Per coverage in New Scientist, the same guidance instructs that "All source code repositories must be private by default," with the May 11 deadline repeated in that reporting. A technical blog, shkspr.mobi, published a copy of a guidance note referred to as SDLC-8 and reproduced a quote attributed to a senior technical person in NHS England saying, "We are obviously looking at things like Mythos, which is more sophisticated at finding vulnerabilities... Most of our repos, unless they're essential, will be removed for security reasons." Those items appear in public reporting; neither New Scientist nor The Register attributes that quote directly to an on-the-record NHS executive beyond the NHS England spokesperson quoted by The Register.
Editorial analysis: Industry context: Companies and public bodies with large open-source footprints face renewed scrutiny of code publication as large AI models increase the surface area for automated scanning and vulnerability discovery. Observed patterns in similar situations show organisations balancing legal and policy commitments to open source with short-term threat mitigation measures, often tightening access controls while reviewing sensitive components.
Editorial analysis: Practitioner implications: For practitioners tracking software supply-chain and reproducibility, temporary closure of repositories can impede reuse, auditability, and community contributions. Industry observers note that when public-sector code is made private, downstream teams and third-party auditors frequently request access arrangements or redaction workflows to preserve reviewability without full public exposure.
For practitioners: What to watch
Observers should track whether NHS England publishes a follow-up statement or a revised open-source policy. Also watch for:
- timelines for returning repos to public view
- any exceptions or formal approval processes for public access
- whether other public-sector bodies adopt similar guidance

Reporting to date consists of The Register and New Scientist coverage and the shkspr.mobi reproduction of internal guidance; NHS England's public rationale is currently limited to the quoted spokesperson remarks in The Register.
Scoring Rationale
This is a notable, timely security policy change from a large public-sector maintainer with broad implications for open-source auditability and supply-chain hygiene. It is not a frontier-technology release but affects many practitioners who rely on public-sector code.

