We just open-sourced CargoWall - a lightweight eBPF firewall for GitHub Actions.

We originally built it to stop LLM agents from connecting to untrusted domains. After recent GitHub Actions supply chain compromises like the Trivy attack, we realized it'd work well for blocking untrusted connections from CI runners too.

It uses iptables DNAT to redirect all outbound port 53 traffic to a local DNS proxy, which checks each query against a hostname allowlist before forwarding. Resolved IPs from allowed responses are inserted into eBPF LPM trie maps, and a TC egress classifier attached to the network interface drops any packet whose destination IP/protocol/port isn't in the trie.

Cgroup hooks capture every socket connect/sendmsg call system-wide, mapping the socket cookie to the process to correlate where connections are coming from. It then correlates the connection times with steps to provide a summary of which connections originated from which steps.

ubuntu-latest and ubuntu-24.04 runners are supported. Simple one-step setup example:

  uses: code-cargo/cargowall-action@v1   # or v1.0.0 for immutable tag
  with:
    mode: enforce
    allowed-hosts: |
      registry.npmjs.org

GitHub Action: https://github.com/code-cargo/cargowall-action

We'd love for you to give it a try! Happy to answer questions or take feedback.

Feels like CI/CD is still operating on a pretty optimistic threat model.