Enforce egress at the kernel
In enforce mode the runtime agent doesn't just observe network egress — it denies it. cgroup/connect4 and cgroup/connect6 BPF programs return -EPERM before the connect syscall completes, so a build step that tries to reach a non-allowlisted host simply gets a connection failure, indistinguishable from the host being down.
How denial works
The agent attaches cgroup-BPF connect4/connect6 programs to the CI job’s cgroup. On every outbound connection the program checks the destination against the allowlist; a miss returns -EPERM at the syscall boundary. The caller sees a normal failed connection — there is no new error surface to handle, and no userspace proxy to bypass.
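The decision the connect4 program makes, modelled in portable C as an added example (this is not the agent's own BPF code). It encodes the allowlist from the Allowlist section below; it assumes the agent resolves host entries to addresses before loading them, and the 192.0.2.x addresses are constructed stand-ins for those lookups.

```c
/* Portable C model of the cgroup/connect4 allowlist decision (added example,
 * not the agent's code). In the real BPF program this logic runs on
 * ctx->user_ip4/ctx->user_port; returning 0 makes connect() fail with -EPERM. */
#include <stdint.h>
#include <stdbool.h>
#include <arpa/inet.h>
#define ANY_PORT 0          /* rule entry matching every destination port */
#define NPORTS   4
struct egress_rule {
    uint32_t net;            /* network address, host byte order */
    uint8_t  prefix;         /* CIDR prefix length; 32 = single host */
    uint16_t ports[NPORTS];  /* allowed ports; a lone ANY_PORT = all ports */
};
/* The page's YAML allowlist. Host entries are assumed to be resolved by the
 * agent before loading; 192.0.2.x are constructed documentation addresses. */
static const struct egress_rule allowlist[] = {
    { 0x0A000000u, 8,  { ANY_PORT } },  /* cidr: 10.0.0.0/8                       */
    { 0xC0000210u, 32, { 443 } },       /* host: registry.npmjs.org -> 192.0.2.16 */
    { 0xC0000220u, 32, { 443, 22 } },   /* host: github.com         -> 192.0.2.32 */
};
static bool prefix_match(uint32_t addr, uint32_t net, uint8_t prefix)
{
    uint32_t mask = prefix == 0 ? 0 : 0xFFFFFFFFu << (32 - prefix);
    return (addr & mask) == (net & mask);
}
static bool port_match(const struct egress_rule *r, uint16_t port)
{
    for (int i = 0; i < NPORTS; i++) {
        if (i > 0 && r->ports[i] == 0) break;   /* end of the port list */
        if (r->ports[i] == ANY_PORT || r->ports[i] == port) return true;
    }
    return false;
}
/* 1 = allow, 0 = deny (the YAML's default: deny). addr/port in host byte order. */
int egress_allowed(uint32_t addr, uint16_t port)
{
    for (int i = 0; i < (int)(sizeof allowlist / sizeof allowlist[0]); i++)
        if (prefix_match(addr, allowlist[i].net, allowlist[i].prefix) &&
            port_match(&allowlist[i], port))
            return 1;
    return 0;
}
/* Dotted-quad front end; an unparsable address is denied like any other miss. */
int egress_allowed_str(const char *ip, uint16_t port)
{
    struct in_addr a;
    if (inet_pton(AF_INET, ip, &a) != 1) return 0;
    return egress_allowed(ntohl(a.s_addr), port);
}
```

Because the miss path returns 0 rather than raising any error of its own, the caller only ever sees the kernel's -EPERM on connect(), which is the property the text above relies on.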
Allowlist
egress:
  allow:
    - cidr: 10.0.0.0/8
    - host: registry.npmjs.org
      ports: [443]
    - host: github.com
      ports: [443, 22]
  default: deny
Learn mode
Run the agent in observe/learn across a number of representative jobs and it derives a candidate allowlist from the egress it actually saw. Review it, commit it, then switch to enforce — so you don’t hand-author the list from scratch.
Per-step permits & audit
- Permit a single connection from a specific workflow step when a job legitimately needs a one-off host.
- Every deny is recorded in the run’s event log and bound into the signed runtime-trace/v1 attestation — so a blocked exfiltration attempt is provable after the fact.