dpndncY

Enforce egress at the kernel

In enforce mode the runtime agent doesn't just observe network egress: it denies it. When the cgroup/connect4 and cgroup/connect6 BPF programs return a deny verdict, the kernel fails the connect syscall with -EPERM before any connection is attempted, so a build step that tries to reach a non-allowlisted host simply gets a connection failure, indistinguishable from the host being down.

How denial works

The agent attaches cgroup-BPF connect4/connect6 programs to the CI job’s cgroup. On every outbound connection the program checks the destination against the allowlist; a miss returns -EPERM at the syscall boundary. The caller sees a normal failed connection — there is no new error surface to handle, and no userspace proxy to bypass.

Allowlist

allowlist.yaml
egress:
  allow:
    - cidr: 10.0.0.0/8
    - host: registry.npmjs.org
      ports: [443]
    - host: github.com
      ports: [443, 22]
  default: deny
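The verdict logic the two sections above describe, written out as an added example in plain C (not the agent's own program): the same CIDR-and-port match a cgroup/connect4 program performs over struct bpf_sock_addr fields, with default deny. It assumes the agent resolves host: entries to addresses before loading the rules; the two host addresses below are constructed placeholders.

```c
#include <stdint.h>
#include <arpa/inet.h>
/* One compiled allowlist rule: network prefix plus an optional port.
 * host: entries are assumed to be resolved to addresses by the agent
 * before the map is loaded (assumption; the page does not say how). */
struct rule {
    uint32_t net;     /* network address, host byte order */
    uint8_t  prefix;  /* CIDR prefix length, 0..32 */
    uint16_t port;    /* 0 = any port */
};

/* Mirrors allowlist.yaml above; the two host addresses are constructed
 * placeholders from 192.0.2.0/24, not real resolutions. */
static const struct rule ALLOW[] = {
    { 0x0A000000u,  8,   0 },  /* cidr: 10.0.0.0/8, any port          */
    { 0xC0000201u, 32, 443 },  /* registry.npmjs.org -> 192.0.2.1:443 */
    { 0xC0000202u, 32, 443 },  /* github.com         -> 192.0.2.2:443 */
    { 0xC0000202u, 32,  22 },  /* github.com         -> 192.0.2.2:22  */
};

static int prefix_match(uint32_t addr, uint32_t net, uint8_t prefix)
{
    if (prefix == 0) return 1;                     /* /0 matches everything */
    uint32_t mask = ~((1u << (32 - prefix)) - 1u); /* prefix 32 -> all ones */
    return (addr & mask) == (net & mask);
}

/* Verdict in the cgroup/connect4 convention: 1 = allow, 0 = deny.
 * A 0 verdict is what makes the kernel fail connect() with -EPERM.
 * Arguments are as the program sees them in struct bpf_sock_addr:
 * user_ip4 and user_port, both in network byte order. */
int connect4_verdict(uint32_t user_ip4_be, uint16_t user_port_be)
{
    uint32_t dst  = ntohl(user_ip4_be);
    uint16_t port = ntohs(user_port_be);
    for (unsigned i = 0; i < sizeof ALLOW / sizeof ALLOW[0]; i++) {
        if (!prefix_match(dst, ALLOW[i].net, ALLOW[i].prefix)) continue;
        if (ALLOW[i].port == 0 || ALLOW[i].port == port) return 1;
    }
    return 0; /* default: deny */
}

/* Helper for tests and reading: dotted quad + host-order port -> verdict.
 * Unparseable input is denied, matching default: deny. */
int verdict_for(const char *dotted, uint16_t port)
{
    struct in_addr a;
    if (inet_pton(AF_INET, dotted, &a) != 1) return 0;
    return connect4_verdict(a.s_addr, htons(port));
}
```

A real deployment keeps the rules in a BPF map the agent updates from the YAML, rather than a compiled-in array, so the allowlist can change without reloading the program.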

Learn mode

Run the agent in observe/learn across a number of representative jobs and it derives a candidate allowlist from the egress it actually saw. Review it, commit it, then switch to enforce — so you don’t hand-author the list from scratch.

Per-step permits & audit

  • Permit a single connection from a specific workflow step when a job legitimately needs a one-off host.
  • Every deny is recorded in the run’s event log and bound into the signed runtime-trace/v1 attestation — so a blocked exfiltration attempt is provable after the fact.

Cheap at the kernel
cgroup-BPF runs in-kernel per connection, not per packet, with sub-microsecond overhead — enforcement adds no meaningful build latency.
