Increase the security of your GitHub Actions workflows using Bullfrog! With Bullfrog, you can easily control all outbound network connections made from within your GitHub Actions workflows by defining a list of IPs and/or domains that you want to allow.

Not sure which IPs or domains to allow? Simply use the default `egress-policy: audit` mode to get a list of all outbound network connections, without impacting your existing workflows.
```yaml
# This action should be the first step of your job, and should be loaded on every separate job.
# If this action is not loaded first, it will not be able to see or block any requests that occurred prior to the action running.
- uses: bullfrogsec/bullfrog@1472c28724ef13ea0adc54d0a42c2853d42786b1 # v0.8.2
  with:
    # List of IPs to allow outbound connections to.
    # By default, only localhost and IPs required for the essential operations of GitHub Actions are allowed.
    allowed-ips:

    # List of domains to allow outbound connections to.
    # Wildcards are accepted. For example, if allowing `*.google.com`, this will allow `www.google.com` and `console.cloud.google.com` but not `google.com`.
    # By default, only domains required for essential operations of GitHub Actions and uploading job summaries are allowed.
    # Refer to https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners#communication-requirements-for-github-hosted-runners-and-github for additional domains that should be allowed for additional GitHub Actions features.
    allowed-domains:

    # Controls the policy for DNS requests when `egress-policy` is set to `block`.
    #
    # - `allowed-domains-only` (default): Allows DNS requests only for domains specified in `allowed-domains`.
    # - `any`: Allows any DNS requests.
    #
    # Default: `allowed-domains-only`
    dns-policy:

    # The egress policy to enforce. Valid values are `audit` and `block`.
    # Default: audit
    egress-policy:

    # Enable this option to allow steps to execute commands with sudo.
    # This is useful for workflows that require elevated privileges to perform certain tasks.
    # Options: `true` (default) or `false`.
    enable-sudo:
```
- Default
- Block every outbound connection
- Only allow requests to domains required for pulling a Docker image from Docker Hub
- Only allow requests to a specific IP address without blocking DNS requests

The default usage will run in audit mode and will not block any request.

```yaml
- uses: bullfrogsec/bullfrog@1472c28724ef13ea0adc54d0a42c2853d42786b1 # v0.8.2
```
Block every outbound connection:

```yaml
- uses: bullfrogsec/bullfrog@1472c28724ef13ea0adc54d0a42c2853d42786b1 # v0.8.2
  with:
    egress-policy: block
```
Only allow requests to domains required for pulling a Docker image from Docker Hub:

```yaml
- uses: bullfrogsec/bullfrog@1472c28724ef13ea0adc54d0a42c2853d42786b1 # v0.8.2
  with:
    egress-policy: block
    allowed-domains: |
      *.docker.com
      docker.io
      *.docker.io
```
Only allow requests to a specific IP address without blocking DNS requests:

```yaml
- uses: bullfrogsec/bullfrog@1472c28724ef13ea0adc54d0a42c2853d42786b1 # v0.8.2
  with:
    egress-policy: block
    allowed-ips: |
      1.2.3.4
    dns-policy: any
```
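To dry-run a candidate allowlist against the hosts and IPs an audit-mode run reports before switching to `egress-policy: block`, here is a small evaluator that mirrors the matching rules documented above (exact domain match, `*.x` wildcards that cover subdomains but not the apex, exact IP match). It is an added example, not Bullfrog's own code; the function names and the sample observations are constructed, and Bullfrog's built-in defaults are not modelled.

```python
import ipaddress

def parse_list(block: str) -> list[str]:
    """Split a multi-line YAML block value (the text after `allowed-domains: |`) into entries."""
    return [line.strip() for line in block.splitlines() if line.strip()]

def domain_allowed(host: str, allowed_domains: list[str]) -> bool:
    """Documented rule: exact match, or `*.x` matching any name with labels in front of x, never x itself."""
    host = host.rstrip(".").lower()
    for entry in allowed_domains:
        entry = entry.rstrip(".").lower()
        if entry.startswith("*."):
            suffix = entry[1:]  # "*.docker.io" -> ".docker.io"
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == entry:
            return True
    return False

def ip_allowed(ip: str, allowed_ips: list[str]) -> bool:
    target = ipaddress.ip_address(ip)  # normalises textual forms before comparing
    return any(ipaddress.ip_address(entry) == target for entry in allowed_ips)

def classify(observed, allowed_domains, allowed_ips) -> dict[str, list[str]]:
    """Sort ('domain'|'ip', value) observations into what the allowlist would permit or block.
    Bullfrog's built-in defaults (localhost, GitHub's own endpoints) are not modelled here."""
    result: dict[str, list[str]] = {"allowed": [], "blocked": []}
    for kind, value in observed:
        ok = domain_allowed(value, allowed_domains) if kind == "domain" else ip_allowed(value, allowed_ips)
        result["allowed" if ok else "blocked"].append(value)
    return result

# Constructed sample: the Docker Hub allowlist from above, plus invented observations standing in for an audit run.
ALLOWED_DOMAINS = parse_list("""
*.docker.com
docker.io
*.docker.io
""")
ALLOWED_IPS = ["1.2.3.4"]
OBSERVED = [
    ("domain", "registry-1.docker.io"),
    ("domain", "docker.io"),
    ("domain", "docker.com"),      # apex name: not covered by *.docker.com
    ("domain", "evil-docker.io"),  # shares a suffix but is not a subdomain of docker.io
    ("domain", "api.github.com"),
    ("ip", "1.2.3.4"),
    ("ip", "5.6.7.8"),
]

print(classify(OBSERVED, ALLOWED_DOMAINS, ALLOWED_IPS))
```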
You can view blocked or unallowed outbound requests in the workflow summary.
This action currently only supports GitHub-hosted runners on Ubuntu (`ubuntu-latest`, `ubuntu-22.04` and `ubuntu-24.04`).
If you need support or have any feedback to share, join us on Slack. And if you find Bullfrog useful, please leave a star ⭐️.
The code and documentation in this project are released under the MIT License.