CargoWall
Close the GitHub Actions Network Security Gap
CargoWall is an open-source eBPF-based network firewall that monitors and controls outbound traffic for your workflows, protecting you from supply chain attacks.
Defend Against Malicious GitHub Actions
CargoWall protects your credentials, secrets, and other sensitive data from compromised or malicious GitHub Actions, whether they run in your own environment or on GitHub-hosted runners.
Retroactive poisoning: Existing GitHub Actions tags can be tainted with malicious code
Credential theft: Malicious GitHub Actions can extract cloud or other credentials
Wide impact: Thousands of organizations unknowingly impacted by a single attack
Protection from AI Coding Agents
AI coding agents can introduce security vulnerabilities by connecting to untrusted endpoints, hallucinating domain names, or ignoring corporate policy.
Untrusted endpoints: AI agents may fetch packages from unverified external sources
Domain hallucination: Attackers can register a domain an agent hallucinates and then collect whatever the agent sends there
Insider threat: Employees can provide malicious instructions to AI coding agents to stealthily exfiltrate data
Four Layers of Protection
CargoWall uses complementary security layers to ensure comprehensive network filtering
DNS Attack Interception
Prevent DNS tunneling attacks by refusing queries for unauthorized domains at the kernel level
Dynamic Rule Updates
Adds the IPs that allowed hostnames resolve to as they are discovered, giving per-address egress control instead of broad ranges
eBPF Traffic Control
Filters egress traffic at the kernel level using the high-performance eBPF traffic control layer
Sudo Lockdown
Prevents firewall circumvention by restricting sudo access in subsequent workflow steps
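The four layers above form one pipeline: a DNS query is answered only for an allowed hostname, the IPs in that answer are added to the firewall, and every outbound connection is then checked against those IPs (and any blocked CIDRs) in audit or enforce mode. The following is an illustrative userspace model of that pipeline, added here for this page; it is not CargoWall's eBPF or iptables code and does not reproduce its audit-log format. The hostnames, IP addresses, the TEST-NET-2 blocked range and the event sequence in demo() are constructed, and the sudo lockdown layer is not modelled. It goes slightly beyond the text in two places a practitioner will care about: hostname matching is done on label boundaries so lookalike domains cannot ride an allowlist entry, and a blocked CIDR takes precedence even when an allowed hostname resolves into it.

```python
"""Illustrative model of the allowlist pipeline described above.

Added for this page; not CargoWall's eBPF/iptables code or its audit-log
format. Hostnames, IPs, the blocked CIDR and the event sequence in demo()
are constructed. The sudo lockdown layer is not modelled.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


def host_allowed(name: str, allowed_hosts: list[str]) -> bool:
    """Match on label boundaries: 'api.github.com' passes for 'github.com',
    but 'evil-github.com' and 'github.com.attacker.example' do not."""
    name = name.rstrip(".").lower()
    for allowed in allowed_hosts:
        allowed = allowed.rstrip(".").lower()
        if name == allowed or name.endswith("." + allowed):
            return True
    return False


@dataclass
class EgressPolicy:
    allowed_hosts: list[str]
    blocked_cidrs: list[str] = field(default_factory=list)
    enforce: bool = False                      # False = audit mode (log only)
    allowed_ips: set[str] = field(default_factory=set)
    audit_log: list[tuple] = field(default_factory=list)

    def _in_blocked_cidr(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(c) for c in self.blocked_cidrs)

    def dns_query(self, qname: str) -> str:
        """Layer 1: refuse queries for domains not on the allowlist, so a
        tunnelling query such as 'aGVsbG8.exfil.attacker.example' is never
        forwarded to a resolver."""
        if host_allowed(qname, self.allowed_hosts):
            return "allow"
        self.audit_log.append(("dns", qname, "refused"))
        return "refuse"

    def dns_answer(self, qname: str, ips: list[str]) -> list[str]:
        """Layer 2: learn the IPs an allowed hostname resolves to and add
        them to the firewall. A blocked CIDR still wins over the hostname."""
        if not host_allowed(qname, self.allowed_hosts):
            return []
        added = [ip for ip in ips if not self._in_blocked_cidr(ip)]
        self.allowed_ips.update(added)
        return added

    def connect(self, dst_ip: str, dst_port: int) -> str:
        """Layer 3: the egress decision. Only IPs learned from allowed DNS
        answers pass; everything else is logged (audit) or dropped (enforce)."""
        if dst_ip in self.allowed_ips and not self._in_blocked_cidr(dst_ip):
            return "allow"
        self.audit_log.append(("connect", f"{dst_ip}:{dst_port}", "denied"))
        return "block" if self.enforce else "audit"


def demo(enforce: bool) -> dict:
    """Constructed event sequence: a normal npm install, then a lookalike
    domain, a DNS-tunnel attempt, a raw-IP connection, and an allowed host
    that resolves into a blocked CIDR."""
    policy = EgressPolicy(
        allowed_hosts=["github.com", "registry.npmjs.org"],
        blocked_cidrs=["198.51.100.0/24"],      # constructed TEST-NET-2 range
        enforce=enforce,
    )
    r = {}
    r["npm_dns"] = policy.dns_query("registry.npmjs.org")
    policy.dns_answer("registry.npmjs.org", ["104.16.0.10"])
    r["npm_connect"] = policy.connect("104.16.0.10", 443)
    r["lookalike_dns"] = policy.dns_query("registry.npmjs.org.attacker.example")
    r["tunnel_dns"] = policy.dns_query("aGVsbG8gd29ybGQ.exfil.attacker.example")
    r["raw_ip_connect"] = policy.connect("203.0.113.7", 443)
    r["github_added"] = policy.dns_answer("github.com", ["140.82.112.3", "198.51.100.9"])
    r["cidr_connect"] = policy.connect("198.51.100.9", 443)
    r["audit_entries"] = len(policy.audit_log)
    return r


if __name__ == "__main__":
    for mode in (False, True):
        print("enforce" if mode else "audit", demo(mode))
```

Run with audit mode first: every denied event is recorded but nothing is returned as blocked, which is how you discover the egress hosts a workflow actually needs before switching to enforce. The same sequence in enforce mode turns the raw-IP and blocked-CIDR connections into drops while the npm traffic is unaffected.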
Two Ways to Deploy CargoWall
CargoWall GitHub Action
Network security stack for GitHub Actions. Perfect for teams who want complete control.
What you get:
- Private and Public GitHub repositories
- Free CodeCargo dashboard with runtime metrics
- GitHub-hosted & Self-hosted runners
- Docker & Kubernetes support
- eBPF-based network filtering
- CIDR block filtering
- DNS query interception to prevent tunneling
- Audit mode (log-only) and Enforce mode (blocking)
- Sudo restriction mode
- Community support
Open Source • Protect your GitHub Actions today
CodeCargo Starter Edition
Free platform to provide scalable GitHub Actions runtime security to your organization.
CargoWall GitHub Action plus:
- CodeCargo Platform
- Track GitHub Actions and Workflow usage
- Developer self-service
- Centralized network policy management
- Automatically detect and apply policies to workflows
- Identify non-compliant GitHub Actions workflows
- Audit readiness and egress host identification
- Establish baseline network characteristics per Action
- Visual dashboards and analytics
- Community support
Free • GitHub App Installation
GitHub-Hosted Runners
- Ubuntu runners (latest and LTS versions)
Self-Hosted Runners
- Linux with kernel 5.x or newer
- eBPF capability enabled
Repository Access
- Public repositories
- Private repositories
Get Started in Minutes
Add CargoWall to your workflow with minimal configuration
Add to Your Workflow
Include CargoWall as a step in your GitHub Actions workflow file.
  - uses: code-cargo/cargowall-action@v1
    with:
      allowed-hosts: |
        github.com
        npmjs.com
        registry.npmjs.org
Configure Access Control
Specify which domains your workflow is allowed to access.
  allowed-hosts: |
    github.com
    npmjs.com
    pypi.org
    docker.io
Run Your Workflow
CargoWall automatically protects your runner at the kernel level.
  ## CargoWall (Audit Mode)
  [View full details on CodeCargo](https://app.dev.codecargo.dev/orgs/2z0.../cargowall/activity/runs/32n...)
  DNS query filtering enabled (blocks DNS tunneling)
  Docker DNS interception enabled docker_bridge=172.17.0.1
  Configuring Docker DNS dns=172.17.0.1
  Docker DNS configured (restart required to take effect) dns=172.17.0.1
  DNS redirect iptables rules installed
  Running in AUDIT MODE - connections will be logged but NOT blocked audit_log=/tmp/cargowall-audit.json
  Running in GitHub Actions mode
  Resolving rules count=0
Ready to Secure Your Pipelines?
Start with open source or unlock enterprise features with our free tier