Matthew Slipper's banner
Matthew Slipper's profile picture

Matthew Slipper

@mslipper1,560 subscribers

Building https://t.co/0pucqh9KLy

Shorts

We open-sourced iron-proxy yesterday: a default-deny egress proxy for untrusted workloads. CI is a natural place for this. GitHub Actions runners have unrestricted outbound network access by default. Every dependency, every post-install script, every agent tool call can reach any endpoint on the internet. iron-proxy sits between the runner and the network. Allowlist what should talk to the internet. Log everything. Block everything else. Repo: Walkthrough 👇

We open-sourced iron-proxy yesterday: a default-deny egress proxy for untrusted workloads. CI is a natural place for this. GitHub Actions runners have unrestricted outbound network access by default. Every dependency, every post-install script, every agent tool call can reach any endpoint on the internet. iron-proxy sits between the runner and the network. Allowlist what should talk to the internet. Log everything. Block everything else. Repo: Walkthrough 👇

19,272 views

Videos

LIVE
1.2k

Anya Rossi

sweetdream.ai

SweetDream.aiSponsoredLivecam
Streaming Now

Watch Anya Live

Anya is streaming live right now! Join her private show and enjoy exclusive content.

HD live stream
Exclusive private shows
1.2k viewers online

Free preview available • Premium content

Last week I demoed locking down GitHub Actions egress with iron-proxy. By default your CI runner can talk to anything. Any dependency or build step can quietly exfiltrate data, and you’d never know. I’ve packaged that demo into a GitHub Marketplace action. Drop it into your pipeline with four lines of YAML and get real control and observability over your outbound traffic. v0.7.0 also adds OTLP export, so you can pipe your egress audit logs into your existing tooling and run detection, alerting, or forensics on top. Get it here: Demo below ↓
0:26
mslipper's profile picture

Last week I demoed locking down GitHub Actions egress with iron-proxy. By default your CI runner can talk to anything. Any dependency or build step can quietly exfiltrate data, and you’d never know. I’ve packaged that demo into a GitHub Marketplace action. Drop it into your pipeline with four lines of YAML and get real control and observability over your outbound traffic. v0.7.0 also adds OTLP export, so you can pipe your egress audit logs into your existing tooling and run detection, alerting, or forensics on top. Get it here: Demo below ↓

Matthew Slipper

11,296 views • 2 months ago

Here's a supply chain attack running on an VM. It's so obvious even Claude catches it. But it doesn't matter: by the time Claude sees it, the attack is done. Except in this case, it isn't. Egress rules block it. Real attacks won't look like this. You need real containment.
0:20
mslipper's profile picture

Here's a supply chain attack running on an VM. It's so obvious even Claude catches it. But it doesn't matter: by the time Claude sees it, the attack is done. Except in this case, it isn't. Egress rules block it. Real attacks won't look like this. You need real containment.

Matthew Slipper

11,575 views • 2 months ago

No more content to load