When working with continuous integration and continuous deployment (CI/CD), development velocity and strong security must both be treated as high priorities. We’ve previously detailed our development and deployment processes; here we describe some technical implementations that result from those processes. Among the various automation tools available, GitHub Actions has become a backbone for streamlining workflows, but with automation comes the need for strong and consistent security measures. In this post we focus on outbound network connections: in response to CI/CD pipelines being used to exfiltrate data from companies, we tested Bullfrog, a GitHub Action designed to harden your workflows by controlling egress traffic.
Understanding Bullfrog
Bullfrog is a simple, plug-and-play GitHub Action that enhances the security of your workflows by managing outbound network connections. By defining a list of allowed IPs and domains, Bullfrog ensures that only authorized egress traffic is permitted, effectively mitigating potential security risks associated with unauthorized egress.
Key Features
- Egress Control: Define specific IPs and domains that may receive outbound connections; any traffic outside those rules is blocked.
- Audit Mode: Monitor all outbound connections without impacting existing workflows, aiding in identifying necessary allowances.
- Compatibility: Supports GitHub-hosted runners on Ubuntu (ubuntu-latest, ubuntu-22.04, and ubuntu-24.04).
Why Bullfrog?
Consider a scenario where a development team uses GitHub Actions to build and deploy applications. Without egress control, the workflow may inadvertently connect to unauthorized external services, posing security risks.
With Bullfrog managing outbound network connections, only the IPs and domains the team has defined can be reached, reducing the risks tied to unauthorized egress. The team can:
- Monitor Outbound Connections: Using Bullfrog’s audit mode, the team can track all outbound connections during workflow execution.
- Define Egress Policies: Based on audit results, the team specifies allowed IPs and domains, ensuring only sanctioned connections are possible.
- Enforce Restrictions: Switching to block mode applies these policies, preventing unauthorized outbound traffic.
Step 1
Implementing Bullfrog in Your GitHub Workflows
Integrating Bullfrog into your GitHub workflows is straightforward.
Adding Bullfrog as the First Step in Your Job:
Ensure Bullfrog is the initial step in each job so that it monitors and controls all subsequent outbound connections. Setting egress-policy to audit lets us enumerate every outbound network connection the job makes without breaking the workflow.
Review the “uses” line and update the release as necessary.
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Set up Bullfrog
        uses: bullfrogsec/bullfrog@v0.8.2
        with:
          egress-policy: audit
Step 2
Configure Allowed IPs and Domains
Specify the IPs and domains permitted for outbound connections. Wildcards are accepted for domains.
- name: Set up Bullfrog
  uses: bullfrogsec/bullfrog@v0.8.2
  with:
    egress-policy: audit
    # Add allowed IPs
    allowed-ips: |
      192.168.1.1
      10.0.0.1
    # Add allowed domains
    allowed-domains: |
      *.centric3.com
      api.centric3.com
Step 3
Set the Egress Policy to Block
Once confident in the audit output, you can choose between audit (default) to monitor connections or block to enforce restrictions.
- name: Set up Bullfrog
  uses: bullfrogsec/bullfrog@v0.8.2
  with:
    egress-policy: block
Step 4
Define DNS Policy
Control DNS requests when egress-policy is set to block. There are two options for dns-policy:
- allowed-domains-only (default): DNS requests are permitted only for the domains in the allowed-domains list, so only predefined domains can be resolved.
- any: DNS requests to any domain are allowed, without restriction. This offers more flexibility but exposes the workflow to resolving untrusted domains.
- name: Set up Bullfrog
  uses: bullfrogsec/bullfrog@v0.8.2
  with:
    egress-policy: block
    dns-policy: any
Step 5 (Optional)
Enable Sudo if Necessary
The enable-sudo option allows steps within your GitHub Actions workflow to execute commands with elevated privileges using sudo, which is useful for tasks that require administrative access. By default, enable-sudo is set to true, permitting such operations. If your workflow doesn’t need elevated privileges, set enable-sudo to false to limit unnecessary access.
- name: Set up Bullfrog
  uses: bullfrogsec/bullfrog@v0.8.2
  with:
    enable-sudo: true
GitHub Example Workflow with Bullfrog
name: Pipeline
on:
  push:
    branches:
      - develop
  pull_request:
    branches:
      - develop
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Set up Bullfrog
        uses: bullfrogsec/bullfrog@v0.8.2
        with:
          egress-policy: block
          allowed-ips: |
            192.168.1.1
            10.0.0.1
          allowed-domains: |
            *.centric3.com
            api.centric3.com
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Set up Node.js
        uses: actions/setup-node@v3
        with:
          node-version: '4.1.0'
      - name: Install dependencies
        run: npm install
      - name: Run tests
        run: npm test
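As an added example (not part of the original post or of Bullfrog itself), the following lint checks a workflow for the settings walked through in Steps 1 to 5: Bullfrog first in every job, egress-policy block, dns-policy and enable-sudo not loosened, and no allowed-domains entry already covered by a wildcard. It assumes the workflow has already been loaded with a YAML parser such as PyYAML's safe_load and is handled as a dict, and it assumes the conventional wildcard semantics (*.centric3.com matches any subdomain but not the bare apex); both are assumptions of this example, not documented Bullfrog behaviour.

```python
"""Lint a loaded GitHub Actions workflow for the Bullfrog settings above.
Example code, not Bullfrog's own; wildcard semantics are an assumption."""
from fnmatch import fnmatchcase

BULLFROG_ACTION = "bullfrogsec/bullfrog@"


def domain_allowed(host: str, allowed: list[str]) -> bool:
    """True if host is covered by an exact or wildcard allowed-domains entry."""
    return any(fnmatchcase(host, pattern) for pattern in allowed)


def lint_job(name: str, job: dict) -> list[str]:
    """Findings for one job: Bullfrog must run first, ideally in block mode."""
    steps = job.get("steps") or []
    first = steps[0] if steps else {}
    if not str(first.get("uses", "")).startswith(BULLFROG_ACTION):
        return [f"{name}: Bullfrog is not the first step, egress is uncontrolled"]
    cfg = first.get("with") or {}
    findings = []
    if cfg.get("egress-policy", "audit") != "block":
        findings.append(f"{name}: egress-policy is audit, connections are only logged")
    if cfg.get("dns-policy", "allowed-domains-only") == "any":
        findings.append(f"{name}: dns-policy any lets the job resolve arbitrary domains")
    if cfg.get("enable-sudo", True) not in (False, "false"):
        findings.append(f"{name}: enable-sudo left at default true")
    # An exact entry matched by another wildcard entry is redundant and a sign
    # the allow-list was not reviewed entry by entry.
    domains = str(cfg.get("allowed-domains", "")).split()
    for entry in domains:
        wildcards = [p for p in domains if p != entry and "*" in p]
        if domain_allowed(entry, wildcards):
            findings.append(f"{name}: allowed-domains entry {entry} is already covered by a wildcard")
    return findings


def lint_workflow(workflow: dict) -> list[str]:
    """Run lint_job over every job in the workflow."""
    jobs = workflow.get("jobs") or {}
    return [f for name, job in jobs.items() for f in lint_job(name, job)]


# Constructed sample: the example workflow above, as safe_load would return it.
SAMPLE = {"jobs": {"build": {"runs-on": "ubuntu-latest", "steps": [
    {"name": "Set up Bullfrog", "uses": "bullfrogsec/bullfrog@v0.8.2",
     "with": {"egress-policy": "block", "allowed-ips": "192.168.1.1\n10.0.0.1\n",
              "allowed-domains": "*.centric3.com\napi.centric3.com\n"}},
    {"name": "Checkout code", "uses": "actions/checkout@v3"}]}}}

if __name__ == "__main__":
    for finding in lint_workflow(SAMPLE):
        print(finding)
```

Run against the example workflow above, it reports that enable-sudo was left at its default and that api.centric3.com is already covered by *.centric3.com.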