Agentic Workflow Firewall
A network firewall for agentic workflows that restricts outbound HTTP/HTTPS to an allowlist of domains.
Tip: This project is a part of GitHub's explorations of Agentic Workflows. For more background, check out the project page! ✨
How it works
awf runs your command inside a Docker sandbox with three containers:
- Squid proxy: filters outbound traffic by domain allowlist
- Agent: runs your command; all HTTP/HTTPS is routed through Squid
- API proxy sidecar (optional): holds LLM API keys so they never reach the agent process
Requirements
- Docker: 20.10+ with Docker Compose v2
- Node.js: 20.12.0+ (for building from source)
- OS: Ubuntu 22.04+ or compatible Linux distribution
See Compatibility for full details on supported versions and tested configurations.
Get started fast
curl -sSL https://raw.githubusercontent.com/github/gh-aw-firewall/main/install.sh | sudo bash
sudo awf --allow-domains github.com -- curl https://api.github.com
The -- separator divides firewall options from the command to run.
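The command above allows github.com and then reaches api.github.com. The sketch below is an added example, not code from gh-aw-firewall, showing the matching rule that behaviour implies: exact domain or subdomain, compared on a label boundary after URL parsing. It assumes subdomains are covered by an allowlisted domain; in awf the actual filtering is done by Squid, and the function names and example.net hosts here are hypothetical.

```javascript
// Added illustration, not code from gh-aw-firewall.
// Assumption: an allowlisted domain also covers its subdomains.

// Lowercase and drop a trailing root dot so "GitHub.com." equals "github.com".
function normalizeHost(host) {
  return host.trim().toLowerCase().replace(/\.$/, "");
}

// True when host equals an allowlisted domain or is a subdomain of one.
// The "." prefix forces the match onto a label boundary.
function hostAllowed(host, allowlist) {
  const h = normalizeHost(host);
  if (h === "") return false;
  return allowlist.some((entry) => {
    const d = normalizeHost(entry);
    return d !== "" && (h === d || h.endsWith("." + d));
  });
}

// Decide on the hostname the URL parser extracts, never on the raw string.
function urlAllowed(rawUrl, allowlist) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // unparseable input is denied
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  return hostAllowed(url.hostname, allowlist);
}

// Constructed sample input (example.net names are placeholders).
const allowlist = ["github.com"];
const samples = [
  "https://api.github.com/",          // subdomain: allowed
  "https://GitHub.com./",             // case and trailing dot: allowed
  "https://notgithub.com/",           // shares a suffix, not a label: denied
  "https://github.com.example.net/",  // allowlisted name as a prefix: denied
  "https://github.com@example.net/",  // userinfo; real host is example.net: denied
  "ftp://github.com/",                // not HTTP/HTTPS: denied
];
for (const s of samples) {
  console.log(urlAllowed(s, allowlist) ? "ALLOW" : "DENY ", s);
}
```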
Explore the docs
- Quick start: install, verify, and run your first command
- Usage guide: CLI flags, domain allowlists, examples
- Enterprise configuration: GitHub Enterprise Cloud and Server setup
- Chroot mode: use host binaries with network isolation
- API proxy sidecar: secure credential management for LLM APIs
- Authentication architecture: deep dive into token handling and credential isolation
- SSL Bump: HTTPS content inspection for URL path filtering
- GitHub Actions: CI/CD integration and MCP server setup
- Environment variables: passing environment variables to containers
- Logging quick reference and Squid log filtering: view and filter traffic
- Security model: what the firewall protects and how
- Architecture: how Squid, Docker, and iptables fit together
- Compatibility: supported Node.js, OS, and Docker versions
- Troubleshooting: common issues and fixes
- Image verification: cosign signature verification
Development
- Install dependencies:
  npm install
- Run tests:
  npm test
- Build:
  npm run build
Contributing
Contributions welcome! Please see CONTRIBUTING.md for guidelines.
