Introduction

Bullfrog is a free, open-source GitHub Action that increases the security of your GitHub Actions workflows by controlling all outbound network connections. With Bullfrog, you can easily define a list of allowed IPs and domains that your workflows can connect to, preventing data exfiltration and supply chain attacks.

Key Features

  • Network Egress Control: Block or audit all outbound network connections from your GitHub Actions workflows
  • Easy Configuration: Define allowed IPs and domains using simple YAML configuration
  • Audit Mode: Start with audit mode to discover all outbound connections without blocking them
  • Block Mode: Enforce strict egress filtering by blocking unauthorized connections
  • DNS Policy Control: Configure DNS resolution policies to match your security requirements
  • Zero Cost: Completely free and open source under the MIT License

How It Works

Bullfrog works by intercepting network traffic at the system level on GitHub-hosted Ubuntu runners. It must be loaded as the first step in your workflow job to ensure all subsequent network connections are monitored or blocked according to your policy.

- uses: bullfrogsec/bullfrog@c8e5fff94e0050c0cef9b9596c55cf3d9c53ba2c # v0.9.2
  with:
    egress-policy: audit
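
The first-step requirement can be checked before a workflow is merged. The following is an added example, not part of Bullfrog or its documentation: a line-based scan that reports every `steps:` list whose first step is not Bullfrog referenced by a full commit SHA, the form used in the snippet above. The function name, the messages and the sample workflow are constructed for illustration, and the scan is a heuristic rather than a YAML parser.

```python
import re

# Reference form used in the page's snippet: owner/repo@<40-hex commit SHA>.
PINNED = re.compile(r"bullfrogsec/bullfrog@[0-9a-f]{40}$")
STEPS = re.compile(r"^\s*steps:\s*(#.*)?$")
USES = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([^\s'\"#]+)")

def check_first_steps(workflow_text):
    """Return [(line number of steps:, problem)] per job; line-based heuristic."""
    lines, findings = workflow_text.splitlines(), []
    for i, line in enumerate(lines):
        if not STEPS.match(line):
            continue
        item, item_indent = [], None  # lines of the first list item under steps:
        for nxt in lines[i + 1:]:
            stripped = nxt.strip()
            if not stripped or stripped.startswith("#"):
                continue
            indent = len(nxt) - len(nxt.lstrip())
            if item_indent is None:
                if not stripped.startswith("-"):
                    break  # steps: is not followed by a list
                item_indent = indent
            elif indent <= item_indent:
                break  # reached the second step or left the steps list
            item.append(nxt)
        uses = next((m.group(1) for m in map(USES.match, item) if m), None)
        if uses is None:
            findings.append((i + 1, "first step has no uses: key"))
        elif not uses.startswith("bullfrogsec/bullfrog@"):
            findings.append((i + 1, f"first step is {uses}, not Bullfrog"))
        elif not PINNED.match(uses):
            findings.append((i + 1, f"Bullfrog not pinned to a commit SHA: {uses}"))
    return findings

# Constructed sample workflow (jobs trimmed to their steps for brevity).
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: bullfrogsec/bullfrog@c8e5fff94e0050c0cef9b9596c55cf3d9c53ba2c # v0.9.2
        with:
          egress-policy: audit
  test:
    steps:
      - uses: actions/checkout@v4
      - uses: bullfrogsec/bullfrog@c8e5fff94e0050c0cef9b9596c55cf3d9c53ba2c # v0.9.2
"""
print(check_first_steps(SAMPLE))
```

In the sample, the `test` job is reported because Bullfrog is present but runs after the checkout step, so that step's connections are outside the policy.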

Why Use Bullfrog?

GitHub Actions workflows often make numerous outbound network connections to download dependencies, pull container images, and interact with external services. Without egress control:

  • Data Exfiltration: Malicious code could send sensitive data (secrets, source code, credentials) to attacker-controlled servers
  • Supply Chain Attacks: Compromised dependencies could reach out to malicious infrastructure
  • Unauthorized Access: Workflows could access internal or restricted networks unexpectedly

Bullfrog solves these problems by giving you complete visibility and control over your workflow's network behavior.

Open Source & Free

Bullfrog is released under the MIT License and is completely free to use. No sign-up, no credit card, no limitations. Simply add it to your workflow and start securing your CI/CD pipeline.

Next Steps