Audit Mode

Audit mode is the default and recommended starting point for using Bullfrog. It allows you to discover all outbound network connections made by your workflow without blocking anything.

What is Audit Mode?

In audit mode, Bullfrog:

  • Monitors all outbound network connections
  • Logs connection attempts in the workflow summary
  • Does not block any connections
  • Helps you understand your workflow's network behavior

When to Use Audit Mode

Use audit mode when you:

  • Are first setting up Bullfrog
  • Want to discover what connections your workflow makes
  • Are adding new dependencies or steps to your workflow
  • Need to troubleshoot why a workflow is being blocked

Basic Usage

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: bullfrogsec/bullfrog@c8e5fff94e0050c0cef9b9596c55cf3d9c53ba2c # v0.9.2
        # egress-policy defaults to 'audit', so no configuration needed

      - uses: actions/checkout@v4

      - name: Install dependencies
        run: npm install

      - name: Build
        run: npm run build

Explicit Audit Configuration

You can explicitly set audit mode for clarity:

- uses: bullfrogsec/bullfrog@c8e5fff94e0050c0cef9b9596c55cf3d9c53ba2c # v0.9.2
  with:
    egress-policy: audit

Reviewing Audit Results

After your workflow runs, you can view all outbound connections in the workflow summary:

  1. Navigate to your workflow run in GitHub Actions
  2. Select the Summary section
  3. Look for the Bullfrog Results in each job summary
  4. Review all logged connections with:
    • Timestamp
    • Destination IP address and port
    • Domain name (if available)
    • Protocol (TCP/UDP/DNS)
    • Decision
    • Reason for the decision
    • Process metadata (executable path, command arguments)

Transitioning to Block Mode

Once you've reviewed the audit results and identified necessary connections:

  1. Create a list of allowed domains and IPs based on the audit log
  2. Update your workflow configuration to use block mode

Example Transition:

# Before (audit mode)
- uses: bullfrogsec/bullfrog@c8e5fff94e0050c0cef9b9596c55cf3d9c53ba2c # v0.9.2

# After (block mode with discovered connections)
- uses: bullfrogsec/bullfrog@c8e5fff94e0050c0cef9b9596c55cf3d9c53ba2c # v0.9.2
  with:
    egress-policy: block
    allowed-domains: |
      github.com
      *.github.com
      registry.npmjs.org
      *.npmjs.org
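
One way to do step 1 of the transition above, as an added example that is not Bullfrog's own code: it reduces reviewed audit records to an `allowed-domains` list and sets aside connections that have no domain name for manual review. The record field names, the sample data, and the `build_allowlist` and `render_with_block` helpers are assumptions made for illustration; the wildcard rule treats the last two labels as the parent domain and does no public-suffix handling.

```python
from collections import defaultdict

# Constructed sample records. Field names are assumptions modelled on the
# columns listed under "Reviewing Audit Results", not Bullfrog's own format.
SAMPLE = [
    {"domain": "github.com", "ip": "192.0.2.10", "port": 443, "process": "/usr/bin/git"},
    {"domain": "API.github.com.", "ip": "192.0.2.11", "port": 443, "process": "/usr/bin/node"},
    {"domain": "codeload.github.com", "ip": "192.0.2.12", "port": 443, "process": "/usr/bin/git"},
    {"domain": "registry.npmjs.org", "ip": "192.0.2.20", "port": 443, "process": "/usr/bin/node"},
    {"domain": "registry.npmjs.org", "ip": "192.0.2.20", "port": 443, "process": "/usr/bin/node"},
    {"domain": None, "ip": "203.0.113.7", "port": 8443, "process": "/usr/bin/curl"},
]


def build_allowlist(records, wildcard_min=2):
    """Return (domains, ip_only): allow-list entries and IP-only connections to review."""
    subs = defaultdict(set)  # parent domain -> distinct subdomains observed
    exact, ip_only = set(), set()
    for r in records:
        name = (r.get("domain") or "").strip().rstrip(".").lower()
        if not name:
            # No domain recorded: keep destination and process for manual review.
            ip_only.add((r["ip"], r["port"], r["process"]))
            continue
        exact.add(name)
        labels = name.split(".")
        if len(labels) > 2:
            # Naive parent = last two labels (assumption, see lead-in).
            subs[".".join(labels[-2:])].add(name)
    domains = set(exact)
    for parent, names in subs.items():
        if len(names) >= wildcard_min:
            # Several subdomains observed: replace them with one wildcard entry.
            domains -= names
            domains.add("*." + parent)
    return sorted(domains, key=lambda d: (d.lstrip("*."), d)), sorted(ip_only)


def render_with_block(domains):
    """Render the `with:` inputs in the shape of the page's block-mode example."""
    lines = ["with:", "  egress-policy: block", "  allowed-domains: |"]
    return "\n".join(lines + ["    " + d for d in domains])


if __name__ == "__main__":
    domains, ip_only = build_allowlist(SAMPLE)
    print(render_with_block(domains))
    for ip, port, proc in ip_only:
        print(f"# review before allowing: {ip}:{port} from {proc}")
```

Raising `wildcard_min` keeps the policy narrower, since a wildcard also permits subdomains that never appeared in the audit run.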

Next Steps