dpndncY

See every syscall your CI runner makes.

A self-hosted Linux daemon that attaches four CO-RE BPF programs to the kernel, correlates every event to the workflow step that caused it, and emits a DSSE-signed in-toto trace at job end.

The four hooks

| Hook | What it sees | Why it matters |
| --- | --- | --- |
| tracepoint/syscalls/sys_enter_connect | Every outbound TCP / UDP connect | Exfiltration, C2 beacons |
| tracepoint/sched/sched_process_exec | Every process spawn | Compiler/installer side-effects, postinstall hooks |
| kprobe/security_file_open | Sensitive file opens (with allowlist) | Cred theft, SSH-key read |
| uprobe:libc:getaddrinfo | Every DNS lookup | DNS-tunnel exfil, novel domain resolution |

Auto-detected CI platforms

The agent reads the well-known CI environment variables and the PID tree to attribute each event to the workflow step that caused it. Auto-detection covers:

  • GitHub Actions
  • GitLab CI
  • Jenkins
  • CircleCI
  • Azure Pipelines
  • Bitbucket Pipelines
  • Tekton
  • Buildkite
  • Drone

Three modes

  • observe — log every event; emit signed trace at job end. No enforcement.
  • learn — observe + auto-derive an allowlist of egress destinations across N jobs. Useful for ramping toward enforce.
  • enforce — observe + actively deny non-allowlisted egress via cgroup-BPF. Callers see a standard EPERM. See cgroup-BPF enforce.

Installation surfaces

Pick the one that matches your runner:

  • GitHub Action — composite action with pre/post steps. Works on GitHub-hosted Ubuntu 22.04 / 24.04 runners and self-hosted.
  • Kubernetes DaemonSet — one privileged pod per node. Works under Tekton, Argo Workflows, kpack, GitLab K8s runners, Buildkite agents on K8s, actions-runner-controller.
  • systemd unit — for bare-metal runners and self-hosted CI nodes.

What gets signed

At job end the agent emits a DSSE envelope wrapping an in-toto v1 Statement of type:

  https://dpndncy.io/agent/runtime-trace/v1

Containing:

  • Per-kind event counts (connect, exec, file, dns)
  • Deduplicated egress destinations
  • Exec summary (binary + first-arg, sha256-hashed)
  • DNS hostnames resolved
  • SHA-256 of the full event-log NDJSON (bound into the signature)
  • Policy version applied

Optional Sigstore-keyless mode

When an OIDC token is available (GitHub Actions, GitLab CI), the agent can optionally sign via Fulcio and log to Rekor instead of using a local keypair. This is useful when you want public verifiability without managing your own key infrastructure.