Four CO-RE eBPF programs hook connect, exec, file-open and DNS on your CI runners, correlate every event to the workflow step that caused it, and — in enforce mode — actively deny non-allowlisted egress.
What it does
4 kernel hooks
sys_enter_connect, sched_process_exec, security_file_open and getaddrinfo — CO-RE eBPF, amd64 + arm64, as a GitHub Action, K8s DaemonSet or systemd unit.
Step-correlated events
Every connect / exec / file / DNS event tied to the pipeline step that caused it, across 9 auto-detected CI platforms.
cgroup-BPF egress block
In enforce mode, cgroup/connect4 + connect6 actively deny non-allowlisted egress — the caller sees a standard EPERM.
Signed trace per job
Each job ends with a DSSE-signed SLSA in-toto v1 Statement — the run's behaviour, provable offline.
Static analysis of your pipeline definitions across six CI platforms — mapped to the OWASP Top 10 CI/CD risks, with concrete remediation on every finding.
Firewall verdicts, scan results and runtime traces wrapped in DSSE over SLSA-style in-toto Statements, signed with your keypair. A standalone verifier ships with the platform — no vendor portal required.
Multi-signal decisioning at admission time. Risky packages are rejected before they enter node_modules, site-packages or your local Maven repo — with a signed record of exactly why.