CargoWall Open-Sources the eBPF Firewall That Escaped Its LLM Cage

Frequently Asked

What is eBPF and why does it give CargoWall an advantage over traditional firewall rules for CI runners?

eBPF lets CargoWall attach a traffic classifier directly to the kernel's network stack without modifying the runner OS or requiring a sidecar process. Traditional iptables rules can be bypassed by processes with sufficient privilege or by raw socket usage; the eBPF TC egress classifier operates at a lower level and is harder for a compromised dependency to circumvent. For ephemeral GitHub Actions runners where you cannot install persistent agents, that kernel-level attachment is the only enforcement point that survives a supply chain compromise.

What should a security engineer actually do today if their pipelines use GitHub Actions with LLM agent steps?

Audit every outbound domain your agent steps contact and build an explicit allowlist — then enforce it at the network layer, not the application layer. CargoWall provides one path to that enforcement. Without it, any dependency pulled during a run can establish outbound connections your application-level guardrails never see. The Trivy attack is the clearest demonstration that application-layer trust is insufficient: the compromise happened below the level where most teams were monitoring.

Why do critics argue open-sourcing agent containment tools makes the attack surface worse, not better?

The counterargument is that publishing the allowlist enforcement mechanism also publishes its evasion surface — an attacker who studies CargoWall's DNS proxy logic knows exactly which query patterns to mimic to appear on the approved list. That critique has real weight for application-layer firewalls. It matters less for CargoWall's architecture because the enforcement happens at the resolved IP level in eBPF maps, not at the query string level — a spoofed query that returns an unapproved IP still gets blocked at egress.

Continue reading