Network Egress Audit
Purpose
Every external domain that CI workflows reach out to represents an attack surface. This document formalizes the allowed egress domains and requires explicit approval for new ones.
Allowed Egress Domains
| Domain | Used By | Purpose |
|---|---|---|
| github.com | All workflows | Git operations, API calls |
| api.github.com | github-script, auto-milestone | GitHub REST/GraphQL API |
| registry.npmjs.org | npm ci | Package installation |
| npmjs.com | npm ci | Package metadata |
| pypi.org | pip install | Python package installation |
| files.pythonhosted.org | pip install | Python package downloads |
| crates.io | MegaLinter (trivy) | Vulnerability database |
| ghcr.io | MegaLinter | Container image pull |
| chrisnewcomb.name | link-check | Link validation against live site |
| giscus.app | Deployed site | Comment system |
| static.cloudflareinsights.com | Deployed site | Web Analytics beacon |
Approval Process
To add a new egress domain:
- Open an issue explaining the need
- Document what workflow uses it and why
- Add it to this document in a PR
- Get approval before merging
Monitoring
New domains introduced in workflow files should be flagged during PR review. The scan_malware_patterns.py script catches suspicious URLs (curl/wget piped to shell) but does not audit all egress.
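As an added example (not the repository's scan_malware_patterns.py), the check below extracts hostnames from workflow files and reports any that are not in the table above, so a reviewer has a mechanical list to compare against the allowlist; the workflow snippet embedded in it is constructed for illustration.

```python
"""Flag egress domains in CI workflow files that are not on the allowlist.

Added illustration, not the repository's own tooling. ALLOWED_DOMAINS mirrors
the "Allowed Egress Domains" table; SAMPLE_WORKFLOW is constructed input.
"""
from __future__ import annotations
import re
from pathlib import Path

ALLOWED_DOMAINS = frozenset({
    "github.com", "api.github.com", "registry.npmjs.org", "npmjs.com",
    "pypi.org", "files.pythonhosted.org", "crates.io", "ghcr.io",
    "chrisnewcomb.name", "giscus.app", "static.cloudflareinsights.com",
})

# Host part of an explicit http(s) URL, e.g. "curl https://host/path".
_URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
# Bare "host/path" references such as "docker pull ghcr.io/org/image:tag".
# The lookbehind skips hosts already matched inside a URL.
_BARE_HOST_RE = re.compile(r"(?<![\w@/.-])([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})/", re.I)


def extract_domains(text: str) -> set[str]:
    """All hostnames referenced in a workflow file's text, lower-cased."""
    hosts = {h.lower() for h in _URL_HOST_RE.findall(text)}
    hosts |= {h.lower() for h in _BARE_HOST_RE.findall(text)}
    return hosts


def unlisted_domains(text: str) -> set[str]:
    """Domains not on the allowlist. Subdomains are NOT accepted implicitly:
    the table lists api.github.com separately from github.com, so every host
    needs its own row and its own approval."""
    return {h for h in extract_domains(text) if h not in ALLOWED_DOMAINS}


def audit_workflows(workflow_dir: str = ".github/workflows") -> dict[str, set[str]]:
    """Map each workflow file to the unapproved domains it references."""
    findings: dict[str, set[str]] = {}
    for path in sorted(Path(workflow_dir).glob("*.y*ml")):
        bad = unlisted_domains(path.read_text(encoding="utf-8"))
        if bad:
            findings[str(path)] = bad
    return findings


SAMPLE_WORKFLOW = """steps:
  - uses: actions/checkout@v4
  - run: npm ci
  - run: curl -fsSL https://get.example-tool.dev/install.sh | sh
  - run: docker pull ghcr.io/oxsecurity/megalinter:v7
  - run: pip install --index-url https://pypi.org/simple requests
"""

if __name__ == "__main__":
    print("Unapproved in sample:", sorted(unlisted_domains(SAMPLE_WORKFLOW)))
    print("Repository findings:", audit_workflows())
```

Run it from the repository root; any non-empty result is a domain that needs an issue and a row in this document before the PR merges.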
Review Schedule
This document should be reviewed quarterly and whenever a new workflow or CI tool is added.