Domain-based CI Job Firewall
Release notes
Problem to solve
Due to the increased prevalence of supply chain attacks, there need to be ways to help customers mitigate these attacks, both to help ensure their code is safe and to ensure their runners are only used for their intended purposes. Two concerns in particular:
- Supply Chain Attacks
- Unwanted CI Workloads (crypto mining)
Intended users
User experience goal
Allow the user to specify a given domain where their CI Job can reach out to so that any malicious package is incapable of sending data to unapproved locations.
Proposal
By default, all CI Jobs (and their services) have limited outgoing network access:
- Internal IP Ranges
- GitLab Host
Any external service a job requires will need to be declared, by domain name or IP address, within the job definition. This would be implemented for both Docker-based jobs and Kubernetes jobs. It could easily be implemented by leveraging iptables to block all destinations except the explicitly stated domains and the default domains and IP addresses. CoreOS has a Go iptables library.
In order to ensure a non-breaking change, this would be rolled out only to projects that have no existing CI pipelines (including all new projects).
Further details
Here is a sample YAML Job Definition where the resources: syntax is added, specifying domains that are allowed to be reached out to.
```yaml
build:
  script:
    - pip install -r requirements.txt
    - python setup.py
  resources:
    - pypi.org
    - github.com
```
Additionally, we could give teams the ability to specify that only the domains listed on the default branch are honoured, so that a pipeline on a feature branch cannot widen the allowlist.
For GitLab's Shared Runners, it may be best to only allow a clear set of "approved" domains regardless of what is in the YAML.
Permissions and Security
Documentation
Availability & Testing
Available Tier
What does success look like, and how can we measure that?
What is the type of buyer?
Is this a cross-stage feature?
Links / references
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.