buildcage
Restrict outbound access in Docker builds on GitHub Actions
Summary: buildcage limits outbound connections during Docker builds by enforcing an allowlist of domains, preventing unauthorized data exfiltration without altering Dockerfiles or intercepting TLS. It integrates with Docker Buildx and GitHub Actions as a drop-in builder and supports audit and restrict modes.
What it does
buildcage blocks all outbound network requests during Docker builds except those to domains on a defined allowlist, and logs every blocked attempt. It operates without proxy injection or certificate changes, so existing Dockerfiles are left untouched.
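To make the allowlist and the two modes concrete, here is an added example (not buildcage's own code) of the decision logic such a tool applies to each outbound connection attempt: exact-host and wildcard rules, an audit mode that only logs and a restrict mode that logs and blocks. The rule syntax, mode names and the sample connection attempts are assumptions constructed for this illustration; it shows the policy decision only, not the network-level enforcement.

```python
"""Illustrative outbound-allowlist policy for a build sandbox.

Added example, not buildcage's implementation. The "*.example" wildcard
syntax, the mode names "audit"/"restrict" and the sample attempts below
are all constructed for demonstration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Policy:
    allowed: Tuple[str, ...]            # e.g. ("registry-1.docker.io", "*.pythonhosted.org")
    mode: str = "restrict"              # "audit": log only; "restrict": log and block
    log: List[str] = field(default_factory=list)

    def domain_allowed(self, host: str) -> bool:
        """Match a hostname against the allowlist.

        Normalises case and a trailing dot (a "host." FQDN form) so that
        neither can be used to slip past an exact-match rule. A wildcard
        rule "*.d" matches subdomains of d, never d itself, and a raw IP
        literal never matches a domain rule.
        """
        host = host.lower().rstrip(".")
        for rule in self.allowed:
            rule = rule.lower()
            if rule.startswith("*."):
                suffix = rule[1:]       # "*.pythonhosted.org" -> ".pythonhosted.org"
                if host.endswith(suffix):
                    return True
            elif host == rule:
                return True
        return False

    def decide(self, host: str, port: int) -> str:
        """Return "allow" or "block" for one connection attempt.

        In audit mode nothing is blocked, but a would-be violation is
        still recorded so the allowlist can be tuned before restricting.
        """
        if self.domain_allowed(host):
            return "allow"
        if self.mode == "audit":
            self.log.append(f"AUDIT  would block {host}:{port}")
            return "allow"
        self.log.append(f"BLOCK  {host}:{port}")
        return "block"


def evaluate(policy: Policy, attempts: List[Tuple[str, int]]) -> Dict[str, int]:
    """Run every attempt through the policy and count the outcomes."""
    counts = {"allow": 0, "block": 0}
    for host, port in attempts:
        counts[policy.decide(host, port)] += 1
    return counts


# Constructed sample of connection attempts seen during a hypothetical build.
SAMPLE_ATTEMPTS = [
    ("registry-1.docker.io", 443),       # base image pull: allowed
    ("Files.PythonHosted.org.", 443),    # wheel download, odd casing + trailing dot: allowed
    ("pythonhosted.org", 443),           # apex domain is not covered by "*.pythonhosted.org"
    ("203.0.113.5", 443),                # raw IP from a malicious install script: blocked
    ("evil.example", 8443),              # unexpected host: blocked
]

if __name__ == "__main__":
    restrict = Policy(allowed=("registry-1.docker.io", "*.pythonhosted.org"))
    print(evaluate(restrict, SAMPLE_ATTEMPTS))
    for line in restrict.log:
        print(line)
```

Running it in restrict mode allows the first two attempts and blocks the other three, each with a log line; switching `mode="audit"` lets everything through while still recording the three would-be violations, which is the usual first step before turning enforcement on in CI.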
Who it's for
It is designed for developers and teams running Docker builds in CI environments such as GitHub Actions who need to control network access during builds to reduce security risk.
Why it matters
It prevents compromised dependencies from silently exfiltrating build secrets by restricting network access during builds, serving as a last line of defense against unauthorized external connections.