From e0280b2af9ec974ae5f1fb884f609fdd748a67cc Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 15 Jan 2026 23:10:47 +0000 Subject: [PATCH 1/2] Initial plan From 86af170ba07510d4511d53705f507c3c85367af2 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 15 Jan 2026 23:20:54 +0000 Subject: [PATCH 2/2] docs: remove docker-in-docker references Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com> --- docs-site/src/content/docs/index.md | 18 +----------------- .../src/content/docs/reference/ssl-bump.md | 2 -- 2 files changed, 1 insertion(+), 19 deletions(-) diff --git a/docs-site/src/content/docs/index.md b/docs-site/src/content/docs/index.md index a5ad00f2c..9f84cc9ce 100644 --- a/docs-site/src/content/docs/index.md +++ b/docs-site/src/content/docs/index.md @@ -3,7 +3,7 @@ title: Agentic Workflow Firewall description: Network firewall for AI agents with domain whitelisting - control egress HTTP/HTTPS traffic using Squid proxy and Docker containers. --- -A network firewall designed specifically for AI agents and agentic workflows. Control which domains your AI agents can access while maintaining full filesystem access and Docker-in-Docker capabilities. +A network firewall designed specifically for AI agents and agentic workflows. Control which domains your AI agents can access while maintaining full filesystem access in a containerized environment. :::tip[Part of GitHub Next] This project is part of GitHub Next's explorations of [Agentic Workflows](https://github.com/githubnext/gh-aw). Learn more on the [GitHub Next website](https://githubnext.com/projects/agentic-workflows/)! ✨ 
@@ -16,7 +16,6 @@ When AI agents like GitHub Copilot CLI run with access to tools and MCP servers, **Key Capabilities:** - **Domain Allowlist & Blocklist**: Allow specific domains and block exceptions with wildcard pattern support - **URL Path Filtering**: Restrict access to specific URL paths with [SSL Bump](/gh-aw-firewall/reference/ssl-bump/) -- **Docker-in-Docker Enforcement**: Spawned containers inherit firewall restrictions - **Host-Level Protection**: Uses iptables DOCKER-USER chain for defense-in-depth - **Zero Trust**: Block all traffic by default, allow only what you explicitly permit - **Full Auditability**: Comprehensive logging of all allowed and blocked traffic @@ -126,18 +125,6 @@ sudo awf \ --prompt "Search arXiv for papers on AI safety" ``` -### Docker-in-Docker - -Spawned containers automatically inherit firewall restrictions: - -```bash -sudo awf \ - --allow-domains api.github.com,registry-1.docker.io,auth.docker.io \ - -- docker run --rm curlimages/curl -fsS https://api.github.com/zen -``` - -The spawned container's network traffic is also filtered through the firewall. - ## How It Works The firewall uses a containerized architecture with three security layers: @@ -153,7 +140,6 @@ The firewall uses a containerized architecture with three security layers: │ ┌──────────────────────────────┐ │ │ │ Copilot Container │ │ │ │ • Full filesystem access │ │ -│ │ • Docker-in-Docker support │ │ │ │ • iptables NAT redirection │ │ │ └──────────┬───────────────────┘ │ │ │ All HTTP/HTTPS │ @@ -240,8 +226,6 @@ Works with wildcards: `https://*.secure.example.com` The firewall uses Docker's **DOCKER-USER iptables chain** to enforce rules at the host level. This means: - All containers on the firewall network are subject to filtering -- Spawned containers cannot bypass the firewall -- Protection works even with Docker-in-Docker - No container-level configuration needed ### Comprehensive Logging 
diff --git a/docs-site/src/content/docs/reference/ssl-bump.md b/docs-site/src/content/docs/reference/ssl-bump.md index 0bcee4c1c..063d1e390 100644 --- a/docs-site/src/content/docs/reference/ssl-bump.md +++ b/docs-site/src/content/docs/reference/ssl-bump.md @@ -158,8 +158,6 @@ Each awf execution uses a unique CA certificate. Old session certificates become - The session CA is injected only into the agent container's trust store - Host system trust stores are NOT modified -- Spawned containers inherit the modified trust store -- This means spawned containers can also have HTTPS traffic intercepted ### Traffic Visibility
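Review bot: In the `@@ -126,18 +125,6 @@` hunk of index.md, the deleted `### Docker-in-Docker` section was the only place that told readers how a container started by the agent (`docker run --rm curlimages/curl ...`) was expected to behave; deleting it with no replacement leaves that case undocumented rather than documented as unsupported. If the capability is gone, put a one-line note where the section was, stating that containers spawned from inside the agent container are not covered by the firewall's guarantees, so users do not assume the previously documented behaviour still holds; if the capability still exists and only the wording is being removed, say so in the commit message.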
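Review bot: In the `@@ -240,8 +226,6 @@` hunk of index.md, removing `- Spawned containers cannot bypass the firewall` and `- Protection works even with Docker-in-Docker` leaves `- All containers on the firewall network are subject to filtering` as the only stated reason for using the DOCKER-USER chain, and it is no longer clear which containers other than the agent container that refers to. Reword the remaining bullets to say what the host-level chain still provides as defense-in-depth, for example that it applies even if traffic escapes the container-level `iptables NAT redirection` shown in the architecture diagram earlier in the file; otherwise the "Host-Level Protection" capability reads as redundant with the container-level layer.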
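Review bot: In the ssl-bump.md hunk, deleting `- Spawned containers inherit the modified trust store` and `- This means spawned containers can also have HTTPS traffic intercepted` removes a trust-boundary statement instead of updating it: the surviving bullets say the session CA is injected only into the agent container's trust store and that host trust stores are not modified, so a reader can no longer tell whether anything started from the agent container will trust the session CA and have its HTTPS intercepted. Keep one line here stating the current position, either that containers spawned from the agent container are unsupported and get no session CA, or, if they can still be started, whether they inherit the trust store. Silent removal is the one option that leaves the interception scope ambiguous in the section that documents it.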