CargoWall

What is CargoWall?

CargoWall is CodeCargo's eBPF-based Layer 4 firewall that controls network egress from your GitHub Actions workflow runs. It monitors and enforces network access policies on every outbound connection made during workflow execution, helping prevent data exfiltration and ensuring workflows only communicate with approved destinations.

Key Capabilities

  • Enforce Mode: Block unauthorized outbound connections in real time
  • Audit Mode: Monitor and log all network activity without blocking — ideal for rollout and assessment
  • Policy-Based Rules: Define allowed destinations by hostname, IP address, subnet, or port
  • Workflow Visualization: View security overlays on workflow run graphs showing per-job and per-step network activity
  • Multi-Level Assignment: Apply policies at the organization, repository, or individual workflow level

Overview Dashboard

The CargoWall hub is accessible from the organization sidebar under CargoWall. The landing page provides five switchable dashboard views, each with summary statistics and trend charts. Use the period selector (30, 60, or 90 days) to adjust the reporting window.

CargoWall overview dashboard

Enforcement

The default view focuses on policy enforcement outcomes:

  • Denied Connections — connections blocked by enforce-mode policies
  • Denial Rate (%) — percentage of total connections that were denied
  • Allowed Connections — connections that matched an allow rule
  • Runs Impacted — workflow runs where at least one connection was denied

Charts display Connections Over Time (allowed, denied, and would-deny trends) and Denial Rate Over Time. A Top Denied Destinations card shows the most frequently blocked hostnames.

Coverage

Shows how broadly CargoWall is deployed across your workflows:

  • Enforcement Coverage (%) — workflows running in enforce mode
  • Audit Coverage (%) — workflows running in audit mode
  • Unprotected Workflows — workflows with no CargoWall policy assigned
  • Policy Assignment (%) — repositories with at least one policy
  • Active Policies — total active policies in the organization

Activity

A general traffic overview for the selected period:

  • Total Runs — workflow runs analyzed
  • Total Connections — outbound network connections observed
  • Unique Destinations — distinct hostnames contacted
  • New Destinations — hostnames seen for the first time in this period
  • Connections per Run — average outbound connections per workflow run

Audit Readiness

Helps you evaluate the impact of switching audit-mode policies to enforce:

  • Would-Deny Connections — connections that would be blocked if audit switched to enforce
  • Would-Deny Rate (%) — percentage of audit connections that would be blocked
  • Projected Impact — additional connections blocked if all audit policies moved to enforce

A High-Risk Audit Workflows table lists workflows ranked by would-deny count so you can prioritize enforce rollout.

The fifth view shows longer-term trend charts for Denial Rate, Enforcement Coverage, New Destinations, and Would-Block counts over time. It is useful for tracking security posture improvements across reporting periods.

Runs

The Runs tab lists all workflow runs that CargoWall has analyzed. You can filter by repository, workflow name, actor (GitHub user), and time range, and sort by any column.

CargoWall runs list

Run Detail

Click a run to open the detail view, which has two tabs:

Jobs Tab

  • Left sidebar: lists each job in the run with a status icon
  • Main panel: shows the selected job's network events

For each job you see summary stats — Destinations, Allowed, Denied (or Would Deny in audit mode), and Total connections. An events table lists every outbound connection with columns for Step, Process, Destination, Port, Status, and Timestamp. Use the search bar or "Show denied only" toggle to focus on policy violations.

CargoWall run detail with events

Visualizer Tab

A React Flow–based graph renders the workflow structure with a security overlay:

  • API-Driven Expansion: Matrix jobs are expanded using actual run data from the GitHub API, showing the exact job variants that executed
  • Security Indicators: Each job and step node displays network activity badges and policy enforcement status
  • Security Panel: Click any job or step to open a side panel showing its network events, unique destinations, and allow/deny breakdown

Workflow visualizer with CargoWall security overlay

Policies

Policies define which network destinations are allowed during workflow execution. Any connection that does not match a rule is denied by default.

CargoWall policy list with rules

Creating a Policy

  1. Click Create Policy on the Policies tab
  2. Enter a policy name
  3. Add rules to the policy

Policy Rules

Each rule specifies an allowed destination using one of these types:

  • Hostname: domain match, with subdomains automatically included. Example: github.com (also allows *.github.com)
  • IP: a specific IP address. Example: 192.168.1.100
  • Subnet: a CIDR range. Example: 10.0.0.0/8
  • Port: optional port restriction per rule. Example: 443, 8080

Rules define allow actions. The implicit default is deny all — connections that don't match any rule are blocked (in enforce mode) or flagged (in audit mode).
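As an added illustration (not CargoWall's own code), the following Python models the rule types and the implicit default deny described above, then computes the per-job Destinations / Allowed / Denied counts from the run detail view for a constructed policy and set of connection events. The Rule, Connection, evaluate and summarize names are assumptions, not a CargoWall API, and the sample IPs and hostnames are constructed.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    kind: str                        # "hostname", "ip" or "subnet"
    value: str                       # e.g. "github.com", "192.168.1.100", "10.0.0.0/8"
    ports: frozenset = frozenset()   # optional port restriction; empty = any port

@dataclass(frozen=True)
class Connection:
    host: str   # destination hostname as observed; "" if only an IP was seen
    ip: str
    port: int

def rule_matches(rule: Rule, conn: Connection) -> bool:
    """Hostname rules also cover subdomains; ip/subnet rules match the address; ports, if set, must match."""
    if rule.ports and conn.port not in rule.ports:
        return False
    if rule.kind == "hostname":
        host, value = conn.host.lower().rstrip("."), rule.value.lower().rstrip(".")
        return host == value or host.endswith("." + value)
    if rule.kind == "ip":
        return ipaddress.ip_address(conn.ip) == ipaddress.ip_address(rule.value)
    if rule.kind == "subnet":
        return ipaddress.ip_address(conn.ip) in ipaddress.ip_network(rule.value, strict=False)
    raise ValueError(f"unknown rule type {rule.kind!r}")

def evaluate(policy: list, conn: Connection, mode: str) -> str:
    """Implicit default deny: no matching allow rule is 'denied' (enforce) or 'would_deny' (audit, logged only)."""
    if any(rule_matches(r, conn) for r in policy):
        return "allowed"
    return "denied" if mode == "enforce" else "would_deny"

def summarize(policy: list, conns: list, mode: str) -> dict:
    """Per-job stats as in the run detail view: Destinations, Allowed, Denied (or Would Deny in audit), Total."""
    outcomes = Counter(evaluate(policy, c, mode) for c in conns)
    return {"destinations": len({c.host or c.ip for c in conns}),
            "allowed": outcomes["allowed"],
            "denied": outcomes["denied"] + outcomes["would_deny"],
            "total": len(conns)}

# Constructed sample policy and events (not real CargoWall data).
POLICY = [Rule("hostname", "github.com", frozenset({443})),
          Rule("subnet", "10.0.0.0/8"), Rule("ip", "192.168.1.100")]
EVENTS = [Connection("api.github.com", "198.51.100.10", 443),    # subdomain on port 443: allowed
          Connection("github.com", "198.51.100.11", 22),         # host matches, port 22 does not
          Connection("", "10.4.2.7", 8080),                      # inside the allowed subnet
          Connection("files.example.net", "203.0.113.9", 443)]   # no rule: default deny
```

Running summarize(POLICY, EVENTS, "audit") gives the same counts as enforce mode, but the two unmatched connections are reported as Would Deny rather than blocked.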

Policy Groups

You can group multiple policies together into a Policy Group for easier bulk assignment. Create a group, then add one or more policies to it. Policy groups can be assigned to repositories or workflows just like individual policies.

Assignments

The Assignments tab controls where and how policies are applied, using a three-level hierarchy:

CargoWall policy assignments

Organization Level

Set a default mode (Enforce or Audit) and policy for the entire organization. All repositories and workflows inherit these settings unless overridden.

Repository Level

Override the organization defaults for specific repositories. Each repository can have its own mode and policy assignment. The assignments page shows aggregate statistics: percentage of workflows in enforce mode, audit mode, and unspecified.

Workflow Level

Override repository settings for individual workflows. This gives you fine-grained control — for example, enforce mode on production deployment workflows while keeping new workflows in audit mode.

At each level you can:

  • Select a mode: Inherit (from parent), Enforce, or Audit
  • Assign a policy or policy group
  • Enable or disable CargoWall for that entity
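An added example, not CodeCargo code, of how the three-level Inherit resolution described above can be modelled: organization defaults, overridden per repository, overridden again per workflow. Assignment and effective are assumed names, and treating a disabled parent level as disabling its children is an assumption the page does not state.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Assignment:
    mode: str = "inherit"           # "inherit" (from parent), "enforce" or "audit"
    policy: Optional[str] = None    # policy or policy group name; None = inherit from parent
    enabled: bool = True            # CargoWall switched on for this entity

def effective(org: Assignment, repo: Optional[Assignment] = None,
              workflow: Optional[Assignment] = None) -> dict:
    """Resolve the hierarchy: org defaults, then repo, then workflow; the most specific
    explicit setting wins. Assumption: disabling a parent level disables its children."""
    mode, policy, enabled = org.mode, org.policy, org.enabled
    for level in (repo, workflow):
        if level is None:
            continue
        enabled = enabled and level.enabled
        if level.mode != "inherit":
            mode = level.mode
        if level.policy is not None:
            policy = level.policy
    if not enabled or policy is None:
        return {"mode": "unprotected", "policy": None}   # would count as an Unprotected Workflow
    return {"mode": mode, "policy": policy}

# Constructed example: org-wide audit, a production deploy workflow forced to enforce.
ORG = Assignment(mode="audit", policy="baseline-egress")
REPO = Assignment(policy="web-services-group")   # keeps audit mode, swaps in a policy group
DEPLOY = Assignment(mode="enforce")              # inherits the repo's policy group
NEW_WF = Assignment()                            # inherits everything
```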

Using CargoWall in Your Workflows

To integrate CargoWall into your GitHub Actions workflows, add the CargoWall action:

- uses: code-cargo/cargowall-action@latest
  with:
    mode: enforce
    api-url: https://app.codecargo.com

Configuration options:

  • mode: enforce to block unauthorized connections, or audit to monitor without blocking
  • api-url: CodeCargo API endpoint for policy management
  • allowed-hosts (optional): Comma-separated list of permitted domains for inline policy — only needed if you are not using a SaaS-managed policy

Action Repository

The CargoWall GitHub Action is maintained in the code-cargo/cargowall-action repository. Always use the latest version for the most up-to-date security features.

Key Terminology

  • Enforce: denied connections are blocked in real time
  • Audit: denied connections are logged but not blocked (test/assessment mode)
  • Would Deny: connections flagged in audit mode that would be blocked under enforce
  • Coverage: percentage of workflows with a CargoWall policy assigned
  • Denial Rate: percentage of all observed connections that were denied
  • Policy: a set of allow rules; unmatched traffic is denied by default
  • Policy Group: a collection of policies for bulk assignment