{"id":38788004,"url":"https://github.com/koalalab-inc/bolt","last_synced_at":"2026-01-17T12:35:42.951Z","repository":{"id":222466020,"uuid":"756874644","full_name":"koalalab-inc/bolt","owner":"koalalab-inc","description":"Secure GitHub actions with 1 line of code","archived":false,"fork":false,"pushed_at":"2024-04-09T18:16:04.000Z","size":1321,"stargazers_count":7,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2024-04-09T22:21:13.812Z","etag":null,"topics":["cicd","devops","devsecops","egress-filtering","egress-gateway","github-actions","hardening","owasp-top-10","sdlc-security","security-tools","supply-chain-security"],"latest_commit_sha":null,"homepage":"https://www.koalalab.com/","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/koalalab-inc.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2024-02-13T13:33:45.000Z","updated_at":"2024-07-30T18:00:31.626Z","dependencies_parsed_at":"2024-04-01T12:45:28.477Z","dependency_job_id":"ba4eff42-3dbf-4895-934e-ef3ee0dd0f5f","html_url":"https://github.com/koalalab-inc/bolt","commit_stats":null,"previous_names":["koalalab-inc/bolt"],"tags_count":33,"template":false,"template_full_name":"actions/javascript-action","purl":"pkg:github/koalalab-inc/bolt","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/koalalab-inc%2Fbolt","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/koalalab-inc%2Fbolt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/koalalab-inc%2Fbolt/release
s","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/koalalab-inc%2Fbolt/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/koalalab-inc","download_url":"https://codeload.github.com/koalalab-inc/bolt/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/koalalab-inc%2Fbolt/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28508473,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-17T11:50:55.898Z","status":"ssl_error","status_checked_at":"2026-01-17T11:50:55.569Z","response_time":85,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cicd","devops","devsecops","egress-filtering","egress-gateway","github-actions","hardening","owasp-top-10","sdlc-security","security-tools","supply-chain-security"],"created_at":"2026-01-17T12:35:40.422Z","updated_at":"2026-01-17T12:35:42.943Z","avatar_url":"https://github.com/koalalab-inc.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"![Bolt](assets/imgs/bolt-header-dark.png)\n[![OSSF-Scorecard Score](https://img.shields.io/ossf-scorecard/github.com/koalalab-inc/bolt?label=openssf%20scorecard)](https://api.securityscorecards.dev/projects/github.com/koalalab-inc/bolt)\n![GitHub 
License](https://img.shields.io/github/license/koalalab-inc/bolt)\n\n# BOLT: Secure GitHub Actions Runtime with 1 line of code\n\nBOLT is an egress filter and runtime security tool for your GitHub Actions\nenvironment.\n\n### Usage\n\nAdd this step to the jobs in your GitHub workflow file(s) to secure your runner:\n\n```yaml\n- name: Setup Bolt\n  uses: koalalab-inc/bolt@v1\n```\n\nBOLT is packaged as a GitHub Action, which means you can easily add it to your\nworkflows and start controlling the egress traffic from your pipelines. The\n`@v1` reference follows the latest v1 release; pin the action to a full commit\nSHA instead if your policy requires immutable action references.\n\n\u003e [!NOTE]\n\u003e\n\u003e Supports both public and private repositories\n\n## Why use BOLT?\n\nThe aftermath of the\n[SolarWinds breach](https://en.wikipedia.org/wiki/2020_United_States_federal_government_data_breach)\nhas led to\n[an increase in software supply chain attacks](https://linuxfoundation.eu/newsroom/the-rising-threat-of-software-supply-chain-attacks-managing-dependencies-of-open-source-projects).\n\nCI/CD pipelines are the infrastructure on which software is built; they hold\nthe keys to the cloud kingdom and are high-leverage attack surfaces.\n\n[OWASP top 10 CI/CD](https://owasp.org/www-project-top-10-ci-cd-security-risks/)\nand\n[CISA+NSA's joint guidance on defending CI/CD](https://www.cisa.gov/news-events/alerts/2023/06/28/cisa-and-nsa-release-joint-guidance-defending-continuous-integrationcontinuous-delivery-cicd)\nare good starting points for understanding the threat vectors surrounding\nCI/CD. An adaptation of the same for the GitHub environment looks like this:\n\n![CI:CD Threat Vectors](https://github.com/user-attachments/assets/99ed2591-6f8f-45f0-b6be-5e8133c19f96)\n\nand, focusing specifically on the CI runtime threat vectors (and their solutions):\n\n![CI Runtime Threat Vectors](https://github.com/user-attachments/assets/c115b4d1-d42c-4e72-85a4-b61eeda83371)\n\nBOLT covers both threat vectors by:\n\n1. A transparent egress-filtering mechanism that allows traffic only to trusted\n   domains\n2. Detection of actions that use sudo permissions, to protect against file\n   tampering during build time\n\n## How to use Bolt - Video Introduction\n\nhttps://github.com/koalalab-inc/bolt/assets/2908925/7bf51186-e673-4bed-9b56-ae15c7ab9154\n\n## Usage\n\nYou can start using Bolt by adding the `koalalab-inc/bolt` action as the first\nstep in the jobs you want to monitor; steps that run before it are not covered.\nThe action installs and starts the Bolt service on the runner. Check out the\nconfiguration options and defaults [here](#Configure).\n\n```yaml\n- name: Setup Bolt\n  uses: koalalab-inc/bolt@v1\n```\n\n![bolt-usage-before-after.png](assets/imgs/bolt-usage-before-after.png)\n\n## Configure\n\nYou can configure the Bolt action using inputs. Note that the default `mode` is\n`audit`, so without any configuration Bolt only reports; set `mode: 'active'` to\nenforce the policy. Here is an example of how to configure the action.\n\n```yaml\n- name: Setup Bolt\n  uses: koalalab-inc/bolt@v1\n  with:\n    mode: 'audit'\n    egress_rules: |\n      - name: 'Allow GitHub subs'\n        destination: '*.github.com'\n        action: 'allow'\n    disable_passwordless_sudo: 'false'\n    default_policy: 'block-all'\n    allow_http: 'false'\n    graceful: 'true'\n```\n\n| Option                      | Description                                                                                           |\n| --------------------------- | ----------------------------------------------------------------------------------------------------- |\n| `mode`                      | Mode of operation for the Bolt gateway: `audit` (log only) or `active` (enforce). Default: `audit`    |\n| `egress_rules`              | An ordered list of custom egress rules to be applied. Default: `[]`                                   |\n| `disable_passwordless_sudo` | Whether to disable passwordless sudo on the runner. Default: `false`                                  |\n| `allow_http`                | Whether to allow plain (non-TLS) HTTP requests. Default: `false`                                      |\n| `default_policy`            | Action for destinations that match no rule: `block-all` or `allow-all`. Default: `block-all`          |\n| `graceful`                  | Whether to fail gracefully, rather than failing the job, on unsupported platforms. Default: `true`    |\n\n## Custom Egress Policy\n\nYou can define custom egress rules to control the egress traffic from your\npipelines.\n\nIn `audit` mode, the Bolt gateway only logs the egress traffic and the rule each\nconnection matched. In `active` mode, it enforces the defined rules. Start in\n`audit` mode, review the report in the job summary, and switch to `active` once\nthe rules cover every destination the job legitimately needs.\n\nEgress rule options:\n\n| Option        | Description                                                          |\n| ------------- | -------------------------------------------------------------------- |\n| `name`        | A name for the rule                                                  |\n| `destination` | The destination domain or IP address. The `*` wildcard is supported. |\n| `action`      | The action to be taken. It can be `allow` or `block`                 |\n\nThe rules form an ordered list; the first rule whose `destination` matches is\napplied. Place specific rules (such as the `api.example.com` block below)\nbefore broader wildcard rules that would otherwise shadow them. Here is an\nexample of how to define custom egress rules:\n\n```yaml\n- name: Setup Bolt\n  uses: koalalab-inc/bolt@v1\n  with:\n    mode: 'audit'\n    default_policy: 'block-all'\n    allow_http: 'false'\n    egress_rules: |\n      - name: 'Allow GitHub subdomains'\n        destination: '*.github.com'\n        action: 'allow'\n      - name: 'Block api subdomain'\n        destination: 'api.example.com'\n        action: 'block'\n      - name: 'Allow other subdomains'\n        destination: '*.example.com'\n        action: 'allow'\n```\n\n## Report in workflow logs\n\nOnce the job is over, Bolt adds an egress traffic report to the job summary.\nThe report shows the egress traffic and the rules that were applied.\n
A\nsample report is shown below.\n\n\u003chr\u003e\n\n\u003ch2\u003e⚡ Egress Report - powered by Bolt\u003c/h2\u003e\n\n\u003cdetails open\u003e\n  \u003csummary\u003e\n\u003ch3\u003e🛠️ Bolt Configuration\u003c/h3\u003e\n\n  \u003c/summary\u003e\n\u003ctable\u003e\u003ctr\u003e\u003ctd\u003eMode\u003c/td\u003e\u003ctd\u003eaudit\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eAllow HTTP\u003c/td\u003e\u003ctd\u003efalse\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eDefault Policy\u003c/td\u003e\u003ctd\u003eblock-all\u003c/td\u003e\u003c/tr\u003e\u003c/table\u003e\n\n\u003c/details\u003e\n    \n\u003ch3\u003e📝 Egress rules\u003c/h3\u003e\n\u003cpre lang=\"yaml\"\u003e\u003ccode\u003e- destination: google.com\n  action: block\n  name: Block Google\n- destination: ifconfig.me\n  action: allow\n  name: Allow ifconfig.me\u003c/code\u003e\u003c/pre\u003e\n\n\u003ch3\u003eEgress Traffic\u003c/h3\u003e\n\u003cblockquote\u003eNOTE: Running in Audit mode. Unknown/unverified destinations will be blocked in Active mode.\u003c/blockquote\u003e\n\n\u003cdetails open\u003e\n  \u003csummary\u003e\n\u003ch4\u003e🚨 Unknown Destinations\u003c/h4\u003e\n\n  \u003c/summary\u003e\n\u003ctable\u003e\u003ctr\u003e\u003cth\u003eDestination\u003c/th\u003e\u003cth\u003eScheme\u003c/th\u003e\u003cth\u003eRule\u003c/th\u003e\u003cth\u003eAction\u003c/th\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003ewww.google.com\u003c/td\u003e\u003ctd\u003ehttps\u003c/td\u003e\u003ctd\u003eDefault Policy - block-all\u003c/td\u003e\u003ctd\u003eUnknown Destination\u003c/td\u003e\u003c/tr\u003e\u003c/table\u003e\n\n\u003c/details\u003e\n    \n\u003cdetails\u003e\n  \u003csummary\u003e\n\u003ch4\u003e✅ Known Destinations\u003c/h4\u003e\n\n  
\u003c/summary\u003e\n\u003ctable\u003e\u003ctr\u003e\u003cth\u003eDestination\u003c/th\u003e\u003cth\u003eScheme\u003c/th\u003e\u003cth\u003eRule\u003c/th\u003e\u003cth\u003eAction\u003c/th\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003egithub.com\u003c/td\u003e\u003ctd\u003ehttps\u003c/td\u003e\u003ctd\u003eReqd by Github Action\u003c/td\u003e\u003ctd\u003e✅\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003epipelinesghubeus6.actions.githubusercontent.com\u003c/td\u003e\u003ctd\u003ehttps\u003c/td\u003e\u003ctd\u003eReqd by Github Action\u003c/td\u003e\u003ctd\u003e✅\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eresults-receiver.actions.githubusercontent.com\u003c/td\u003e\u003ctd\u003ehttps\u003c/td\u003e\u003ctd\u003eReqd by Github Action\u003c/td\u003e\u003ctd\u003e✅\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eifconfig.me\u003c/td\u003e\u003ctd\u003ehttps\u003c/td\u003e\u003ctd\u003eAllow ifconfig.me\u003c/td\u003e\u003ctd\u003e✅\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003eapi.github.com\u003c/td\u003e\u003ctd\u003ehttps\u003c/td\u003e\u003ctd\u003eReqd by Github Action\u003c/td\u003e\u003ctd\u003e✅\u003c/td\u003e\u003c/tr\u003e\u003c/table\u003e\n\n\u003c/details\u003e\n    \u003ca href=\"https://www.koalalab.com\"\u003eView detailed analysis of this run on Koalalab!\u003c/a\u003e\n\u003chr\u003e\n\nThis report was generated using this workflow file:\n[bolt-sample.yml](examples/bolt.yml)\n\n\u003chr\u003e\n\n\u003e [!NOTE]\n\u003e\n\u003e We have removed SSL inspection features from Bolt. It had some compatibility\n\u003e issues with certain package managers. We will soon release a new version with\n\u003e improved SSL inspection capabilities.\n\n## Usage and Limitations\n\nBOLT is available for private as well as public repositories on GitHub-hosted\nUbuntu runners.\n
Contact us if you want to use BOLT on self-hosted\nrunners.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkoalalab-inc%2Fbolt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkoalalab-inc%2Fbolt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkoalalab-inc%2Fbolt/lists"}
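The following is an added example, not code from the Bolt project: a small JavaScript evaluator that implements the egress-policy semantics the README's Custom Egress Policy section describes (an ordered rule list, first match wins, `*` wildcards in `destination`, `default_policy` for unmatched hosts, `allow_http` for plain-HTTP requests, audit versus active mode) and runs the README's sample rule set over constructed traffic. The function names (`compileDestination`, `evaluateEgress`, `buildReport`), the config object shape, and the wildcard semantics (`*.example.com` matches subdomains only, not the apex `example.com`; matching is case-insensitive; an IP destination must match exactly) are assumptions made for illustration, not Bolt's implementation.

```javascript
'use strict';
// Added example, not Bolt's own code: a reference evaluator for the egress
// policy semantics described in the README (ordered rules, first match wins,
// `*` wildcards in `destination`, `default_policy` for unmatched hosts,
// `allow_http` for plain-HTTP requests, audit vs. active mode).
// Assumptions not stated on the page: `*.example.com` matches subdomains only
// (not the apex `example.com`), matching is case-insensitive, and an IP
// address destination must match exactly.

// Compile a destination pattern into a RegExp. `*` matches one or more
// characters, so `*.example.com` matches `a.example.com` and `a.b.example.com`.
function compileDestination(pattern) {
  const escaped = pattern
    .toLowerCase()
    .split('*')
    .map((part) => part.replace(/[.+?^${}()|[\]\\]/g, '\\$&'))
    .join('.+');
  return new RegExp(`^${escaped}$`);
}

// Validate and pre-compile the rule list; reject anything other than allow/block.
function normalizeRules(rules) {
  return rules.map((r, i) => {
    if (r.action !== 'allow' && r.action !== 'block') {
      throw new Error(`rule ${i} (${r.name}): action must be allow or block`);
    }
    return { name: r.name, action: r.action, re: compileDestination(r.destination) };
  });
}

// Decide what happens to one outbound connection. `known` is true when an
// explicit rule matched; unmatched hosts fall through to `default_policy`
// and are what the report lists as unknown destinations. The decision is
// only enforced in active mode; audit mode records it and lets traffic pass.
function evaluateEgress(config, request) {
  const { mode = 'audit', defaultPolicy = 'block-all', allowHttp = false } = config;
  const rules = normalizeRules(config.rules || []);
  const host = request.host.toLowerCase();
  const enforced = mode === 'active';

  if (request.scheme === 'http' && !allowHttp) {
    return { host, action: 'block', rule: 'allow_http - false', known: false, enforced };
  }
  const match = rules.find((r) => r.re.test(host));
  if (match) {
    return { host, action: match.action, rule: match.name, known: true, enforced };
  }
  const action = defaultPolicy === 'allow-all' ? 'allow' : 'block';
  return { host, action, rule: `Default Policy - ${defaultPolicy}`, known: false, enforced };
}

// Summarise observed connections the way the job-summary report does:
// rule hits vs. default-policy fall-throughs, plus the hosts actually blocked.
function buildReport(config, requests) {
  const decisions = requests.map((req) => evaluateEgress(config, req));
  return {
    known: decisions.filter((d) => d.known),
    unknown: decisions.filter((d) => !d.known),
    blocked: decisions.filter((d) => d.action === 'block' && d.enforced).map((d) => d.host),
  };
}

// The README's example policy as a constructed config object (the real action
// receives the rules as YAML through the `egress_rules` input), switched to
// active mode so that blocks are enforced.
const SAMPLE_CONFIG = {
  mode: 'active',
  defaultPolicy: 'block-all',
  allowHttp: false,
  rules: [
    { name: 'Allow GitHub subdomains', destination: '*.github.com', action: 'allow' },
    { name: 'Block api subdomain', destination: 'api.example.com', action: 'block' },
    { name: 'Allow other subdomains', destination: '*.example.com', action: 'allow' },
  ],
};

// Constructed sample traffic, not captured from a real run.
const SAMPLE_TRAFFIC = [
  { host: 'api.github.com', scheme: 'https' },
  { host: 'api.example.com', scheme: 'https' },
  { host: 'cdn.example.com', scheme: 'https' },
  { host: 'example.com', scheme: 'https' },
  { host: 'www.google.com', scheme: 'https' },
  { host: 'mirror.example.com', scheme: 'http' },
];

const report = buildReport(SAMPLE_CONFIG, SAMPLE_TRAFFIC);
for (const d of report.known.concat(report.unknown)) {
  console.log(`${d.host.padEnd(22)} ${d.action.padEnd(6)} ${d.rule}`);
}
```

Run it with `node`. The ordering pitfall is the case worth trying: move the `*.example.com` allow ahead of the `api.example.com` block and the block is shadowed, because the first matching rule wins; that is why the README's example puts the specific rule first. Note also that `example.com` itself falls through to the default policy under the subdomain-only wildcard assumption, so a job that talks to the apex needs its own rule.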