---
title: Customizing or disabling the firewall for GitHub Copilot coding agent
shortTitle: Customize the agent firewall
intro: 'Learn how to control the domains and URLs that {% data variables.copilot.copilot_coding_agent %} can access.'
contentType: how-tos
---
> [!NOTE]
> Firewall configuration has moved to the {% data variables.copilot.copilot_coding_agent %} settings page. Previous configurations saved as Actions variables will be maintained on that page.

## Overview
By default, {% data variables.product.prodname_copilot_short %}'s access to the internet is limited by a firewall.
Limiting access to the internet helps to manage data exfiltration risks: unexpected behavior from {% data variables.product.prodname_copilot_short %}, or malicious instructions given to it (for example, prompt injection in an issue, comment or repository file), could otherwise lead to code or other sensitive information being sent to remote locations.
The firewall always allows access to a number of hosts that {% data variables.product.prodname_copilot_short %} uses to interact with {% data variables.product.github %}. By default, a recommended allowlist is also enabled to allow the agent to download dependencies.
If {% data variables.product.prodname_copilot_short %} tries to make a request which is blocked by the firewall, a warning is added to the pull request body (if {% data variables.product.prodname_copilot_short %} is creating a pull request for the first time) or to a comment (if {% data variables.product.prodname_copilot_short %} is responding to a pull request comment). The warning shows the blocked address and the command that tried to make the request.
## Limitations
The agent firewall has important limitations that affect its security coverage.
- **Only applies to processes started by the agent:** The firewall only applies to processes started by the agent via its Bash tool. It does not apply to Model Context Protocol (MCP) servers or to processes started in configured {% data variables.product.prodname_copilot_short %} setup steps.
- **Only applies within the {% data variables.product.prodname_actions %} appliance:** The firewall only operates within the {% data variables.product.prodname_actions %} appliance environment. It does not apply to processes running outside of this environment.
- **Bypass potential:** Sophisticated attacks may bypass the firewall, potentially allowing unauthorized network access and data exfiltration.
These limitations mean that the firewall provides a layer of protection for common scenarios, but should not be considered a comprehensive security solution.
## Understanding the recommended firewall allowlist
The recommended allowlist, enabled by default, allows access to:
- Common operating system package repositories (for example, Debian, Ubuntu, Red Hat).
- Common container registries (for example, Docker Hub, Azure Container Registry, AWS Elastic Container Registry).
- Package registries used by popular programming languages (C#, Dart, Go, Haskell, Java, JavaScript, Perl, PHP, Python, Ruby, Rust, Swift).
- Common certificate authorities (so that TLS certificates can be validated, including certificate revocation and OCSP lookups).
- Hosts used to download web browsers for the Playwright MCP server.
For the complete list of hosts included in the recommended allowlist, see AUTOTITLE.
## Disabling the recommended allowlist
You can choose to turn off the recommended allowlist. Disabling the recommended allowlist is likely to increase the risk of unauthorized access to external resources.
{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
1. In the "Code & automation" section of the sidebar, click **{% data variables.product.prodname_copilot_short %}** then **{% data variables.copilot.copilot_coding_agent_short %}**.
1. Toggle the **Recommended allowlist** setting off.

To use the recommended allowlist in addition to your own allowlist, keep the **Recommended allowlist** setting on, and add your additional addresses in the **Custom allowlist** page.
## Allowlisting additional hosts in the agent's firewall

You can allowlist additional addresses in the agent's firewall.

{% data reusables.repositories.navigate-to-repo %}
{% data reusables.repositories.sidebar-settings %}
1. In the "Code & automation" section of the sidebar, click **{% data variables.product.prodname_copilot_short %}** then **{% data variables.copilot.copilot_coding_agent_short %}**.
1. Click **Custom allowlist**.
1. Add the addresses you want to include in the allowlist. You can include:
   - Domains (for example, `packages.contoso.corp`). Traffic will be allowed to the specified domain and any of its subdomains.

     Example: `packages.contoso.corp` will allow traffic to `packages.contoso.corp` and `prod.packages.contoso.corp`, but not `artifacts.contoso.corp`.
   - URLs (for example, `https://packages.contoso.corp/project-1/`). Traffic will only be allowed on the specified scheme (`https`) and host (`packages.contoso.corp`), and limited to the specified path and its descendant paths.

     Example: `https://packages.contoso.corp/project-1/` will allow traffic to `https://packages.contoso.corp/project-1/` and `https://packages.contoso.corp/project-1/tags/latest`, but not `https://packages.contoso.corp/project-2`, `ftp://packages.contoso.corp` or `https://artifacts.contoso.corp`.
1. Click **Add Rule**.
1. After validating your list, click **Save changes**.

Prefer URL rules over bare domain rules where you can: a domain rule also admits every subdomain, so `contoso.corp` would open the agent to any host under that domain, while a URL rule pins the scheme, the host and the path prefix.
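The two rule forms above have different matching semantics, and it is worth being able to predict which requests a given allowlist admits before the agent runs. The following Python reference matcher is an added example written for this page, not GitHub's firewall implementation; it encodes the domain and URL semantics exactly as the steps describe them, and the details it has to fill in (hosts compared case-insensitively, path prefixes matched on segment boundaries so that `/project-1/` does not admit `/project-10/`, ports ignored) are assumptions. The rules and request URLs at the bottom are constructed inputs mirroring the examples in the text.

```python
"""Reference matcher for the agent firewall's custom allowlist rule forms.

Added example for this page; not GitHub's own code. Assumptions beyond the text:
host comparison is case-insensitive, ports are ignored, and URL-rule paths match
on path-segment boundaries.
"""
from urllib.parse import urlsplit


def _host_matches_domain(host: str, domain: str) -> bool:
    """Domain rule: the domain itself and any subdomain of it.

    The leading dot in the suffix check is what stops `notpackages.contoso.corp`
    from matching a rule for `packages.contoso.corp`.
    """
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def _path_matches(request_path: str, rule_path: str) -> bool:
    """URL rule path: the rule path itself or any descendant path.

    Assumption: descendants are matched on segment boundaries, so a rule for
    `/project-1/` admits `/project-1/tags/latest` but not `/project-10/`.
    """
    rule_dir = rule_path if rule_path.endswith("/") else rule_path + "/"
    return (
        request_path == rule_path
        or request_path == rule_dir
        or request_path.startswith(rule_dir)
    )


def is_allowed(url: str, rules) -> bool:
    """Return True if `url` is admitted by at least one rule in `rules`.

    A rule containing `://` is treated as a URL rule (scheme + exact host +
    path prefix); anything else is treated as a bare domain rule.
    """
    req = urlsplit(url)
    req_host = (req.hostname or "").lower()
    for rule in rules:
        if "://" in rule:
            r = urlsplit(rule)
            if (
                req.scheme.lower() == r.scheme.lower()
                and req_host == (r.hostname or "").lower()
                and _path_matches(req.path or "/", r.path or "/")
            ):
                return True
        elif _host_matches_domain(req_host, rule):
            return True
    return False


def evaluate(urls, rules):
    """Map each request URL to its verdict, for reviewing an allowlist offline."""
    return {u: is_allowed(u, rules) for u in urls}


if __name__ == "__main__":
    # Constructed inputs mirroring the examples in the text.
    rules = ["packages.contoso.corp", "https://artifacts.contoso.corp/project-1/"]
    requests = [
        "https://packages.contoso.corp/",
        "https://prod.packages.contoso.corp/index.json",
        "https://notpackages.contoso.corp/",
        "https://artifacts.contoso.corp/project-1/tags/latest",
        "https://artifacts.contoso.corp/project-10/",
        "ftp://artifacts.contoso.corp/project-1/",
    ]
    for url, ok in evaluate(requests, rules).items():
        print(f"{'ALLOW' if ok else 'BLOCK':5}  {url}")
```

Run it against your own draft allowlist and the hosts your build actually touches (the blocked addresses reported in the pull request body or comment are a good starting list) before saving the rules in the settings page.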
## Disabling the firewall

> [!WARNING]
> Disabling the firewall will allow {% data variables.product.prodname_copilot_short %} to connect to any host, increasing the risk of exfiltration of code or other sensitive information.

The firewall is enabled by default. To disable it, open the same {% data variables.copilot.copilot_coding_agent_short %} settings page and toggle the **Enable firewall** setting off.
