Co-authored-by: hubwriter <hubwriter@github.com> Co-authored-by: Felicity Chapman <felicitymay@github.com> Co-authored-by: Joe Clark <31087804+jc-clark@users.noreply.github.com> Co-authored-by: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com> Co-authored-by: Anne-Marie <102995847+am-stead@users.noreply.github.com> Co-authored-by: felix <guntrip@github.com> Co-authored-by: Felix Guntrip <stevecat@github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Laura Coursen <lecoursen@github.com> Co-authored-by: Tim Rogers <timrogers@github.com> Co-authored-by: Sarah Schneider <sarahs@users.noreply.github.com> Co-authored-by: Sophie <29382425+sophietheking@users.noreply.github.com> Co-authored-by: Nhu Do <nhu-do@github.com> Co-authored-by: Ellie Bennett <34038869+elliebennett@users.noreply.github.com> Co-authored-by: Janice <janiceilene@github.com> Co-authored-by: Melanie Yarbrough <11952755+myarb@users.noreply.github.com> Co-authored-by: Sarah Schneider <sarahs@github.com> Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com> Co-authored-by: Sunbrye Ly <56200261+sunbrye@users.noreply.github.com> Co-authored-by: Steve Ward <steveward@github.com> Co-authored-by: Vanessa <vgrl@github.com> Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com> Co-authored-by: Kate Catlin <KateCatlin@users.noreply.github.com> Co-authored-by: Claire W <78226508+crwaters16@users.noreply.github.com>
60 lines
4.2 KiB
Markdown
---
title: Customizing or disabling the firewall for Copilot coding agent
shortTitle: Customize the agent firewall
intro: "Learn how to control the domains and URLs that {% data variables.copilot.copilot_coding_agent %} can access."
versions:
  feature: copilot
topics:
  - Copilot
type: how_to
---

> [!NOTE]
> {% data reusables.copilot.coding-agent.preview-note-text %}
>
> For more information about {% data variables.copilot.copilot_coding_agent %}, see [AUTOTITLE](/copilot/using-github-copilot/using-copilot-coding-agent-to-work-on-tasks/about-assigning-tasks-to-copilot).

## Overview

By default, {% data variables.product.prodname_copilot_short %}'s access to the internet is limited by a firewall.

Limiting access to the internet helps to manage data exfiltration risks, where surprising behavior from {% data variables.product.prodname_copilot_short %}, or malicious instructions given to it, could lead to code or other sensitive information being leaked to remote locations.

The default firewall rules allow access to a number of hosts that {% data variables.product.prodname_copilot_short %} uses to interact with {% data variables.product.github %} or to download dependencies.

If {% data variables.product.prodname_copilot_short %} tries to make a request which is blocked by the firewall, a warning is added to the pull request body (if {% data variables.product.prodname_copilot_short %} is creating a pull request for the first time) or to a comment (if {% data variables.product.prodname_copilot_short %} is responding to a pull request comment). The warning shows the blocked address and the command that tried to make the request.

## Allowlisting additional hosts in the agent's firewall

You can allowlist additional addresses in the agent's firewall by setting the `COPILOT_AGENT_FIREWALL_ALLOW_LIST_ADDITIONS` {% data variables.product.prodname_actions %} variable to a comma-separated list. In that list, you can include:

* **Domains** (for example, `packages.contoso.corp`), in which case traffic will be allowed to that domain and any subdomains.

  **Example**: `packages.contoso.corp` would allow traffic to `packages.contoso.corp` and `prod.packages.contoso.corp`, but not `artifacts.contoso.corp`.

* **URLs** (for example, `https://packages.contoso.corp/project-1/`), in which case traffic will only be allowed on the specified scheme (`https`) and host (`packages.contoso.corp`), and limited to the specified path and descendant paths.

  **Example**: `https://packages.contoso.corp/project-1/` would allow traffic to `https://packages.contoso.corp/project-1/` and `https://packages.contoso.corp/project-1/tags/latest`, but not `https://packages.contoso.corp/project-2`, `ftp://packages.contoso.corp` or `https://artifacts.contoso.corp`.
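
The matching rules described above can be modelled in a short script to review what a proposed allowlist value would permit before you set the variable. This is an added example, not {% data variables.product.github %}'s firewall implementation: the function names are hypothetical, the sample value is constructed, and comparing hosts on label boundaries and paths on `/` boundaries is an assumption drawn from the examples in this article.

```python
from urllib.parse import urlsplit

# Constructed sample value for COPILOT_AGENT_FIREWALL_ALLOW_LIST_ADDITIONS.
SAMPLE = "packages.contoso.corp, https://artifacts.contoso.corp/project-1/"


def parse_allowlist(value):
    """Split the comma-separated value into domain rules and URL rules."""
    rules = []
    for item in (part.strip() for part in value.split(",")):
        if not item:
            continue
        if "://" in item:
            u = urlsplit(item)
            rules.append(("url", u.scheme.lower(), (u.hostname or "").lower(), u.path or "/"))
        else:
            rules.append(("domain", item.lower().rstrip(".")))
    return rules


def _path_within(path, prefix):
    # Assumption: descendant paths are compared on "/" boundaries,
    # so a /project-1/ rule does not cover /project-10.
    base = prefix.rstrip("/")
    return path == base or path.startswith(base + "/")


def is_allowed(request_url, rules):
    """Return True if request_url matches any rule under the documented semantics."""
    u = urlsplit(request_url)
    host = (u.hostname or "").lower().rstrip(".")
    for rule in rules:
        if rule[0] == "domain":
            # Domain rule: the domain itself or a subdomain (label boundary).
            if host == rule[1] or host.endswith("." + rule[1]):
                return True
        else:
            _, scheme, rule_host, prefix = rule
            if (u.scheme.lower(), host) == (scheme, rule_host) and _path_within(u.path or "/", prefix):
                return True
    return False


def review(value, urls):
    """Map each candidate URL to the verdict the allowlist value would give it."""
    rules = parse_allowlist(value)
    return {url: is_allowed(url, rules) for url in urls}
```

Call `review()` with the proposed value and the URLs your build needs, plus look-alike hosts and sibling paths that should stay blocked, and check that each verdict is the one you expect.
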
## Overwriting the firewall allowlist

By default, the firewall allows access to a number of hosts that are commonly used to download dependencies or that {% data variables.product.prodname_copilot_short %} uses to interact with {% data variables.product.github %}.

To completely clear this default allowlist and start again from scratch, set the `COPILOT_AGENT_FIREWALL_ALLOW_LIST` {% data variables.product.prodname_actions %} variable to a comma-separated list of hosts.

For example, to _only_ allow access to `packages.contoso.corp` and `artifacts.contoso.corp`, set the `COPILOT_AGENT_FIREWALL_ALLOW_LIST` variable to `packages.contoso.corp,artifacts.contoso.corp`.

### Disabling the firewall

> [!WARNING]
> Disabling the firewall will allow {% data variables.product.prodname_copilot_short %} to connect to any host, increasing risks of exfiltration of code or other sensitive information.

The firewall is enabled by default. To disable the firewall, set the `COPILOT_AGENT_FIREWALL_ENABLED` {% data variables.product.prodname_actions %} variable to `false`.

## Further reading

* [AUTOTITLE](/actions/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables#creating-configuration-variables-for-a-repository)
* [AUTOTITLE](/copilot/customizing-copilot/customizing-the-development-environment-for-copilot-coding-agent)