Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Sarita Iyer <66540150+saritai@users.noreply.github.com>
| title | shortTitle | intro | versions | topics | type | redirect_from |
|---|---|---|---|---|---|---|
| Customizing or disabling the firewall for Copilot coding agent | Customize the agent firewall | Learn how to control the domains and URLs that {% data variables.copilot.copilot_coding_agent %} can access. | | | how_to | |
Note
{% data reusables.copilot.coding-agent.preview-note-text %}
Firewall configuration has moved to the {% data variables.copilot.copilot_coding_agent %} settings page. Previous configurations saved as Actions variables will be maintained on that page.
Overview
By default, {% data variables.product.prodname_copilot_short %}'s access to the internet is limited by a firewall.
Limiting access to the internet helps to manage data exfiltration risks, where surprising behavior from {% data variables.product.prodname_copilot_short %}, or malicious instructions given to it, could lead to code or other sensitive information being leaked to remote locations.
The default firewall rules allow access to a number of hosts that {% data variables.product.prodname_copilot_short %} uses to interact with {% data variables.product.github %} or to download dependencies.
If {% data variables.product.prodname_copilot_short %} tries to make a request which is blocked by the firewall, a warning is added to the pull request body (if {% data variables.product.prodname_copilot_short %} is creating a pull request for the first time) or to a comment (if {% data variables.product.prodname_copilot_short %} is responding to a pull request comment). The warning shows the blocked address and the command that tried to make the request.
Allowlisting additional hosts in the agent's firewall
You can allowlist additional addresses in the agent's firewall.
{% data reusables.repositories.navigate-to-repo %} {% data reusables.repositories.sidebar-settings %}
- In the "Code & automation" section of the sidebar, click {% data variables.product.prodname_copilot_short %} then {% data variables.copilot.copilot_coding_agent_short %}.
- Click Custom allowlist.
- Add the addresses you want to include in the allowlist. You can include:
  - Domains (for example, packages.contoso.corp). Traffic will be allowed to the specified domain and any subdomains.

    Example: packages.contoso.corp will allow traffic to packages.contoso.corp and prod.packages.contoso.corp, but not artifacts.contoso.corp.
  - URLs (for example, https://packages.contoso.corp/project-1/). Traffic will only be allowed on the specified scheme (https) and host (packages.contoso.corp), and limited to the specified path and descendant paths.

    Example: https://packages.contoso.corp/project-1/ will allow traffic to https://packages.contoso.corp/project-1/ and https://packages.contoso.corp/project-1/tags/latest, but not https://packages.contoso.corp/project-2, ftp://packages.contoso.corp or https://artifacts.contoso.corp.
- Click Add Rule.
- After validating your list, click Save changes.
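The domain and URL matching rules described in the list above, modeled as an added example for checking a planned allowlist before saving it. This is not GitHub's firewall code and not part of the original page. Assumptions: a URL entry matches its host exactly, paths match on whole segments after "." and ".." are collapsed, and the names `matches_rule`, `audit` and `SAMPLE` are hypothetical.

```python
import posixpath
from urllib.parse import urlsplit

def _host(value):
    # Hostnames compare case-insensitively; ignore a trailing root dot.
    return (value or "").lower().rstrip(".")

def _path(value):
    # Assumption: collapse "." and ".." segments before comparing paths.
    return posixpath.normpath(value or "/")

def matches_rule(rule, request_url):
    """True if request_url is covered by one allowlist entry (modeled semantics)."""
    req = urlsplit(request_url)
    if "://" not in rule:
        # Domain entry: the domain itself or any subdomain, on a label boundary.
        domain, host = _host(rule), _host(req.hostname)
        return host == domain or host.endswith("." + domain)
    # URL entry: same scheme, same host, same path or a descendant path.
    want = urlsplit(rule)
    if req.scheme.lower() != want.scheme.lower():
        return False
    if _host(req.hostname) != _host(want.hostname):  # assumption: exact host
        return False
    base = _path(want.path).rstrip("/")
    path = _path(req.path)
    return path == base or path.startswith(base + "/")

def audit(rules, request_urls):
    """Map each request URL to whether any entry in rules would cover it."""
    return {u: any(matches_rule(r, u) for r in rules) for u in request_urls}

# Constructed sample requests, built from the examples in the list above.
SAMPLE = [
    "https://packages.contoso.corp/project-1/tags/latest",
    "https://packages.contoso.corp/project-2",
    "https://packages.contoso.corp/project-1/../project-2",
    "ftp://packages.contoso.corp",
    "https://artifacts.contoso.corp",
]

if __name__ == "__main__":
    rules = ["https://packages.contoso.corp/project-1/"]
    for url, ok in audit(rules, SAMPLE).items():
        print("ALLOW" if ok else "BLOCK", url)
```

Run it against the hosts your build actually contacts to see whether a narrow URL entry is enough or whether a domain entry is needed.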
Overwriting the recommended firewall allowlist
By default, the firewall allows access to a number of hosts that are commonly used to download dependencies or that {% data variables.product.prodname_copilot_short %} uses to interact with {% data variables.product.github %}.
To disable this, toggle the Recommended allowlist setting off.
To use the recommended allowlist in addition to your own allowlist, keep the Recommended allowlist setting on, and add your additional addresses on the Custom allowlist page.
Disabling the firewall
Warning
Disabling the firewall will allow {% data variables.product.prodname_copilot_short %} to connect to any host, increasing risks of exfiltration of code or other sensitive information.
The firewall is enabled by default. To disable the firewall, toggle the Enable firewall setting to off.
