Docker builds can fetch from any server on the internet. A compromised dependency could silently exfiltrate your build secrets.
buildcage prevents this. Define allowed domains, and everything else is blocked.
Your Dockerfiles stay the same — no proxy injection, no certificate changes. TLS is never intercepted.
Drop-in builder for Docker Buildx and GitHub Actions.
- Audit mode to discover dependencies
- Restrict mode to enforce your allowlist
- Self-hostable for full control

Open source.