Docker builds can fetch from any server on the internet. A compromised dependency could silently exfiltrate your build secrets. Buildcage prevents this. Define allowed domains, and everything else is blocked. Your Dockerfiles stay the same — no proxy injection, no certificate changes. TLS is never intercepted. Drop-in builder for Docker Buildx and GitHub Actions. - Audit mode to discover dependencies - Restrict mode to enforce your allowlist - Self-hostable for full control Open source.

getviktor.com — An AI coworker that actually does the work

An AI coworker that actually does the work

Hello Hunters,

I built Buildcage to solve a problem we kept running into at work: when you `RUN npm install` in a Dockerfile, that command can connect to anywhere on the internet, with no visibility into where it goes. A compromised package could exfiltrate build secrets or phone home to an attacker's server.

Buildcage restricts outbound network access during Docker builds. Define allowed domains, and everything else is blocked and logged. Your Dockerfiles stay exactly the same.

This is not a silver bullet. If a malicious package comes through a legitimate registry, Buildcage can't catch it. The way I think about it: Buildcage is a last line of defense. If something slips through all your other measures, at least it can't call home to an attacker's server.

The project is fully open source. You can fork it into your own GitHub org and build the image yourself — for a security tool, I think that matters.

I'd love to hear your thoughts — whether it's about the approach, the limitations, or how this fits into your own workflow!

getviktor.com — An AI coworker that actually does the work

An AI coworker that actually does the work

I'd love to hear your thoughts — whether it's about the approach, the limitations, or how this fits into your own workflow!

Buildcage

Restrict outbound access in Docker builds on GitHub Actions

Restrict outbound access in Docker builds on GitHub Actions