
Secure your Docker builds against supply chain attacks — restrict outbound network access to only the domains you allow

5 stars · JavaScript

Buildcage – Egress filtering for Docker builds (SNI-based, no MitM)

by dash14 · Mar 8, 2026 · 2 points · 0 comments

AI Analysis

●●● Banger · Solve My Problem · Niche Gem

SNI-based egress filtering for Docker without TLS termination—real supply-chain attack surface control.

Strengths
  • The SNI inspection approach preserves TLS integrity (no MitM, no cert injection): an elegant constraint that forces an honest solution.
  • Solves a concrete, painful problem: supply-chain attacks via compromised dependencies during builds.
  • Drop-in integration with Docker Buildx and GitHub Actions; audit and restrict modes fit real operational workflows.
Weaknesses
  • Still early (4 stars, recent redesign from nginx→HAProxy suggests rapid iteration); rule syntax stability unproven.
  • UDP/non-TCP protocols blocked entirely—may miss some attack vectors but also limits operational scope.
Target Audience

DevOps engineers, CI/CD operators handling sensitive builds, enterprise security teams

Similar To

Snyk · Chainguard · Wiz

Post Description

Hi HN,

I built Buildcage to solve a recurring problem at work: during Docker builds, tools like `npm install` and `pip install` can execute arbitrary code and make outbound connections to arbitrary hosts without visibility or control. A compromised dependency could silently exfiltrate build secrets or phone home to an attacker’s server — and you’d have no way to detect it.

Buildcage adds transparent outbound network control to Docker builds: you define which domains are allowed, and everything else is blocked and logged. No proxy injection, no certificate changes — HTTPS filtering is done via SNI inspection, so TLS stays untouched. It’s a drop-in layer for Docker Buildx and GitHub Actions.

I shared an earlier version about three weeks ago. Since then, I replaced the proxy layer (nginx → HAProxy), enabling interception of all TCP ports and adding IP allowlisting. I also redesigned the rule syntax to support wildcards, regex, and a unified host:port format.

Since Buildcage sits in your build pipeline, it’s reasonable to ask: how do you trust the tool itself? You can fork the repo and build the image yourself — I added a self-hosting guide for this. The docs also explicitly list what it defends against and what it can't prevent. Security tools should be honest about their limitations.

This is not a silver bullet — it's a last line of defense. If something slips through your other measures, at least it can't call home.

GitHub: https://github.com/dash14/buildcage

Feedback is very welcome. And if you find it useful, a GitHub star genuinely helps.
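
The SNI-based filtering described in the post, sketched as an added example that is not part of the original post and is not Buildcage's code: it reads the hostname from the cleartext TLS ClientHello without decrypting anything and checks it against a default-deny allowlist. The function names, the simplified `host:port` rule format with `*.` wildcards, and the sample ClientHello bytes are assumptions constructed for illustration; the parser assumes the ClientHello arrives in a single TLS record.

```javascript
// Added illustration: function names and the simplified "host:port" rule format
// are assumptions of this example, not Buildcage's implementation or rule syntax.
const u16 = (n) => Buffer.from([n >> 8, n & 0xff]);

// Constructed sample input: a minimal single-record ClientHello with ALPN, then SNI.
function buildClientHello(host) {
  const name = Buffer.from(host, 'ascii');
  const sni = Buffer.concat([u16(0), u16(name.length + 5), u16(name.length + 3),
    Buffer.from([0]), u16(name.length), name]);
  const alpn = Buffer.from([0x00, 0x10, 0x00, 0x05, 0x00, 0x03, 0x02, 0x68, 0x32]);
  const exts = Buffer.concat([alpn, sni]);
  const body = Buffer.concat([Buffer.from([0x03, 0x03]), Buffer.alloc(32, 0xab),
    Buffer.from([0]), u16(2), Buffer.from([0x13, 0x01]), Buffer.from([1, 0]),
    u16(exts.length), exts]);
  const hs = Buffer.concat([Buffer.from([0x01, 0x00]), u16(body.length), body]);
  return Buffer.concat([Buffer.from([0x16, 0x03, 0x01]), u16(hs.length), hs]);
}

// Read the server_name from the cleartext ClientHello; nothing is decrypted.
// Returns null for non-TLS, truncated, or SNI-less input.
function extractSni(buf) {
  try {
    if (buf[0] !== 0x16 || buf[5] !== 0x01) return null; // handshake record, ClientHello
    let p = 5 + 4 + 2 + 32;                  // record hdr, handshake hdr, version, random
    p += 1 + buf.readUInt8(p);               // session_id
    p += 2 + buf.readUInt16BE(p);            // cipher_suites
    p += 1 + buf.readUInt8(p);               // compression_methods
    const end = p + 2 + buf.readUInt16BE(p); // end of the extensions block
    for (p += 2; p + 4 <= end; p += 4 + buf.readUInt16BE(p + 2)) {
      if (buf.readUInt16BE(p) !== 0) continue;           // not the server_name extension
      const len = buf.readUInt16BE(p + 7);
      if (buf[p + 6] !== 0 || p + 9 + len > buf.length) return null;
      return buf.toString('ascii', p + 9, p + 9 + len).toLowerCase();
    }
  } catch (e) { /* out-of-range read: truncated or malformed hello */ }
  return null;
}

// Default deny: no SNI, an unlisted host, or a different port is blocked.
function isAllowed(host, port, rules) {
  if (host === null) return false;
  return rules.some((rule) => {
    const i = rule.lastIndexOf(':');
    const pattern = rule.slice(0, i);
    if (Number(rule.slice(i + 1)) !== port) return false;
    // "*.example.org" matches subdomains only; the leading dot keeps look-alike suffixes out.
    return pattern.startsWith('*.') ? host.endsWith(pattern.slice(1)) : host === pattern;
  });
}
```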
