Daily Firewall Report - 2026-03-28

[github-actions[bot]]

Firewall activity analysis for March 28, 2026 covering the past 7 days of agentic workflow runs. 40 firewall-enabled workflow runs across 35 unique workflows were analyzed. The overall block rate was 27.1%, driven almost entirely by a single workflow (Schema Consistency Checker) attempting to access proxy.golang.org — a legitimate Go module proxy that should be added to the allowlist. Excluding that outlier, the block rate drops to ~4%, which is within a healthy range.

📊 Key Metrics

Metric	Value
Workflows Analyzed	35 unique workflows, 40 runs
Total Network Requests	1,946
✅ Allowed Requests	1,419 (72.9%)
🚫 Blocked Requests	527 (27.1%)
Block Rate	27.1%
Unique Blocked Domains	7

📈 Firewall Activity Trends

Request Patterns

All firewall activity is concentrated on 2026-03-28. The spike in blocked requests (507) is almost entirely attributable to the Schema Consistency Checker workflow accessing proxy.golang.org 507 times — a legitimate Go build dependency that is not in the current allowlist. This indicates the workflow needs a network permission update, not a security concern.

Top Blocked Domains

The blocked domain landscape is dominated by proxy.golang.org. The remaining blocked domains represent AI service endpoints (chatgpt.com, ab.chatgpt.com) accessed by the Codex engine and legitimate cloud storage (storage.googleapis.com) accessed by the GPL Dependency Cleaner.

🚫 Top Blocked Domains

#	Domain	Total Blocks	Category	Workflows
1	proxy.golang.org	507	Go/Dev Tools	Schema Consistency Checker
2	ab.chatgpt.com	7	AI Services	Changeset Generator, Smoke Codex
3	storage.googleapis.com	4	Google/GCP	GPL Dependency Cleaner (gpclean)
4	chatgpt.com	4	AI Services	Changeset Generator, Smoke Codex
5	github.com	2	GitHub	Changeset Generator
6	api.github.com	2	GitHub	Changeset Generator
7	invalid.example.invalid	1	Test/Invalid	jsweep - JavaScript Unbloater

🛡️ Policy Rule Attribution

All analyzed runs use a consistent 7-rule policy (no SSL Bump, no DLP):

📋 Policy Configuration: 7 rules, SSL Bump disabled, DLP disabled

Rule	Action	Description
deny-unsafe-ports	🔴 deny	Deny requests to non-standard ports (only 80, 443 allowed)
deny-connect-unsafe-ports	🔴 deny	Deny CONNECT/HTTPS to unsafe ports
deny-raw-ipv4	🔴 deny	Deny raw IPv4 address access (bypass prevention)
deny-raw-ipv6	🔴 deny	Deny raw IPv6 address access (bypass prevention)
allow-both-plain	🟢 allow	Allow HTTP/HTTPS to listed domains
allow-both-regex	🟢 allow	Allow HTTP/HTTPS matching allowlist regex patterns
deny-default	🔴 deny	Default deny — all traffic not matching any allow rule

All blocked requests were caught by deny-default (traffic not matching any allow rule), which is the expected behavior. There are no safety-bypass attempts via raw IP addresses or unsafe ports detected.

View Detailed Request Patterns by Workflow

Schema Consistency Checker (1 run — run §23677407220)

Domain	Blocked	Allowed	Block Rate	Category
proxy.golang.org	507	0	100%	Go/Dev Tools

• Total requests: 565 | Allowed: 58 | Blocked: 507
• Root cause: The workflow performs Go module resolution which requires proxy.golang.org, but this domain is not in the allowlist.
• Action needed: Add proxy.golang.org (and optionally sum.golang.org) to the workflow's network.allowed list.

---

Changeset Generator (2 runs — §23683927149, §23684090945)

Domain	Blocked	Allowed	Block Rate	Category
ab.chatgpt.com	4	0	100%	AI Services
chatgpt.com	2	0	100%	AI Services
github.com	2	0	100%	GitHub
api.github.com	2	0	100%	GitHub

• Total requests: 40 | Allowed: 30 | Blocked: 10
• Note: github.com and api.github.com blocks in the Changeset Generator (Codex engine) suggest the workflow relies on direct GitHub API calls outside the GitHub MCP server. The AI service endpoints (chatgpt.com) indicate the Codex engine attempting to access its backend.

---

Smoke Codex (2 runs — §23683927184, §23684090980)

Domain	Blocked	Allowed	Block Rate	Category
ab.chatgpt.com	3	0	100%	AI Services
chatgpt.com	2	0	100%	AI Services

• Total requests: 35 | Allowed: 30 | Blocked: 5
• This is expected — Codex engine attempting to reach ChatGPT domains. These are blocked as per policy.

---

GPL Dependency Cleaner / gpclean (1 run — §23677733325)

Domain	Blocked	Allowed	Block Rate	Category
storage.googleapis.com	4	0	100%	Google/GCP

• Total requests: 43 | Allowed: 39 | Blocked: 4
• storage.googleapis.com is used for some npm/Go artifact downloads. May be a legitimate dependency.

---

jsweep - JavaScript Unbloater (1 run — §23677438752)

Domain	Blocked	Allowed	Block Rate	Category
invalid.example.invalid	1	0	100%	Test/Invalid

• Total requests: 48 | Allowed: 47 | Blocked: 1
• Test/invalid domain access — likely from a test fixture or malformed URL in analyzed code. Not a security concern.

View Complete Blocked Domains List (All 7 Unique Domains)

Domain	Total Blocks	Date First Seen	Workflows
ab.chatgpt.com	7	2026-03-28	Changeset Generator, Smoke Codex
api.github.com	2	2026-03-28	Changeset Generator
chatgpt.com	4	2026-03-28	Changeset Generator, Smoke Codex
github.com	2	2026-03-28	Changeset Generator
invalid.example.invalid	1	2026-03-28	jsweep - JavaScript Unbloater
proxy.golang.org	507	2026-03-28	Schema Consistency Checker
storage.googleapis.com	4	2026-03-28	GPL Dependency Cleaner (gpclean)

🔧 Security Recommendations

1. 🟡 Add proxy.golang.org to Schema Consistency Checker

Priority: High — The Schema Consistency Checker workflow made 507 blocked requests to proxy.golang.org. This is the official Go module proxy, used automatically by go commands for dependency resolution. This is the #1 source of blocked traffic and should be allowlisted.

Suggested fix in the workflow frontmatter:

network:
  allowed:
    - proxy.golang.org
    - sum.golang.org

2. 🟡 Review storage.googleapis.com in GPL Dependency Cleaner

Priority: Medium — storage.googleapis.com may be needed for Go module downloads or npm artifact retrieval. Investigate whether this domain is required and add it to the allowlist if so.

3. ✅ ChatGPT / OpenAI Domains — Expected Behavior

ab.chatgpt.com and chatgpt.com blocks in Changeset Generator and Smoke Codex are expected — the Codex engine attempts to reach its backend, which is correctly blocked by policy. No action needed.

4. ⚠️ GitHub API Blocks in Changeset Generator

github.com and api.github.com were blocked in Changeset Generator. If this workflow requires GitHub API access, it should use the GitHub MCP server (tools.github.toolsets: [default]) rather than direct HTTP calls. Using direct API calls bypasses authentication controls.

5. ✅ Policy Rules — No Unnecessary Rules

All 7 policy rules are actively in use. The deny-default rule is doing most of the work (catching unlisted domains), which is correct behavior. No rules need removal.

6. ✅ No Security Bypass Attempts Detected

Zero blocked requests via raw IPv4/IPv6 addresses or unsafe ports — no bypass attempts detected across all 40 runs.

---

References:

• §23677407220 — Schema Consistency Checker (507 blocked)
• §23683927149 — Changeset Generator run 1
• §23684090945 — Changeset Generator run 2

AI generated by Daily Firewall Logs Collector and Reporter · history

• expires on Mar 31, 2026, 11:51 AM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Daily Firewall Logs Collector and Reporter.

A newer discussion is available at Discussion #23441.