What Garnet Does

Garnet is a runtime egress firewall that monitors and blocks anomalous outbound network connections from your workloads.

Core Capability

Observes and controls outbound connections for any workload running on Linux runners or nodes. When your code runs—whether in CI/CD or production—Garnet:
  1. Monitors DNS queries and TCP/UDP connections via eBPF
  2. Correlates network activity with process and file lineage
  3. Baselines normal behavior per micro-context (e.g., specific workflow step)
  4. Detects unknown egress and surfaces it as Issues
  5. Blocks anomalous connections when Enforce mode is enabled

Where It Runs

GitHub Actions

Ubuntu-hosted runners and self-hosted Linux runners.

Protects your CI/CD pipelines from supply chain attacks and malicious dependencies.

Kubernetes

Linux nodes via Helm DaemonSet.

Node-level visibility into all pods and containers (namespace/pod-level coming soon).

What Gets Detected

Unknown Egress

Any outbound connection to a domain/IP not seen in your baseline for that micro-context.

Example: npm install during CI triggers a connection to malicious-npm-mirror.com.

Result: Issue created, PR comment posted, connection blocked (if Enforce enabled).
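
The unknown-egress check described above, sketched as an added example (not Garnet's own code or event schema): DNS answers are correlated with later connects, and each destination is compared against the baseline for its micro-context. The event fields, the context name and the IP addresses are constructed for illustration.

```python
# Illustrative sketch only: field names and values are assumptions, not Garnet's schema.
CTX = "ci/build/npm-install"  # hypothetical micro-context (one workflow step)
NPM = ["runner", "bash", "npm"]

# Baseline: destinations previously seen per micro-context.
BASELINE = {CTX: {"registry.npmjs.org", "github.com"}}

# Constructed sample telemetry (documentation-range IPs).
EVENTS = [
    {"type": "dns", "ctx": CTX, "name": "registry.npmjs.org",
     "ips": ["192.0.2.10"], "ancestry": NPM},
    {"type": "connect", "ctx": CTX, "ip": "192.0.2.10", "port": 443, "ancestry": NPM},
    {"type": "dns", "ctx": CTX, "name": "malicious-npm-mirror.com",
     "ips": ["198.51.100.7"], "ancestry": NPM + ["node"]},
    {"type": "connect", "ctx": CTX, "ip": "198.51.100.7", "port": 443,
     "ancestry": NPM + ["node"]},
    # Direct-to-IP connection with no preceding DNS lookup.
    {"type": "connect", "ctx": CTX, "ip": "203.0.113.5", "port": 8443,
     "ancestry": NPM + ["node", "sh"]},
]


def evaluate(events, baseline, enforce=False):
    """Return one issue per connect whose destination is outside the baseline."""
    ip_to_name = {}  # (context, ip) -> domain learned from DNS answers
    issues = []
    for ev in events:
        ctx = ev["ctx"]
        if ev["type"] == "dns":
            for ip in ev["ips"]:
                ip_to_name[(ctx, ip)] = ev["name"]
        elif ev["type"] == "connect":
            # Prefer the resolved name; fall back to the raw IP when no DNS was seen.
            dest = ip_to_name.get((ctx, ev["ip"]), ev["ip"])
            if dest not in baseline.get(ctx, set()):
                issues.append({
                    "ctx": ctx, "dest": dest, "port": ev["port"],
                    "process": " > ".join(ev["ancestry"]),
                    "action": "blocked" if enforce else "observed",
                })
    return issues


if __name__ == "__main__":
    for issue in evaluate(EVENTS, BASELINE, enforce=True):
        print(issue)
```

Keying the DNS correlation by micro-context means a name resolved in one workflow step does not vouch for a connection made in another.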

Anomalous Patterns

Unusual connection frequency, port usage, or process ancestry.

Example: A Python test suite spawns a process that connects to a crypto mining pool.

Telemetry Captured

Event Type    Details
DNS           Query name, response IPs, process ancestry
Connect       Destination IP/port, protocol, process/file lineage
Process       Command, args, parent chain, working directory
File          Read/write events correlated with network activity

All telemetry is node-scoped today. Namespace and pod-level context will be added in future releases.

Use Cases

Supply Chain Security

Detect malicious packages that phone home during npm install, pip install, or build steps.

Data Exfiltration Prevention

Block unexpected connections from production workloads to external endpoints.

Crypto Mining Detection

Identify and terminate processes connecting to mining pools.

Zero Trust Egress

Enforce “known-good” egress only—block everything else.

What Garnet Does NOT Do

Not a WAF or ingress firewall. Garnet only monitors outbound (egress) traffic.

Not pod-level yet. Current visibility is per-node; Kubernetes namespace/pod context is on the roadmap.

Not a SIEM. Garnet surfaces high-signal Issues, not raw logs.
