Get Garnet monitoring your workloads and protecting against malicious egress traffic.

What Garnet Does

Garnet is a runtime egress firewall that monitors and controls outbound network connections from your code.

Monitor Egress

Captures all outbound network connections from your workloads

Detect Threats

Identifies suspicious and malicious connection attempts

Auto-Block Attacks

Automatically blocks known malicious connections in real-time

Alert Your Team

Get notifications in Slack when threats are detected

How It Works

Your Code Runs → Jibril Agent Monitors Connections → Garnet Platform Analyzes Traffic → Malicious Activity Detected? → Connection Blocked + Alert Sent to Slack

Simple: Install the agent, and Garnet automatically protects your workloads from malicious outbound connections.

Prerequisites

Garnet supports GitHub Actions and Kubernetes. For GitHub Actions:
  • Runner: Ubuntu-hosted or self-hosted Linux
  • Access: Write access to .github/workflows/ and repository secrets
  • Network: Outbound HTTPS to api.garnet.ai
macOS and Windows runners are not supported. Garnet requires Linux eBPF capabilities.
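
A pre-flight check for the prerequisites above, as an added example that is not Garnet's own code: it verifies the runner OS, that the GARNET_API_TOKEN secret configured in Step 2 is actually populated, and that outbound HTTPS to api.garnet.ai works. The function names and the no-whitespace token rule are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks to run in a workflow step before the Garnet action.
# Function names are hypothetical; the checks mirror the Prerequisites list.

GARNET_API_HOST="api.garnet.ai"   # host named in the prerequisites

# Linux is required; macOS and Windows runners are not supported.
check_os() {            # $1 = kernel name, defaults to `uname -s`
  [ "${1:-$(uname -s)}" = "Linux" ]
}

# The token must be non-empty. GitHub does not pass repository secrets to
# pull_request runs from forks, so an empty value is a common failure there.
# Assumption: tokens never contain whitespace (catches paste errors).
check_token() {         # $1 = token value; never echoed
  case "$1" in
    "")            return 1 ;;
    *[[:space:]]*) return 1 ;;
  esac
  return 0
}

# Any HTTP response counts as success: this tests TLS reachability only,
# not whether the token is accepted.
check_egress() {        # $1 = host, $2 = timeout in seconds (default 10)
  curl --silent --show-error --output /dev/null --max-time "${2:-10}" "https://$1/"
}

# Runs all checks, prints one line per failure to stderr, and returns the
# number of failed checks (0 = ready).
garnet_preflight() {    # $1 = kernel name ("" = detect), $2 = token, $3 = "skip-net" (optional)
  _failures=0
  check_os "$1" || {
    echo "FAIL: runner is not Linux (got: ${1:-$(uname -s)})" >&2
    _failures=$((_failures + 1)); }
  check_token "$2" || {
    echo "FAIL: GARNET_API_TOKEN is empty or contains whitespace" >&2
    _failures=$((_failures + 1)); }
  if [ "${3:-}" != "skip-net" ]; then
    check_egress "$GARNET_API_HOST" || {
      echo "FAIL: no outbound HTTPS to $GARNET_API_HOST" >&2
      _failures=$((_failures + 1)); }
  fi
  return "$_failures"
}

# In a workflow step:  garnet_preflight "" "$GARNET_API_TOKEN"
```

Run it in a step that receives GARNET_API_TOKEN through env, placed before the Garnet action, so a misconfigured runner fails with a specific message.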

Step 1: Get API Token

  1. Sign in to Dashboard: Navigate to dashboard.garnet.ai and sign in.
  2. Generate Token: Go to Settings → API Tokens and click Create Token.
  3. Copy Token: Copy the token immediately; it won’t be shown again.

Step 2: Install Garnet Agent

GitHub Actions

Add Repository Secret

  1. Go to your GitHub repo → Settings → Secrets and variables → Actions
  2. Click New repository secret
  3. Name: GARNET_API_TOKEN
  4. Value: Paste your API token from Step 1
  5. Click Add secret

Add Garnet Action to Workflow

Create or update .github/workflows/ci.yml:
name: CI with Garnet

on: [push, pull_request]

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # Start Garnet monitoring
      - name: Start Garnet
        uses: garnet-labs/garnet-action@v1
        env:
          GARNET_API_TOKEN: ${{ secrets.GARNET_API_TOKEN }}

      # Your existing build steps
      - name: Install dependencies
        run: npm install

      - name: Run tests
        run: npm test

      - name: Build
        run: npm run build
Add the Garnet action before your build steps to monitor all network activity.

Verify Installation

Push a commit to trigger the workflow. In the logs, you should see:
✓ Garnet agent started
✓ Connected to Garnet Platform

Step 3: View Detections

Once the agent is running, Garnet automatically monitors all outbound connections.
  1. Open Dashboard
  2. View Security Events: You’ll see any detected threats or suspicious activity here. Each detection shows:
       • Destination: The domain/IP that was contacted
       • Process: What triggered the connection
       • Verdict: Allowed, Blocked, or Flagged for review
  3. Review Details: Click any issue to see full details including the process chain and connection metadata.

[Figure: Issue detail view showing detected egress event]

Step 4: Configure Slack Alerts

Get real-time notifications in Slack when Garnet detects threats.
  1. Open Slack Settings: In the dashboard, go to Settings → Integrations → Slack
  2. Connect Slack: Click Connect Slack and authorize Garnet for your workspace
  3. Choose Channel: Select the channel where you want alerts posted (e.g., #security-alerts)
  4. Configure Alert Types: Choose which events trigger notifications:
       • Critical: Known malicious activity (recommended)
       • High: Suspicious patterns
       • All: Every detected anomaly
  5. Test Alert: Click Send Test Alert to verify your Slack integration is working

Tip: Start with “Critical” alerts only to avoid noise, then adjust based on your needs.

How Protection Works

Automatic Threat Blocking

Garnet automatically blocks connections to:
  • Known malicious IPs/domains - Based on threat intelligence feeds
  • Crypto miners - Detects and blocks cryptocurrency mining attempts
  • C2 servers - Blocks command & control callback attempts
  • Data exfiltration - Stops unauthorized data transfers

Real-Time Detection

Garnet monitors for suspicious patterns:
  • Unexpected connections during build/install steps
  • Connections to newly registered domains
  • Unusual DNS queries
  • Supply chain attack indicators

Alerts & Response

When a threat is detected:
  1. Connection is blocked (if known malicious)
  2. Alert is created in the dashboard
  3. Slack notification sent (if configured)
  4. Process details captured for investigation

Enable GitHub PR Comments (Optional)

For GitHub Actions users: Get automatic PR comments when threats are detected.

Add Workflow Permission

Update your workflow to include pull-requests: write:
name: CI with Garnet

on: [push, pull_request]

permissions:
  contents: read        # Needed by actions/checkout; scopes not listed here default to none
  pull-requests: write  # Required for PR comments

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: garnet-labs/garnet-action@v1
        env:
          GARNET_API_TOKEN: ${{ secrets.GARNET_API_TOKEN }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # Your build steps...
Now security detections will appear as PR comments automatically.

Troubleshooting

Check:
  • API token is correct in your secret/env var
  • Outbound HTTPS to api.garnet.ai is allowed
  • Agent logs show no errors
GitHub Actions: Review workflow run logs for the Garnet action step
Kubernetes: Run kubectl logs -l app=jibril -n garnet --tail=100

This is normal if:
  • Your workloads aren’t making suspicious connections
  • All connections are to legitimate services
Garnet only creates alerts for suspicious or malicious activity.

Common causes:
  • Missing or invalid GARNET_API_TOKEN secret
  • Runner is not Ubuntu/Linux
  • Network connectivity issues
Fix: Verify secret exists and regenerate token if needed

Check: Node resources and security policies
kubectl describe pod -n garnet
kubectl get events -n garnet --sort-by='.lastTimestamp'
Common causes:
  • Insufficient node resources
  • Pod Security Policy blocking privileged pods
Fix: Adjust resource requests or security policies

Check:
  • Slack app is authorized for your workspace
  • Channel exists and Garnet bot is invited
  • Alert threshold is configured correctly
Fix: Disconnect and reconnect Slack integration, send test alert

Get Help

Need assistance? We’re here to help: