[daily-firewall-report] Daily Firewall Report - 2026-04-13

[github-actions[bot]]

Executive Summary

This report covers firewall activity across all agentic workflows in the github/gh-aw repository for 2026-04-13. A total of 49 workflows were analyzed across 54 runs, monitoring 1,958 network requests. Of those, 218 were blocked (11.1% block rate), spanning 6 unique blocked domains (or domain categories). The dominant pattern is a large volume of requests blocked under the catch-all (unresolved / ephemeral) category (-), suggesting workflows making connection attempts to unresolvable or internal addresses. A small number of named domains (ChatGPT, Google Source, an invalid test domain) were also blocked, indicating appropriate enforcement of network policies.

⚠️ Note: Only 1 day of data is available (2026-04-13). Historical trend data will grow as this report is run regularly.

---

Key Metrics

Metric	Value
📅 Report Date	2026-04-13
🔬 Workflows Analyzed	49
🏃 Total Runs	54
🌐 Total Network Requests	1,958
✅ Allowed Requests	1,740 (88.9%)
🚫 Blocked Requests	218 (11.1%)
🔒 Unique Blocked Domains	6
🟢 Workflows with 0 Blocks	36
🔴 Workflows with Blocks	13

---

Top Blocked Domains

#	Domain	Blocked Count	Category	Workflows Affected
1	(unresolved / ephemeral) -	204	Connection Anomaly	Daily Syntax Error Quality Check, Daily Community Attribution Updater, Daily CLI Tools Exploratory Tester, Architecture Diagram Generator, Daily CLI Performance Agent, Daily MCP Tool Concurrency Analysis, Documentation Unbloat, Glossary Maintainer
2	ab.chatgpt.com:443	5	AI Services (Blocked)	Schema Feature Coverage Checker, AI Moderator
3	chatgpt.com:443	3	AI Services (Blocked)	Schema Feature Coverage Checker, AI Moderator
4	go.googlesource.com:443	3	Development (Source Control)	Dependabot Dependency Checker
5	invalid.example.invalid:443	2	Test/Sentinel Domain	CI Cleaner, jsweep - JavaScript Unbloater
6	proxy.golang.org:443	1	Development (Go Modules)	Schema Feature Coverage Checker

Note on (-) domain: The - entry represents requests where the destination hostname was not resolved or logged — typically ephemeral tunnel connections, failed DNS lookups, or squid's internal state. These are blocked by policy and are not a security concern by themselves, but high volumes may indicate workflows trying to access resources not in their allowlist.

---

📈 Firewall Activity Trends

Request Patterns

📎 Chart: Firewall Request Trends — available in the workflow run artifacts

The firewall processed 1,958 requests today with an 11.1% block rate. The majority of blocked traffic (204 of 218 blocks, or 93.6%) falls under the unresolved/ephemeral category, which is expected in agentic workflows that may probe connections or encounter DNS failures. Legitimate AI API traffic (Anthropic, GitHub Copilot, OpenAI) was consistently allowed.

Top Blocked Domains

📎 Chart: Blocked Domains Frequency — available in the workflow run artifacts

The clearest actionable signal comes from chatgpt.com and ab.chatgpt.com being blocked in the AI Moderator and Schema Feature Coverage Checker workflows. These workflows appear to be attempting access to ChatGPT endpoints, which are outside their configured allowlists. The go.googlesource.com block in Dependabot Dependency Checker may indicate a legitimate Go dependency fetch path that could be added to the allowlist.

---

View Detailed Request Patterns by Workflow

Workflow: Daily Syntax Error Quality Check (1 run analyzed)

Domain	Blocked	Allowed	Block Rate	Category
(unresolved) -	63	0	100%	Connection Anomaly
api.githubcopilot.com:443	0	85	0%	AI Services

• Total blocked requests: 63 / 148 (42.6%)
• Note: High block rate from unresolved connections — may indicate workflow trying to access external tools not on allowlist

---

Workflow: Daily Community Attribution Updater (1 run analyzed)

Domain	Blocked	Allowed	Block Rate	Category
(unresolved) -	49	0	100%	Connection Anomaly
api.githubcopilot.com:443	0	65	0%	AI Services

• Total blocked requests: 49 / 114 (43.0%)

---

Workflow: Daily CLI Tools Exploratory Tester (1 run analyzed)

Domain	Blocked	Allowed	Block Rate	Category
(unresolved) -	31	0	100%	Connection Anomaly
api.githubcopilot.com:443	0	25	0%	AI Services

• Total blocked requests: 31 / 56 (55.4%)

---

Workflow: Architecture Diagram Generator (1 run analyzed)

Domain	Blocked	Allowed	Block Rate	Category
(unresolved) -	26	0	100%	Connection Anomaly
api.githubcopilot.com:443	0	27	0%	AI Services
github.com:443	0	2	0%	Development

• Total blocked requests: 26 / 55 (47.3%)

---

Workflow: Daily CLI Performance Agent (1 run analyzed)

Domain	Blocked	Allowed	Block Rate	Category
(unresolved) -	17	0	100%	Connection Anomaly
api.githubcopilot.com:443	0	19	0%	AI Services

• Total blocked requests: 17 / 36 (47.2%)

---

Workflow: Daily MCP Tool Concurrency Analysis (1 run analyzed)

Domain	Blocked	Allowed	Block Rate	Category
(unresolved) -	16	0	100%	Connection Anomaly
api.githubcopilot.com:443	0	21	0%	AI Services

• Total blocked requests: 16 / 37 (43.2%)

---

Workflow: Schema Feature Coverage Checker (1 run, failed)

Domain	Blocked	Allowed	Block Rate	Category
chatgpt.com:443	3	0	100%	AI Services (Blocked)
ab.chatgpt.com:443	2	0	100%	AI Services (Blocked)
proxy.golang.org:443	1	0	—	Go Modules
api.openai.com:443	0	3	0%	AI Services
github.com:443	0	0	—	Development

• Total blocked requests: 5 / 8 (62.5%) — highest block rate across all workflows
• Run failed — likely related to blocked domain access

---

Workflow: Dependabot Dependency Checker (1 run analyzed)

Domain	Blocked	Allowed	Block Rate	Category
go.googlesource.com:443	3	0	100%	Source Control
api.githubcopilot.com:443	0	allowed	0%	AI Services
github.com:443	0	allowed	0%	Development
pkg.go.dev:443	0	allowed	0%	Go Registry
proxy.golang.org:443	0	allowed	0%	Go Modules
registry.npmjs.org:443	0	allowed	0%	npm
storage.googleapis.com:443	0	allowed	0%	CDN
sum.golang.org:443	0	allowed	0%	Go Checksums

• Total blocked requests: 3 / 35 (8.6%)
• go.googlesource.com is a legitimate Go module source — consider allowlisting

---

Workflow: AI Moderator (2 runs analyzed)

Domain	Blocked	Allowed	Block Rate	Category
chatgpt.com:443	1–2	0	100%	AI Services (Blocked)
ab.chatgpt.com:443	1–2	0	100%	AI Services (Blocked)
api.openai.com:443	0	allowed	0%	AI Services
github.com:443	0	allowed	0%	Development

• Total blocked: 2 / 5 (40.0%)
• Accessing ChatGPT browser domains while only api.openai.com is whitelisted

---

Workflow: CI Cleaner (1 run, failed)

Domain	Blocked	Allowed	Block Rate	Category
invalid.example.invalid:443	1	0	100%	Sentinel/Test Domain

• Total blocked: 1 / 54 (1.9%)
• invalid.example.invalid is a sentinel domain used in network policy validation tests — expected behavior

---

Workflow: Documentation Unbloat (1 run analyzed)

Domain	Blocked	Allowed	Block Rate	Category
(unresolved) -	1	0	100%	Connection Anomaly
api.anthropic.com:443	0	57	0%	AI Services

• Total blocked: 1 / 58 (1.7%)

---

Workflow: Glossary Maintainer (1 run analyzed)

Domain	Blocked	Allowed	Block Rate	Category
(unresolved) -	1	0	100%	Connection Anomaly
api.githubcopilot.com:443	0	allowed	0%	AI Services
github.com:443	0	allowed	0%	Development
registry.npmjs.org:443	0	allowed	0%	npm

• Total blocked: 1 / 84 (1.2%)

---

Workflow: jsweep - JavaScript Unbloater (1 run analyzed)

Domain	Blocked	Allowed	Block Rate	Category
invalid.example.invalid:443	1	0	100%	Sentinel/Test Domain
api.githubcopilot.com:443	0	allowed	0%	AI Services
github.com:443	0	allowed	0%	Development

• Total blocked: 1 / 38 (2.6%)
• invalid.example.invalid sentinel domain — expected behavior

---

View Complete Blocked Domains List

All unique blocked domains observed (alphabetically sorted):

Domain	Total Blocks	Workflows
- (unresolved/ephemeral)	204	Daily Syntax Error Quality Check, Daily Community Attribution Updater, Daily CLI Tools Exploratory Tester, Architecture Diagram Generator, Daily CLI Performance Agent, Daily MCP Tool Concurrency Analysis, Documentation Unbloat, Glossary Maintainer
ab.chatgpt.com:443	5	Schema Feature Coverage Checker, AI Moderator
chatgpt.com:443	3	Schema Feature Coverage Checker, AI Moderator
go.googlesource.com:443	3	Dependabot Dependency Checker
invalid.example.invalid:443	2	CI Cleaner, jsweep - JavaScript Unbloater
proxy.golang.org:443	1	Schema Feature Coverage Checker

---

Security Recommendations

1. 🔧 Consider allowlisting go.googlesource.com in Dependabot Dependency Checker
The Go toolchain sometimes fetches module source from go.googlesource.com as an alternative mirror. Adding it to the allowlist alongside proxy.golang.org and sum.golang.org would reduce false blocks.

2. 🚨 Investigate ChatGPT domain access in AI Moderator and Schema Feature Coverage Checker
Both workflows are attempting to connect to chatgpt.com and ab.chatgpt.com (ChatGPT browser-facing endpoints), while only api.openai.com is allowlisted. These runs should be investigated:

• If the workflow intends to use the ChatGPT API, it should use api.openai.com directly (already allowed).
• If these attempts are caused by a browser automation or redirection, the workflow may need to be updated to avoid browser-initiated connections to ChatGPT.

3. 📊 High unresolved connection rates in exploratory workflows
Several workflows (Daily CLI Tools Exploratory Tester at 55.4%, Architecture Diagram Generator at 47.3%, Daily CLI Performance Agent at 47.2%) have high rates of unresolved - blocks. These workflows may be:

• Running tools that probe multiple endpoints
• Having their AI agent attempt to access tools not in the allowlist
• Experiencing DNS resolution failures for allowed domains

Consider reviewing the prompts/configurations for these workflows to reduce wasted connection attempts.

4. ✅ Sentinel domain blocks are expected
Blocks on invalid.example.invalid:443 in CI Cleaner and jsweep are expected behavior — these are deliberate test domain probes used to validate firewall policy enforcement is working correctly.

5. 🔍 Schema Feature Coverage Checker needs investigation
This workflow had the highest block rate (62.5%) and its run failed. The blocked proxy.golang.org access (which is normally allowed in other workflows) and ChatGPT domain attempts suggest a misconfiguration in the workflow's network policy or an unintended dependency on external services.

---

References:

• §24341961220 — This report's workflow run

Generated by Daily Firewall Logs Collector and Reporter · ● 2M · ◷

• expires on Apr 16, 2026, 12:06 PM UTC

[github-actions[bot]]

This discussion has been marked as outdated by Daily Firewall Logs Collector and Reporter.

A newer discussion is available at Discussion #26205.