Skip to content

Enforce AWF firewall on MCP sibling containers to prevent docker exec bypass #10329

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
Copilot wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

Enforce AWF firewall on MCP sibling containers to prevent docker exec bypass #10329

Copilot wants to merge 3 commits into from

Conversation

Copy link
Contributor

Copilot AI commented Jan 16, 2026
edited
Loading

MCP Gateway spawns sibling containers (safe-outputs, etc.) via Docker socket without inheriting proxy settings from AWF, allowing unrestricted network access via docker exec.

Changes

MCP Gateway container (pkg/workflow/mcp_servers.go)

  • Pass proxy environment variables (HTTP_PROXY, HTTPS_PROXY, http_proxy, https_proxy, NO_PROXY, no_proxy) to gateway container via -e flags

Safe-outputs container config (pkg/workflow/mcp-config.go, pkg/workflow/mcp_renderer.go)

  • Add proxy variables to container env configuration (JSON format for Copilot/Claude)
  • Add proxy variables to env_vars list (TOML format for Codex)

Flow

AWF agent container (has proxy vars via --env-all)
  ↓ docker run -e HTTP_PROXY ...
MCP Gateway container (receives proxy vars)
  ↓ env: { "HTTP_PROXY": "${HTTP_PROXY}" }
Safe-outputs sibling container (inherits proxy vars)

Commands executed inside safe-outputs container now respect firewall rules, including those run via docker exec.

Related: githubnext/gh-aw-firewall#130

Original prompt

This section details on the original issue you should resolve

<issue_title>[deep-report] Harden AWF firewall: enforce proxy/iptables on safe-outputs container to block docker exec escape</issue_title>
<issue_description>Description
Firewall escape testing confirmed that docker exec into the safe-outputs node:lts-alpine container allows unrestricted outbound access (example.com/google.com), bypassing AWF firewall rules. Apply proxy env vars and firewall rules to sibling containers (safe-outputs/MCP) or segment networks to ensure all containers enforce the same egress policy.

Expected Impact
Closes a critical firewall bypass vector and restores network policy enforcement across all AWF containers.

Suggested Agent
The Great Escapi or Workflow Health Manager

Estimated Effort
Medium (1-4 hours)

Data Source
DeepReport Intelligence Briefing 2026-01-16 (run 21071073449); discussion #10180

AI generated by DeepReport - Intelligence Gathering Agent

Comments on the Issue (you are @copilot in this section)

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

Copilot AI and others added 2 commits January 16, 2026 16:02
@mnkiefer
Initial plan for hardening AWF firewall on safe-outputs container
4561982 
Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
@mnkiefer
Add proxy environment variables to MCP Gateway and safe-outputs conta…
85a2b3e 
…iner

- Pass HTTP_PROXY, HTTPS_PROXY, http_proxy, https_proxy, NO_PROXY, no_proxy to MCP Gateway container
- Pass same proxy vars to safe-outputs MCP server container (JSON and TOML formats)
- Ensures firewall rules apply to sibling containers spawned by MCP Gateway
- Closes critical firewall bypass vector via docker exec into safe-outputs container

Fixes githubnext/gh-aw-firewall#130

Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
Copilot AI changed the title [WIP] Harden AWF firewall to enforce proxy rules on safe-outputs container Enforce AWF firewall on MCP sibling containers to prevent docker exec bypass Jan 16, 2026
Copilot AI requested a review from mnkiefer January 16, 2026 16:17
@pelikhan
Copy link
Contributor

pelikhan commented Jan 18, 2026

@Mossaka needed?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mnkiefer mnkiefer Awaiting requested review from mnkiefer

Assignees

@mnkiefer mnkiefer

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[deep-report] Harden AWF firewall: enforce proxy/iptables on safe-outputs container to block docker exec escape

3 participants

@pelikhan @mnkiefer