How to restrict network connections to explicitly allowed endpoints

You can restrict network connections to explicitly allowed endpoints using two approaches:

• Job-Level Restrictions

• Cluster-Level Restrictions

Job-Level Block Policy

There are two ways to enforce network restrictions at the job level:

1. Manual Workflow File Updates

2. Using Policy Store

1. Manual Workflow File Updates

This approach does not require access to the StepSecurity backend. All configurations live within the workflow file itself, allowing you to maintain your existing change management processes and developer workflows.

Follow this interactive demo to see how to restrict network connections using job level block policy:

2. Using Policy Store

Use the Policy Store if:

• You don’t want endpoint definitions cluttering your workflow files

• When you want to apply the same policy across multiple workflows, repositories, or your entire organization

This method centralizes policy management and promotes reuse, consistency, and maintainability across your organization.

Follow this interactive demo to see how to restrict network connections using policy store:

Cluster-Level Block Policy

When deploying ARC Harden-Runner, you can enforce network restrictions at the cluster level using the reserve Helm parameter.

By specifying a list of allowed endpoints:

• An egress policy is applied automatically

• The policy is enforced for all GitHub Actions runs on the cluster

• No changes are required in your workflow files