DEV.co
Open-Source Security · luckyPipewrench

pipelock

Pipelock is an open-source AI agent firewall that inspects HTTP, WebSocket, MCP, and A2A traffic for secret exfiltration, SSRF, and prompt injection. It sits inline between agents and the network, blocks threats, and generates cryptographically signed audit receipts that prove content-aware security decisions.

Source: GitHub — github.com/luckyPipewrench/pipelock
742
GitHub stars
87
Forks
Go
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
RepositoryluckyPipewrench/pipelock
OwnerluckyPipewrench
Primary languageGo
LicenseApache-2.0 — OSI-approved
Stars742
Forks87
Open issues9
Latest releasev3.0.0 (2026-06-23)
Last updated2026-07-08
Sourcehttps://github.com/luckyPipewrench/pipelock

What pipelock is

Written in Go, Pipelock implements an 11-layer URL scanner (DLP patterns, entropy analysis, DNS rebinding prevention), bidirectional MCP scanning with 65 credential patterns and 29 injection patterns (6-pass normalization), process sandboxing via Landlock/seccomp on Linux and sandbox-exec on macOS, and mediator-signed action receipts for verifiable egress control (VEC).

Quickstart

Get the pipelock source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/luckyPipewrench/pipelock.gitcd pipelock# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Securing AI agent egress in multi-tenant or untrusted agent environments

Deploy as a transparent proxy or MCP wrapper to enforce network boundaries, prevent credential exfiltration (API keys, tokens, seeds), and generate signed audit evidence that persists outside the agent runtime for compliance and incident investigation.

DLP and prompt-injection defense for IDE-integrated AI agents

Protect IDE plugins and LLM-powered development tools (Claude Code, Cline, Cursor) from leaking secrets or accepting malicious responses; works with VS Code, JetBrains, Zed, and OpenCode via proxy or MCP interception.

Verifiable egress control and compliance attestation

Generate cryptographically signed action receipts for every network boundary crossing; third-party verifiers can audit what traffic was allowed/blocked without trusting the agent or vendor, meeting auditability requirements for regulated workloads.

Implementation considerations

  • Decide deployment topology: transparent proxy (network routing), MCP wrapper (`pipelock mcp proxy`), or `pipelock sandbox` CLI wrapping. Each has different setup cost and coverage.
  • Review and customize the 65 built-in DLP credential patterns and 29 prompt-injection patterns; false positives (blocking legitimate URLs with substrings matching patterns) may require tuning per environment.
  • On Linux, Landlock + seccomp sandboxing requires kernel support (Linux 6.2+); verify kernel version and LSM availability in production. Use `--best-effort` mode in containers if namespace creation is restricted.
  • Process receipts asynchronously; signed action receipts are emitted but receipt verification and off-chain audit log ingestion must be implemented by the consumer (not bundled in the core project).
  • Plan for rule and pattern updates; 65 credential patterns and injection defenses will require periodic review and refresh as threats evolve; no automatic update mechanism is mentioned in the data.

When to avoid it — and what to weigh

  • You need pre-built, production-grade enterprise support contracts — Apache 2.0 core is free-to-use but unsupported; enterprise ELv2 tier exists (not clearly detailed in README) but commercial SLA/support terms are not published in the data provided. Requires review with the maintainers.
  • Your agents run on non-Linux/non-macOS systems without proxy routing capability — Sandboxing relies on Landlock LSM and seccomp (Linux) or sandbox-exec (macOS); Windows and BSD support is not mentioned. Container-mode `--best-effort` falls back to proxy-only routing without kernel enforcement.
  • You require zero operational overhead or zero configuration — Pipelock requires setup (pipelock init), inline proxy/MCP wrapper deployment, configuration management, and periodic rule/pattern updates. `pipelock check` is easy, but production deployment demands architecture review.
  • Your threat model excludes supply-chain or runtime-agnostic agent compromise — Pipelock mediates egress traffic but does not prevent agent compromise at build time, dependency injection, or model-level instruction injection before the agent is deployed. It is a boundary control, not a full agent hardening solution.

License & commercial use

Apache-2.0 (Apache License 2.0) for core; Enterprise tier uses ELv2 (Elastic License v2). Apache 2.0 is a permissive OSI license allowing commercial use, modification, and distribution with attribution and liability disclaimer. ELv2 is source-available but not OSI-approved; commercial terms and restrictions are not detailed in the data provided.

Core Apache-2.0 permits commercial use without explicit vendor approval, but enterprise features and commercial support are behind ELv2, which is not OSI-approved and imposes use restrictions. Before relying on ELv2 features or integrations for revenue-generating products, obtain a signed license agreement from the maintainers. Unknown whether ELv2 sublicensing or derivative distribution is permitted for proprietary deployments.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityNeeds review
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Pipelock implements defense-in-depth (DLP pattern matching, entropy analysis, SSRF/DNS-rebinding prevention, prompt-injection normalization) and assumes trust in the mediator and cryptographic signature scheme for receipts. Threat coverage: exfiltration (65 patterns), SSRF (via allowlists/denylist + DNS rebinding checks), prompt injection (29 patterns, 6-pass normalization). Not covered: agent compromise before network mediation, supply-chain poisoning, model-level jailbreaks, or timing/side-channel attacks. Kernel-level sandbox (Landlock/seccomp) enforcement relies on OS kernel; privilege escalation in kernel or agent process privilege at invocation time are out of scope. Receipt signatures use an unspecified cryptographic primitive (verify against action-receipt spec at pipelab.org). No formal security audit results are provided in the data.

Alternatives to consider

Anthropic Workbench (proprietary)

Vendor-native isolation and egress control for Claude-based agents; tightly integrated but closed-source and limited to Anthropic's ecosystem.

OpenWrt/pfSense + custom DLP rules

Network-layer filtering and DLP via custom rules; very low level and requires significant operational expertise; no signed attestation or prompt-injection defense.

Zork (proprietary agent sandbox, if available)

Specialized agent sandboxing; unknown feature parity, maintenance status, and licensing; likely not open-source.

Software development agency

Build on pipelock with DEV.co software developers

Start with `pipelock init` to discover your agent config and test detections in minutes. Review docs and join the community on GitHub to deploy signed egress control.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

pipelock FAQ

Does Pipelock prevent all secret exfiltration?
Pipelock scans URLs and payloads against 65 credential patterns (API keys, tokens, seeds, financial IDs) and runs pattern matching before DNS resolution. However, encoded exfiltration (custom encoding not in the 29 injection patterns), side-channel attacks, or timing-based covert channels are not addressed. Pipelock is a defense-in-depth control, not a guarantee.
Can I use Pipelock without modifying my agent code?
Yes, via transparent proxy routing (`pipelock sandbox` wraps a process) or MCP server wrapping (`pipelock mcp proxy`). No agent code changes are needed, but deployment topology and network configuration must change.
What happens if Pipelock blocks a legitimate request?
A request is logged and blocked based on URL scanner rules. Review the rule that triggered (DLP pattern, entropy, SSRF, domain blocklist) and adjust allowlists or pattern exclusions in the config. No built-in bypass or interactive approval flow is mentioned in the data.
Is Pipelock suitable for production compliance workloads?
Apache-2.0 core is production-ready (CI/security badges, OpenSSF Silver), but compliance requirements (support SLA, audit trails, formal security audit, commercial liability) depend on enterprise ELv2 licensing and vendor agreements. Requires legal review before use in regulated environments.

Software developers & web developers for hire

Adopting pipelock is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.

Secure Your AI Agent Egress Today

Start with `pipelock init` to discover your agent config and test detections in minutes. Review docs and join the community on GitHub to deploy signed egress control.