Pipelock Launches as Open-Source Firewall for AI Agents
A new open-source security tool called Pipelock has been released to provide a network-level firewall for AI coding agents, preventing unauthorized data exfiltration and credential theft.

AI coding agents, which often operate with shell access and access to sensitive environment variables, represent a significant security risk. Because these agents frequently possess unrestricted internet connectivity, a single compromised tool call can lead to the exfiltration of API keys and other credentials to attacker-controlled domains. To mitigate this, developer Joshua Waldrep has released Pipelock, an open-source security harness designed to act as a firewall specifically for AI agents (Help Net Security).
Pipelock functions as a single Go binary, approximately 20 megabytes in size, that sits outside the agent process at the egress boundary. By utilizing capability separation, the agent process is restricted from direct network access, while the Pipelock proxy manages network traffic without having access to the agent's secrets. This architecture relies on deployment-level controls, such as Docker internal networks, Kubernetes NetworkPolicy, or iptables, to enforce isolation, ensuring that a compromised or poisoned agent cannot bypass the security layer (Help Net Security).
The core of the system is an 11-layer scanner pipeline that inspects all traffic flowing through the proxy. This pipeline includes protections against SSRF, path traversal, and CRLF injection, alongside domain blocklisting and rate limiting. The system's Data Loss Prevention (DLP) layer is capable of identifying 48 different credential patterns, including cryptocurrency private keys and API tokens, using checksum validators to minimize false positives. Furthermore, the system employs encoding-aware decoding to detect attempts at obfuscation, such as base64 or Unicode evasion (Help Net Security).
Pipelock is designed to fail closed, meaning that any traffic that results in parse errors, timeouts, or contains unscannable compressed content is automatically blocked. The proxy supports a wide range of protocols, including HTTP forward proxy traffic, WebSocket frames, and the Model Context Protocol (MCP). To ensure accountability, the tool generates audit logs that are hash-chained and tamper-evident, with optional Ed25519 signatures, and produces CycloneDX 1.6 agent bills of materials (Help Net Security).
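
The hash chaining described above, shown as an added Go example that is not Pipelock's code or log format: the `Entry` fields and the SHA-256-over-JSON digest are assumptions chosen for illustration, and the events are constructed. `Verify` reports the first entry at which the chain breaks.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Entry is a hypothetical audit record; the field names are assumptions, not Pipelock's schema.
type Entry struct {
	Seq            int
	Event          string
	PrevHash, Hash string
}

// digest binds an entry's sequence number and event to the previous entry's hash.
func digest(seq int, event, prev string) string {
	b, _ := json.Marshal([]interface{}{seq, event, prev})
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Append links a new event to the tail of the chain.
func Append(log []Entry, event string) []Entry {
	prev := ""
	if len(log) > 0 {
		prev = log[len(log)-1].Hash
	}
	return append(log, Entry{len(log), event, prev, digest(len(log), event, prev)})
}

// Verify returns the index of the first entry that breaks the chain, or -1 if it is intact.
func Verify(log []Entry) int {
	prev := ""
	for i, e := range log {
		if e.Seq != i || e.PrevHash != prev || e.Hash != digest(e.Seq, e.Event, e.PrevHash) {
			return i
		}
		prev = e.Hash
	}
	return -1
}

func main() {
	log := Append(Append(nil, "allow GET api.example.test"), "block dlp-match")
	log[0].Event = "edited" // constructed tampering with a stored record
	fmt.Println("first broken entry:", Verify(log))
}
```

A chain alone does not reveal removal of the newest entries; that requires anchoring the latest hash outside the log, for example with a signature over it.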
The project aims to establish a standard for agent attestation. Pipelock provides compliance mappings for frameworks including the OWASP Agentic AI Top 10, the EU AI Act, and NIST 800-53, with SARIF v2.1.0 output for integration into GitHub Code Scanning. Waldrep intends for the signed evidence format to become public infrastructure, encouraging other vendors and open-source projects to adopt the format for independent validation of agent behavior (Help Net Security).
As AI agents become more deeply integrated into development workflows, the need for robust, non-cooperative security controls is increasing. Unlike middleware or SDK-based solutions that rely on the agent to voluntarily invoke security checks, Pipelock's position at the network egress point provides a more resilient defense against malicious or misaligned agent activity. The project is currently available on GitHub (Help Net Security).