-
Notifications
You must be signed in to change notification settings - Fork 194
Expand file tree
/
Copy pathpipelock.example.yaml
More file actions
110 lines (96 loc) · 3.5 KB
/
Copy pathpipelock.example.yaml
File metadata and controls
110 lines (96 loc) · 3.5 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
# Pipelock configuration for Docker Compose
# See https://github.com/luckyPipewrench/pipelock for full options.
#
# Recent additions through 2.8: default-on flight recorder receipts, safe-by-
# default receipt verification, request-policy scoring, request-body prompt-
# injection blocking, SPIFFE-strict inbound mediation envelopes, scanner
# attribution on MCP block receipts, wedge-detection health watchdog,
# learn-and-lock behavioural contracts, trusted domains, redirect profiles,
# MCP `defer` authorization, `pipelock explain`, `pipelock keys status`,
# `pipelock support bundle`, verified `pipelock update`, and `pipelock doctor`
# checks for inert exemptions.
# Run `pipelock assess init --config <file>` to create an assessment workspace.
# Run `pipelock audit score --config <file>` for a security posture score (0-100).
# Run `pipelock doctor` to verify configured protections are actually enforceable.
version: 1
mode: balanced
# Trusted domains: allow services whose public DNS resolves to private IPs.
# Prevents SSRF scanner from blocking legitimate internal traffic.
# trusted_domains:
# - "api.internal.example.com"
# - "*.corp.example.com"
forward_proxy:
enabled: true
max_tunnel_seconds: 300
idle_timeout_seconds: 60
websocket_proxy:
enabled: false
max_message_bytes: 1048576
max_concurrent_connections: 128
scan_text_frames: true
allow_binary_frames: false
forward_cookies: false
strip_compression: true
max_connection_seconds: 3600
idle_timeout_seconds: 300
origin_policy: rewrite
dlp:
scan_env: true
include_defaults: true
response_scanning:
enabled: true
action: warn
include_defaults: true
mcp_input_scanning:
enabled: true
action: block
on_parse_error: block
mcp_tool_scanning:
enabled: true
action: warn
detect_drift: true
mcp_tool_policy:
enabled: false
action: warn
# Redirect profiles: route matched tool calls to audited handler programs
# instead of blocking. The handler returns a synthetic MCP response.
# redirect_profiles:
# safe-fetch:
# exec: ["/pipelock", "internal-redirect", "fetch-proxy"]
# reason: "Route fetch calls through audited proxy"
mcp_session_binding:
enabled: true
unknown_tool_action: warn
tool_chain_detection:
enabled: true
action: warn
window_size: 20
max_gap: 3
# Request body scanning (pipelock 2.5+): detect prompt-injection payloads in
# outbound request bodies (JSON, form-encoded, raw text, WebSocket frames).
# In enforce mode, prompt-injection findings hard-block non-provider
# destinations even when action is "warn". Trusted provider hosts (OpenAI,
# Anthropic, etc.) remain exempt via the response_scanning exemption list.
request_body_scanning:
enabled: true
action: warn
max_body_bytes: 5242880
scan_headers: true
header_mode: sensitive
# Health watchdog (pipelock 2.4+): /health returns 503 when any subsystem
# heartbeat goes stale. Enabled by default; set expose_subsystems true to
# include a per-subsystem boolean map in /health responses.
health_watchdog:
enabled: true
interval_seconds: 2
expose_subsystems: false
# Flight recorder (pipelock 2.7+): signed, hash-chained action receipts.
# Enabled by default, but inert until both `dir` and `signing_key_path` are set.
# For Docker Compose, mount ./pipelock-evidence and ./pipelock-keys as shown in
# compose.example.ai.yml, then uncomment these paths.
flight_recorder:
enabled: true
require_receipts: false
redact: true
# dir: /var/lib/pipelock/evidence
# signing_key_path: /etc/pipelock/keys/flight-recorder-signing.key