Overview

IronCD is a hosted CI/CD platform that serves as a drop-in replacement for GitHub Actions. It runs your existing workflows on hardened, isolated infrastructure and filters all network traffic based on your declared policy.

The goal is simple: make supply chain attacks and secret exfiltration things of the past.

How It Works

IronCD is installed as a GitHub application. IronCD runs your Actions workflows on a dedicated virtual machine with strict network controls and real-time monitoring. Every outbound connection is checked against your .ironcd/policy.yml, ensuring builds can only reach the destinations you’ve approved, such as registries, mirrors, or internal services. Everything else gets blocked.

Migration is easy - just update your runner label and add a policy file:

    # .github/workflows/build.yml
    on: [push]
    jobs:
      build:
        runs-on: [ironcd-2cpu-ubuntu-2404]
        steps:
          - run: make test

    # .ironcd/policy.yml
    mode: enforce
    allow:
      - preset: all-https
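A job only gets the filtering described above if it actually runs on an IronCD runner, so a repository check can flag jobs left on other runners and a policy that is not in enforce mode. The script below is an added example, not IronCD's own tooling; it assumes IronCD labels start with `ironcd-` (as in the label above) and that the `all-https` preset admits any HTTPS destination, and its function names are hypothetical.

```python
import re

# Assumption: IronCD runner labels start with "ironcd-", as in the page's
# example label ironcd-2cpu-ubuntu-2404.
IRONCD_LABEL = re.compile(r"^ironcd-[\w.-]+$")
RUNS_ON = re.compile(r"^\s*runs-on:\s*(.*?)\s*(?:#.*)?$")

def runner_labels(value):
    """Split a runs-on value ('a' or '[a, b]') into its labels."""
    parts = value.strip("[] ").split(",")
    return [p.strip().strip("'\"") for p in parts if p.strip()]

def audit_workflow(text):
    """Return (line_no, labels) for every runs-on that is not all-IronCD.

    Block-style lists and ${{ }} expressions yield no recognisable label,
    so they are reported too and need a manual look.
    """
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = RUNS_ON.match(line)
        if not m:
            continue
        labels = runner_labels(m.group(1))
        if not labels or not all(IRONCD_LABEL.match(l) for l in labels):
            findings.append((no, labels))
    return findings

def audit_policy(text):
    """Return review notes for the text of .ironcd/policy.yml."""
    notes = []
    if not re.search(r"^mode:\s*enforce\s*$", text, re.M):
        notes.append("mode: enforce not set")
    # Assumption from the preset's name: all-https admits any HTTPS host.
    if re.search(r"^\s*-\s*preset:\s*all-https\s*$", text, re.M):
        notes.append("preset all-https in allow list: review scope")
    return notes

# Constructed sample: the page's build job plus a job left on another runner.
SAMPLE_WORKFLOW = """\
on: [push]
jobs:
  build:
    runs-on: [ironcd-2cpu-ubuntu-2404]
    steps:
      - run: make test
  release:
    runs-on: ubuntu-latest
"""

if __name__ == "__main__":
    print(audit_workflow(SAMPLE_WORKFLOW))
```

Run against the files in .github/workflows and .ironcd/policy.yml, an empty result from both functions means every job names an IronCD runner and the policy is enforcing with no broad preset.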

Next Steps

Check out the docs below to help you get started:
