Pipelock Ships Open-source Agent Firewall for AI Agents

Pipelock, an open-source agent firewall developed by Joshua Waldrep under the PipeLab project, inserts an enforcement layer between AI agents and the network to block credential leaks and prompt injection, according to Help Net Security and the project repository. Help Net Security reports that version 2.3.0 shipped with class-preserving request redaction and generic SSE streaming response scanning. The GitHub repository and package listings describe Pipelock as a single Go binary of roughly 20 megabytes with 22 dependencies, distributed under an Apache 2.0 license, and include SLSA build provenance and a CycloneDX SBOM for releases.

Pipelock runs as an inline proxy that inspects outbound and inbound traffic, covering HTTP, WebSocket, and MCP tool calls, per the GitHub README and the mcp.aibase listing. The project implements an 11-layer scanning pipeline described by Help Net Security that includes scheme enforcement, CRLF injection detection, path traversal blocking, domain blocklisting, data loss prevention (DLP), entropy analysis, SSRF protection, rate limiting, URL length checks, and per-domain data budgets. The DLP layer matches 48 credential patterns and uses four checksum validators (Luhn, mod-97, ABA, WIF) plus encoding-aware decoding to reduce false positives, as reported by Help Net Security.

The repository and ecosystem listings document multiple proxy modes: forward proxy (intercepts processes honoring HTTPS_PROXY), fetch proxy (for dedicated fetch tools), and an MCP proxy for tool calls. The project provides features listed in package pages including an emergency stop switch, audit logging, and SIEM integration (conare.ai; mcp.aibase). The README also lists integrations and compatibility with developer tooling and agent runtimes such as Claude Code, OpenAI Agents SDK, Google ADK, AutoGen, CrewAI, LangGraph, Cursor, and IDEs (GitHub).

Industry-pattern observations: agent-external egress proxies apply capability separation that reduces direct attack surface for credential exfiltration by forcing network traffic through an enforcement point. Public reporting and the project design emphasize that capability separation requires deployment-level network isolation mechanisms, for example container network namespaces, iptables rules, or Kubernetes NetworkPolicy. Observers working with agents typically treat HTTPS_PROXY as a convenient start but not a sufficient enforcement boundary.

reporting frames Pipelock as part of a growing category of agent-focused security controls that combine egress DLP, inbound content scanning, and tool-integrity checks. Public explainers on agent firewalls note three camps of controls-allowlist/control-plane, inline egress inspection, and runtime attestation-and position agent-external proxies like Pipelock in the inline inspection camp. For practitioners, an open-source, single-binary tool with provenance and SBOM lowers the barrier to experimentation and local deployment when compared with commercial offerings, while still requiring correct network isolation to be effective.

practitioners evaluating agent firewalls will monitor a few operational signals: how reliably the DLP handles false positives across common encodings and checksum-validated patterns; how the project integrates with orchestration tooling for enforcing network isolation; and whether downstream agent SDKs provide harder enforcement hooks that make proxy placement tamper-evident. Also watch community adoption indicators such as GitHub stars, container image pulls, and third-party attestations or integrations with SIEM and orchestration platforms.

Editorial analysis: for practitioners:

• •Evaluate whether your deployment can ensure the agent process cannot bypass the proxy at the network level before relying on egress inspection.
• •Test the DLP patterns and checksum validators against representative secrets and encodings used in your environment to measure false positives and negatives.
• •Verify provenance and SBOM claims as part of supply-chain hygiene; the project provides SLSA attestations and CycloneDX SBOMs for releases per the repository.

Help Net Security quotes Joshua Waldrep: "Most agent-security tools still need the agent to cooperate. They are SDKs, decorators, middleware, or wrapper APIs the agent has to call. Those controls only work while the agent keeps calling them," and he added that a steered or poisoned agent can skip controls, which motivated placing enforcement at the egress boundary.

Overall, Pipelock aggregates several defensive controls into an agent-external enforcement point and documents compatibility with popular agent runtimes, while relying on deployment-level network isolation to realize its threat model, according to project documentation and reporting.