Pipelock: the open-source firewall for AI agents that isolates credentials and traffic

Pipelock, the open-source firewall developed by Joshua Waldrep in the PipeLab project, addresses the risks posed by AI agents that have shell access, API keys, and unrestricted internet connectivity. Such an agent is a single point of failure: one compromised call can expose credentials to domains controlled by attackers. Version 2.3.0 of Pipelock adds class-preserving request redaction and a generic scanner for SSE streaming.

Quick Answer

Pipelock is an open-source firewall that adds an enforcement layer between AI agents and the network, isolating credentials and traffic. It uses an 11-level scanning pipeline and covers 48 credential patterns, including API keys and cryptocurrency private keys. The solution is distributed under the Apache 2.0 license and implements an audit system with hash-chained logs and Ed25519 signatures.

Architecture and scanning pipeline

Pipelock ships as a single 20 MB Go binary with 22 dependencies. Its architecture is based on capability separation: the agent process holds the secrets but has no direct network access, while the proxy manages connectivity without accessing the secrets. Communication between the two zones crosses a scanning boundary.

Network isolation relies on deployment-level controls such as network namespaces, iptables, Docker internal networks, or Kubernetes NetworkPolicy. Waldrep emphasizes that Pipelock differs from traditional agent security tools that require agent cooperation. A manipulated agent can bypass those tools, while Pipelock operates at the egress boundary, similar to how TLS handles trust on the web.

11-level scanning pipeline

Each request goes through a scanning pipeline that covers:

  • Schema enforcement
  • CRLF injection detection
  • Path traversal blocking
  • Domain blocklist
  • Data loss prevention (DLP)
  • Path and subdomain entropy analysis
  • SSRF protection
  • Rate limiting
  • URL length control
  • Data budget per domain

The DLP level covers 48 credential patterns, including API keys, tokens, financial account numbers, and cryptocurrency private keys. It uses four checksum validators (Luhn, mod-97, ABA, and WIF) to reduce false positives. Response scanning applies 25 injection detection patterns with six normalization steps for zero-width characters, homoglyphs, and leetspeak. The system operates in fail-closed mode: timeouts, parsing errors, oversize bodies, and uncompressible content all result in an automatic block.

Coverage and audit functionality

The proxy scans HTTP forward proxy traffic, CONNECT tunnels, WebSocket frames in both directions, streamable HTTP transports, and Model Context Protocol stdio messages. It produces hash-chained logs with integrity proofs and optional Ed25519 signatures, as well as signed assessment bundles and agent bills of materials in CycloneDX 1.6 format.

Compliance mappings include OWASP MCP Top 10, OWASP Agentic AI Top 10, MITRE ATT&CK technique IDs, EU AI Act runtime controls, SOC 2 control families, and NIST 800-53. The SARIF v2.1.0 output integrates with GitHub Code Scanning.

Roadmap and availability

Waldrep announced that the signed proof receipt format is already implemented and ships with a reference Python implementation that independently reconstructs the canonical preimage and validates the signature. The goal is to turn this format into a public infrastructure for agent attestation, with SDKs for multiple languages and broader transport coverage.
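
The verification idea behind the hash-chained, Ed25519-signed audit log and the receipt check described above (rebuild the preimage, check the signature, check the link to the previous entry), as an added Go example that is not Pipelock's code or its receipt format. The Entry layout, the preimage definition Prev || Msg and the function names are assumptions, and the log messages are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Entry is a hypothetical record layout (assumption; not Pipelock's actual log schema).
type Entry struct {
	Prev [32]byte // hash of the previous entry, zero for the first
	Msg  string
	Sig  []byte // Ed25519 signature over preimage()
}

// preimage is the byte string that gets signed; Hash additionally binds the signature.
func (e Entry) preimage() []byte { return append(e.Prev[:], e.Msg...) }
func (e Entry) Hash() [32]byte   { return sha256.Sum256(append(e.preimage(), e.Sig...)) }

// Build signs constructed events with a fresh key, linking each entry to its predecessor.
func Build(msgs ...string) ([]Entry, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	var chain []Entry
	var prev [32]byte
	for _, m := range msgs {
		e := Entry{Prev: prev, Msg: m}
		e.Sig = ed25519.Sign(priv, e.preimage())
		chain, prev = append(chain, e), e.Hash()
	}
	return chain, pub
}

// Verify returns the index of the first entry whose link or signature fails, or -1.
func Verify(chain []Entry, pub ed25519.PublicKey) int {
	var prev [32]byte
	for i, e := range chain {
		if e.Prev != prev || !ed25519.Verify(pub, e.preimage(), e.Sig) {
			return i
		}
		prev = e.Hash()
	}
	return -1
}

func main() {
	chain, pub := Build("allow api.example.com", "block dlp:wif", "allow cdn.example.com")
	chain[1].Msg = "allow dlp:wif" // after-the-fact edit of a recorded decision
	fmt.Println("first bad entry:", Verify(chain, pub))
}
```

A chain by itself does not reveal removal of its newest entries; the latest hash has to be recorded somewhere the log writer cannot alter.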

Pipelock is freely available on GitHub.

Implications for cryptocurrency security

One of the most relevant aspects of Pipelock concerns the protection of cryptocurrency private keys. The system is capable of detecting and blocking the transmission of these sensitive credentials through its scanning pipeline. This represents an important step forward in the security of AI agents operating in the cryptocurrency sector, where the loss of private keys can result in significant financial losses.

Pipelock's ability to handle complex credential patterns, such as private keys, is made possible by the four checksum validators implemented. These validators significantly reduce false positives, allowing the system to operate with a high level of precision. This is particularly important in a context where the security of financial transactions is critical.
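
How a checksum validator cuts false positives, shown for the WIF case named above and in the DLP description earlier: a shape-only pattern flags candidates, and only those whose Base58Check checksum verifies are reported. This is an added Go example, not Pipelock's code; the regular expression, the names ValidWIF and FindKeys and the sample request body are assumptions, and sampleWIF is the sample key published in the Bitcoin wiki's WIF documentation.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
	"math/big"
	"regexp"
	"strings"
)

const b58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
const sampleWIF = "5HueCGU8rMjxEXxiPuD5BDku4MkFqeZyd4dZ1jvhTVqvbTLvyTJ" // public documentation vector

// wifShape matches anything that merely looks like a mainnet WIF key (assumed pattern).
var wifShape = regexp.MustCompile(`\b[5KL][1-9A-HJ-NP-Za-km-z]{50,51}\b`)

// ValidWIF decodes Base58Check and confirms version byte 0x80, length and checksum.
func ValidWIF(s string) bool {
	n := new(big.Int)
	for _, c := range s {
		i := strings.IndexRune(b58, c)
		if i < 0 {
			return false
		}
		n.Mul(n, big.NewInt(58)).Add(n, big.NewInt(int64(i)))
	}
	raw := n.Bytes() // version byte + 32-byte key (+ compression flag) + 4-byte checksum
	if (len(raw) != 37 && len(raw) != 38) || raw[0] != 0x80 {
		return false
	}
	a := sha256.Sum256(raw[:len(raw)-4])
	b := sha256.Sum256(a[:])
	return bytes.Equal(b[:4], raw[len(raw)-4:])
}

// FindKeys returns only the shape matches in an outbound body that also pass the checksum.
func FindKeys(body string) (hits []string) {
	for _, c := range wifShape.FindAllString(body, -1) {
		if ValidWIF(c) {
			hits = append(hits, c)
		}
	}
	return hits
}

func main() {
	// Constructed body: the second value has the same shape but a broken checksum.
	fmt.Println(len(FindKeys("k=" + sampleWIF + "&trace=" + sampleWIF[:50] + "K")))
}
```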

Integration with other security tools

Pipelock does not operate in isolation but is designed to integrate with other existing security tools. For example, the SARIF v2.1.0 output is compatible with GitHub Code Scanning, allowing Pipelock users to leverage the code analysis features already available on this platform. This facilitates the adoption of the firewall even in already established environments.

The compliance mappings included in the system cover a wide range of security standards, including OWASP MCP Top 10, MITRE ATT&CK, and NIST 800-53. This makes Pipelock a versatile tool, suitable for different business and regulatory contexts. Compliance with these standards is particularly relevant for organizations operating in regulated sectors, where security is an absolute priority.

Benefits for developers

For developers working with AI agents, Pipelock offers a solution that does not require significant modifications to existing code. The firewall operates at the egress boundary level, meaning that agents do not need to be modified to integrate it. This reduces the time and effort required to implement advanced security measures.

The signed proof receipt format implemented by Waldrep is an additional advantage for developers. It allows the integrity of agent operations to be verified, providing a solid basis for agent attestation. The ability to independently reconstruct the canonical preimage and validate the signature offers an additional level of trust in the system's security.

Challenges and future considerations

Despite the numerous advantages, the adoption of Pipelock presents some challenges. The complexity of integration with existing infrastructures can be an obstacle for some organizations. Additionally, the need to keep the scanning patterns and checksum validators up to date requires continuous commitment from the development team.

Waldrep mentioned the intention to turn the signed proof receipt format into a public infrastructure for agent attestation. This goal requires collaboration with other vendors and open-source projects, which could involve coordination and standardization challenges. However, if achieved, this project could have a significant impact on the global security of AI agents.

Pipelock represents an important innovation in the field of AI agent security. Its ability to isolate credentials and traffic, combined with an advanced scanning pipeline and integration with established security standards, makes it a valuable tool for developers and organizations working with AI agents. Despite the challenges related to adoption and maintenance, Pipelock's potential to improve AI agent security is undeniable.

For anyone interested in exploring Pipelock's capabilities further, the source code is freely available on GitHub. This offers the opportunity to contribute to the project and adapt it to specific security needs.
