EresusSecurity

Network Egress Rules

Detects model, agent, or evaluation configurations that can reach sensitive network locations.

Definition

The Network rule family turns findings on this surface into actionable records with rule ID, severity, CWE, OWASP LLM mapping, owner, release decision, and retest command.

LLM tools and model-loading code often run near credentials, internal APIs, and metadata services. Unsafe network access turns prompt injection into data exposure.

Supported inputs

  • YAML
  • JSON
  • Python
  • TypeScript
  • notebooks
  • model cards

Typical attack scenarios

  • A tool call reaches a cloud metadata service.
  • A config fetches model files from mutable HTTP URLs.
  • An agent can call private RFC1918 hosts during prompt-controlled browsing.

Detection logic

Sentinel ties Network evidence to reproducible signals such as file path, metadata, opcode, AST node, manifest field, dependency, or archive entry. The same signal should disappear when the finding is closed.

Triage

Do not read Network findings as scanner noise. Verify the evidence first, map the finding to a severity-based release decision, and then produce closure evidence with the same Sentinel command.

Operational checklist
  • Source: where did the file, manifest, prompt, archive, or dependency come from?
  • Impact: code execution, data leakage, supply chain, or resource consumption?
  • Control: allowlist, hash, sandbox, egress policy, or secret rotation?
  • Evidence: does the same rule category return clean after the fix?

Remediation

Remediation should change the risk boundary, not merely silence the finding: remove executable formats, pin source or hash, narrow tool permissions, rotate secrets, or add runtime sandboxing.

CI policy

sentinel-policy.yml
category: NET
fail_on:
  - CRITICAL
  - HIGH
ticket_on:
  - MEDIUM
retest: "sentinel scan ./project/"

Rule index

Rule ID                  | Severity | Title                          | CWE     | Fix Hint
NET-METADATA-ENDPOINT    | HIGH     | Cloud Metadata Endpoint Access | CWE-918 | Deny metadata service access from model and agent runtimes.
NET-PRIVATE-RANGE-EGRESS | MEDIUM   | Private Network Egress         | CWE-200 | Constrain agent network access to approved hosts.
NET-UNPINNED-MODEL-URL   | MEDIUM   | Unpinned Remote Model URL      | CWE-494 | Download only hash-verified model artifacts.

NET-METADATA-ENDPOINT: Cloud Metadata Endpoint Access

Rule ID: NET-METADATA-ENDPOINT
Category: NET
Severity: HIGH
CWE: CWE-918
OWASP LLM: LLM06 — Excessive Agency, LLM02 — Sensitive Information Disclosure
FP Risk: LOW
Owner: Application security and backend/agent owner
Release decision: Treat as a release gate; remediation or explicit risk acceptance is required.

Description

Detects code or tool configuration that can reach cloud instance metadata endpoints.

Why it matters

LLM tools and model-loading code often run near credentials, internal APIs, and metadata services. Unsafe network access turns prompt injection into data exposure.

When it fires

Sentinel fires this rule in the Network category when it sees URLs or socket targets for 169.254.169.254, metadata.google.internal, or provider-specific metadata paths. The finding should be reported with reproducible evidence such as file name, metadata, opcode, AST node, or manifest field.

Evidence format

URLs or socket targets for 169.254.169.254, metadata.google.internal, or provider-specific metadata paths.

Expected evidence

The report should include the affected file or manifest path, observed signal, rule ID, severity, owner, and retest command required for closure.

False-positive notes

False-positive probability is low. If evidence points directly to a file, opcode, secret pattern, path, or manifest field, treat it as real and require closure evidence.

Triage

Operational checklist
  • Owner: Application security and backend/agent owner.
  • Decision: Treat as a release gate; remediation or explicit risk acceptance is required.
  • Evidence: URLs or socket targets for 169.254.169.254, metadata.google.internal, or provider-specific metadata paths.
  • Closure: sentinel scan ./project/ must return clean output.

How to fix

Block metadata IP ranges, use IMDSv2 where applicable, and isolate agent network egress.

CLI

sentinel scan ./project/

Policy example

sentinel-policy.yml
rules:
  NET-METADATA-ENDPOINT:
    owner: "Application security and backend/agent owner"
    fail_on: ["CRITICAL", "HIGH"]
    retest: "sentinel scan ./project/"

Expected output

NET-METADATA-ENDPOINT HIGH
Cloud Metadata Endpoint Access
Deny metadata service access from model and agent runtimes.

Example

Bad:

import requests
requests.get("http://169.254.169.254/latest/meta-data/iam/security-credentials/")

Good:

# Egress allowlist
allowed_hosts = ["api.vendor.example"]

Related rules

NET-PRIVATE-RANGE-EGRESS: Private Network Egress

Rule ID: NET-PRIVATE-RANGE-EGRESS
Category: NET
Severity: MEDIUM
CWE: CWE-200
OWASP LLM: LLM06 — Excessive Agency
FP Risk: MEDIUM
Owner: Application security and backend/agent owner
Release decision: Assign an owner, fix within the sprint, and attach the retest command to the issue.

Description

Finds agent or scanner configurations that can reach internal RFC1918 or localhost targets.

Why it matters

LLM tools and model-loading code often run near credentials, internal APIs, and metadata services. Unsafe network access turns prompt injection into data exposure.

When it fires

Sentinel fires this rule in the Network category when it sees outbound allowlists that include 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, localhost, or link-local ranges. The finding should be reported with reproducible evidence such as file name, metadata, opcode, AST node, or manifest field.
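A static check for this signal, added here as an illustration and not part of Sentinel: it treats an allowlist entry as internal when it overlaps one of the ranges the rule names, so a CIDR block inside those ranges or a catch-all entry is caught even though the literal strings differ. The allowlist contents are constructed.

```python
import ipaddress

# Ranges named in the rule's evidence format, plus loopback, which is what localhost resolves to.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC1918
    "169.254.0.0/16", "fe80::/10",                      # link-local, where cloud metadata services live
    "127.0.0.0/8", "::1/128",                           # loopback
)]
LOCAL_NAMES = {"localhost", "localhost.localdomain", "metadata.google.internal"}

def private_range_findings(allowlist: list[str]) -> list[str]:
    """Return one NET-PRIVATE-RANGE-EGRESS signal per allowlist entry that reaches an internal range.

    Entries may be hostnames, IP literals or CIDR blocks. A block is flagged when it
    overlaps any internal range, so 0.0.0.0/0 and 10.1.0.0/16 are caught even though
    neither string matches the ranges listed in the rule.
    """
    findings = []
    for entry in allowlist:
        name = entry.strip().lower()
        if name in LOCAL_NAMES:
            findings.append(f"{entry}: local or metadata hostname")
            continue
        try:
            net = ipaddress.ip_network(name, strict=False)  # a bare IP becomes a /32 or /128
        except ValueError:
            continue  # ordinary hostname: not decidable statically, left to runtime egress control
        hits = [str(r) for r in INTERNAL_RANGES if r.version == net.version and r.overlaps(net)]
        if hits:
            findings.append(f"{entry}: overlaps internal range {hits[0]}")
    return findings

# Constructed allowlist of the kind an agent config might carry (not from any real project).
CONSTRUCTED_ALLOWLIST = [
    "api.vendor.example",   # fine: public hostname
    "203.0.113.0/24",       # fine: no overlap with internal ranges
    "10.1.0.0/16",          # inside 10.0.0.0/8
    "192.168.1.50",         # single host in 192.168.0.0/16
    "localhost",            # loopback by name
    "0.0.0.0/0",            # "allow everything" includes every internal range
]

if __name__ == "__main__":
    for f in private_range_findings(CONSTRUCTED_ALLOWLIST):
        print("NET-PRIVATE-RANGE-EGRESS MEDIUM", f)
```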

Evidence format

Outbound allowlists include 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, localhost, or link-local ranges.

Expected evidence

The report should include the affected file or manifest path, observed signal, rule ID, severity, owner, and retest command required for closure.

False-positive notes

False-positive probability is medium. Verify source, expected use, and owner first; add an allowlist if needed, but do not remove evidence from the report.

Triage

Operational checklist
  • Owner: Application security and backend/agent owner.
  • Decision: Assign an owner, fix within the sprint, and attach the retest command to the issue.
  • Evidence: Outbound allowlists include 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, localhost, or link-local ranges.
  • Closure: sentinel scan ./project/ must return clean output.

How to fix

Use deny-by-default egress, scoped proxy rules, and separate internal tooling from prompt-controlled paths.
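One way to implement the deny-by-default egress that both "How to fix" sections call for (refusing the metadata endpoint and refusing private targets), added here as an example and not Sentinel's or any project's code. The host names and DNS answers are constructed; `system_resolver` shows where a real lookup would go.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hostnames from the NET-METADATA-ENDPOINT evidence format.
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal"}
# Ranges from the NET-PRIVATE-RANGE-EGRESS evidence format: RFC1918, link-local, loopback.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fe80::/10", "127.0.0.0/8", "::1/128",
)]

def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_RANGES)

def system_resolver(host: str) -> list[str]:
    """Real DNS lookup; the demo and tests pass a stub instead so they run offline."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def egress_allowed(url: str, allowed_hosts: set[str], resolver=system_resolver) -> tuple[bool, str]:
    """Deny-by-default egress decision: the host must be on the allowlist AND every
    address it resolves to must be outside the internal ranges, so an approved name
    that points at an RFC1918 or link-local address is still refused."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False, "unsupported scheme or missing host"
    if host in METADATA_HOSTS:
        return False, f"{host} is a cloud metadata endpoint (NET-METADATA-ENDPOINT)"
    if host not in allowed_hosts:
        return False, f"{host} is not in the egress allowlist"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal: no lookup needed
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        return False, f"{host} did not resolve"
    internal = [a for a in addrs if is_internal(a)]
    if internal:
        return False, f"{host} resolves to {internal[0]} (NET-PRIVATE-RANGE-EGRESS)"
    return True, "ok"

# Constructed DNS answers so the example runs without a network.
CONSTRUCTED_DNS = {"api.vendor.example": ["203.0.113.10"],
                   "build-cache.vendor.example": ["10.0.0.5"]}

def stub_resolver(host: str) -> list[str]:
    return CONSTRUCTED_DNS.get(host, [])
```

Checking the resolved addresses, not just the name, is what closes the gap between the allowlist in the page's "Good" snippet and an actual egress boundary.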

CLI

sentinel scan ./project/

Policy example

sentinel-policy.yml
rules:
  NET-PRIVATE-RANGE-EGRESS:
    owner: "Application security and backend/agent owner"
    fail_on: ["CRITICAL", "HIGH"]
    retest: "sentinel scan ./project/"

Expected output

NET-PRIVATE-RANGE-EGRESS MEDIUM
Private Network Egress
Constrain agent network access to approved hosts.

Example

Bad:

import requests
requests.get("http://169.254.169.254/latest/meta-data/iam/security-credentials/")

Good:

# Egress allowlist
allowed_hosts = ["api.vendor.example"]

Related rules

NET-UNPINNED-MODEL-URL: Unpinned Remote Model URL

Rule ID: NET-UNPINNED-MODEL-URL
Category: NET
Severity: MEDIUM
CWE: CWE-494
OWASP LLM: LLM03 — Supply Chain
FP Risk: MEDIUM
Owner: Application security and backend/agent owner
Release decision: Assign an owner, fix within the sprint, and attach the retest command to the issue.

Description

Reports model downloads from mutable URLs without hashes, immutable versions, or signed manifests.

Why it matters

LLM tools and model-loading code often run near credentials, internal APIs, and metadata services. Unsafe network access turns prompt injection into data exposure.

When it fires

Sentinel fires this rule in the Network category when it sees an HTTP(S) model URL with latest, main, master, or branch refs, or one that is loaded without sha256 verification. The finding should be reported with reproducible evidence such as file name, metadata, opcode, AST node, or manifest field.

Evidence format

HTTP(S) model URL with latest, main, master, branch refs, or missing sha256 verification.

Expected evidence

The report should include the affected file or manifest path, observed signal, rule ID, severity, owner, and retest command required for closure.

False-positive notes

False-positive probability is medium. Verify source, expected use, and owner first; add an allowlist if needed, but do not remove evidence from the report.

Triage

Operational checklist
  • Owner: Application security and backend/agent owner.
  • Decision: Assign an owner, fix within the sprint, and attach the retest command to the issue.
  • Evidence: HTTP(S) model URL with latest, main, master, branch refs, or missing sha256 verification.
  • Closure: sentinel scan ./project/ must return clean output.

How to fix

Pin to immutable commits or release versions and verify checksums before loading.
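An added example (not Sentinel's own code) covering both the rule's signal and the fix: it flags mutable refs and a missing digest for a model URL, then accepts a downloaded blob only when its SHA-256 matches the pinned value. The host `models.vendor.example`, the commit id and the blob are constructed.

```python
import hashlib
import hmac
import re
from typing import Optional
from urllib.parse import urlsplit

# Mutable refs named in the rule's evidence format; a path segment equal to one of these is not pinned.
MUTABLE_REFS = {"latest", "main", "master"}
_SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")

def unpinned_model_url_findings(url: str, expected_sha256: Optional[str]) -> list[str]:
    """Return the NET-UNPINNED-MODEL-URL signals for one remote model download."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return []  # local paths and other schemes are outside this rule
    findings = []
    segments = [s.lower() for s in parts.path.split("/") if s]
    mutable = [s for s in segments if s in MUTABLE_REFS]
    if mutable:
        findings.append(f"mutable ref {mutable[0]!r} in model URL")
    if not expected_sha256 or not _SHA256_HEX.match(expected_sha256.lower()):
        findings.append("missing sha256 verification")
    return findings

def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

def load_verified_artifact(blob: bytes, expected_sha256: str) -> bytes:
    """Accept downloaded bytes only when their SHA-256 matches the digest pinned at review time."""
    actual = sha256_hex(blob)
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise ValueError(f"model checksum mismatch: expected {expected_sha256}, got {actual}")
    return blob

# Constructed inputs: a hypothetical model host and a stand-in for downloaded weights.
UNPINNED_URL = "https://models.vendor.example/org/model/resolve/main/model.safetensors"
PINNED_URL = "https://models.vendor.example/org/model/resolve/0f3a9c1d2e4b5a6f7c8d9e0f1a2b3c4d5e6f7a8b/model.safetensors"
CONSTRUCTED_BLOB = b"constructed model weights, not a real artifact"
PINNED_SHA256 = sha256_hex(CONSTRUCTED_BLOB)  # recorded when the artifact was reviewed and pinned

if __name__ == "__main__":
    print(unpinned_model_url_findings(UNPINNED_URL, None))
    print(unpinned_model_url_findings(PINNED_URL, PINNED_SHA256))   # [] : pinned and verified
    load_verified_artifact(CONSTRUCTED_BLOB, PINNED_SHA256)         # passes
    try:
        load_verified_artifact(CONSTRUCTED_BLOB + b"\x00", PINNED_SHA256)
    except ValueError as err:
        print("blocked:", err)
```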

CLI

sentinel scan ./project/

Policy example

sentinel-policy.yml
rules:
  NET-UNPINNED-MODEL-URL:
    owner: "Application security and backend/agent owner"
    fail_on: ["CRITICAL", "HIGH"]
    retest: "sentinel scan ./project/"

Expected output

NET-UNPINNED-MODEL-URL MEDIUM
Unpinned Remote Model URL
Download only hash-verified model artifacts.

Example

Bad:

import requests
requests.get("http://169.254.169.254/latest/meta-data/iam/security-credentials/")

Good:

# Egress allowlist
allowed_hosts = ["api.vendor.example"]

Related rules

References