← All docs

Run in CI

How agentjail can protect agents running unattended in CI — and what is not yet available.

In local development, you are usually nearby when an agent runs. In CI, you are not. An agent triggered by a pull request, a scheduled job, or an automated release pipeline can run for minutes before anyone notices something went wrong, and by then the damage is done.

agentjail is designed to be the guard that stays in place when you are not watching — but a wired CI integration path does not exist yet. The install command is macOS-only and there is currently no mechanism for installing agentjail inside a Linux CI runner or wiring the hook from a CI job step. This page describes what is available today and the direction planned for the future.

Why CI is different

When an agent runs unattended:

  • There are no permission prompts to pause execution. The agent proceeds without checking.
  • Any mistake — a bad path, a leaked secret, a force-push to the wrong remote — executes immediately.
  • The blast radius can be larger than in a local session because CI agents often have broader credentials (deploy keys, cloud tokens, registry access).

What is available today: the strict policy sample

agentjail ships a sample config at samples/configs/policy-strict.yaml that is recommended for CI/CD or any max default-deny environment. If you are already running agentjail locally (macOS) and want to validate what a strict policy looks like before a CI path exists, that file is the reference starting point.

Enable it with:

agentjail policy list          # see available rulesets
agentjail policy enable <name> # enable the strict ruleset

CI integration: not yet available

A supported mechanism for running agentjail inside GitHub Actions, GitLab CI, CircleCI, or other CI environments does not exist yet. Specifically:

  • The install script and agentjail install command target macOS (launchctl-based daemon).
  • There is no --ci flag, Docker image, or GitHub Action published by agentjail.
  • agentjail install --for codex and --for cursor (which CI pipelines might use) are stubs that exit with “not yet implemented”.

When CI integration is available it will appear in the changelog and the Claude Code integration guide will be updated accordingly.

What happens on a denial (once wired)

When agentjail blocks a tool call, agentjail-hook exits 2 and prints a structured reason. The agent receives the block message, stops, and typically logs an explanation. A CI job that fails loudly on a blocked call is better than one that silently succeeds on a destructive one.

See also