
Allowlists are the primary tool for reducing triage noise. Rather than promoting a run every time a package connects to a CDN your infrastructure owns or reads a system library directory, you create an allowlist rule and those behaviors are silently filtered out before they ever appear as deviations. Rules are evaluated by the differ at analysis time — they also apply retroactively when you run fangs baseline promote, so allowlisted values never get baked into the baseline.

Rule Kinds

FANGS supports three allowlist kinds, each targeting a different deviation category:

cidr

Suppresses net_new_destination deviations whose IP address falls within the specified CIDR range. Value must be a valid CIDR in x.x.x.x/n notation.

path

Suppresses fs_new_path_read and fs_new_path_write deviations whose normalized path starts with the specified prefix. Value must be an absolute path beginning with /.

sni

Suppresses net_new_https_host deviations whose SNI value equals the specified hostname. Matching is case-insensitive and exact: there is no wildcard or suffix matching, so a rule for telemetry.example.com does not cover api.telemetry.example.com. No structural validation is applied, so any string is accepted; a misspelled hostname produces a rule that silently matches nothing.

Scope

Every rule is either global or package-scoped:
Scope     When it applies
global    Every run of every package
package   Only runs of the named package
Omit -package for a global rule. Supply -package <name> to scope the rule to a single package.

Adding Rules

Add a Global CIDR Rule

Suppress all outbound connections into your internal network across every monitored package:

fangs allow add -kind cidr -value 10.0.0.0/8 -note 'internal network'

Values are validated with net.ParseCIDR; an invalid CIDR is rejected immediately.

Add a Global Path Prefix Rule

Suppress reads of shared library paths that appear in many packages' install scripts:

fangs allow add -kind path -value /usr/local/lib/ -note 'shared libs'
fangs allow add -kind path -value /usr/share/zoneinfo/ -note 'timezone DB reads'

Path values must start with /. Prefix matching is applied after path normalization, so the rule is compared against the path as the differ sees it, not the raw string the package opened.

Add a Package-Scoped SNI Rule

Suppress a telemetry hostname for a specific package only:

fangs allow add \
  -kind sni \
  -value telemetry.example.com \
  -package axios \
  -note 'axios telemetry'

This rule fires only for runs of axios; other packages connecting to the same host still produce a net_new_https_host deviation.

Listing and Removing Rules

# Show all entries (global + all package-scoped)
fangs allow list

# Filter to entries that apply to a specific package
fangs allow list -package axios
Output:
ID        SCOPE    PACKAGE  KIND  VALUE          NOTE                  CREATED
a1b2c3d4  global   —        cidr  10.0.0.0/8     internal network      2025-01-10T09:00:00Z
b2c3d4e5  package  axios    sni   telemetry...   axios telemetry       2025-01-12T14:22:01Z
cfg001    global   —        path  /usr/lib/      shared library loads  2025-01-08T00:00:00Z
Remove by ID prefix (git-style short IDs work):
fangs allow remove a1b2
If the prefix matches more than one entry, FANGS returns an error and asks for a longer prefix.
Entries with IDs prefixed with cfg are managed by config/orchestrator.yaml. You can remove them with fangs allow remove, but they reappear on the next orchestrator restart unless you also delete the corresponding line from the YAML file.

Config-File-Managed Rules

Rules can also be declared in config/orchestrator.yaml under the allow section. These are upserted at orchestrator startup with deterministic cfg-prefixed IDs that are stable across restarts:
allow:
  paths:
    - value: "/usr/lib/"
      note: "shared library loads"
    - value: "/usr/share/zoneinfo/"
      note: "timezone DB reads"
  cidrs:
    - value: "10.0.0.0/8"
      note: "internal network"
  snis:
    - value: "telemetry.internal.example"
Config-file rules are global only. Per-package rules must be added with fangs allow add -package <name>.
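The two behaviours above that are easy to get wrong in practice are prefix removal (a short ID that matches more than one entry must fail without deleting anything) and the fact that config-file entries are re-upserted under the same cfg IDs on every orchestrator restart. The following Go program is an added example, not FANGS' own code: the in-memory Store, the Entry and Config types, and the derivation of the cfg IDs ("cfg" plus the rule's zero-padded position in the file, paths then cidrs then snis) are assumptions, since the page shows IDs like cfg001 but not how they are computed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Entry is one row of `fangs allow list`; an empty Package means global scope.
type Entry struct {
	ID, Package, Kind, Value, Note string
}

// Store is an in-memory stand-in for wherever FANGS keeps allowlist entries
// (assumption: the page does not describe the storage).
type Store struct {
	entries map[string]Entry
}

func NewStore() *Store { return &Store{entries: map[string]Entry{}} }

// Add stores a CLI-created entry under its full ID.
func (s *Store) Add(e Entry) { s.entries[e.ID] = e }

// Has reports whether an entry with exactly this ID exists.
func (s *Store) Has(id string) bool { _, ok := s.entries[id]; return ok }

// Remove deletes the single entry whose ID starts with prefix (git-style short
// IDs). No match is an error; more than one match is an error that names the
// candidates and asks for a longer prefix, and nothing is deleted.
func (s *Store) Remove(prefix string) (Entry, error) {
	var hits []Entry
	for id, e := range s.entries {
		if strings.HasPrefix(id, prefix) {
			hits = append(hits, e)
		}
	}
	switch len(hits) {
	case 0:
		return Entry{}, fmt.Errorf("no allowlist entry matches %q", prefix)
	case 1:
		delete(s.entries, hits[0].ID)
		return hits[0], nil
	}
	ids := make([]string, 0, len(hits))
	for _, h := range hits {
		ids = append(ids, h.ID)
	}
	sort.Strings(ids)
	return Entry{}, fmt.Errorf("prefix %q is ambiguous (%s); use a longer prefix", prefix, strings.Join(ids, ", "))
}

// ConfigRule is one item under allow.paths, allow.cidrs or allow.snis.
type ConfigRule struct{ Value, Note string }

// Config mirrors the allow: section of config/orchestrator.yaml.
type Config struct {
	Paths, CIDRs, SNIs []ConfigRule
}

// UpsertConfig is what the orchestrator does at startup: every config rule is
// written as a global entry under a deterministic cfg-prefixed ID, so a rule
// removed with `fangs allow remove` comes back on the next restart. Assumption:
// the ID is "cfg" plus the rule's zero-padded position in the file (paths, then
// cidrs, then snis), which is stable as long as the file order does not change.
func (s *Store) UpsertConfig(c Config) []string {
	var ids []string
	n := 0
	add := func(kind string, rules []ConfigRule) {
		for _, r := range rules {
			n++
			id := fmt.Sprintf("cfg%03d", n)
			s.entries[id] = Entry{ID: id, Kind: kind, Value: r.Value, Note: r.Note}
			ids = append(ids, id)
		}
	}
	add("path", c.Paths)
	add("cidr", c.CIDRs)
	add("sni", c.SNIs)
	return ids
}

func main() {
	cfg := Config{ // the allow: block above, as Go literals
		Paths: []ConfigRule{{"/usr/lib/", "shared library loads"}, {"/usr/share/zoneinfo/", "timezone DB reads"}},
		CIDRs: []ConfigRule{{"10.0.0.0/8", "internal network"}},
		SNIs:  []ConfigRule{{"telemetry.internal.example", ""}},
	}
	s := NewStore()
	s.UpsertConfig(cfg)
	s.Add(Entry{ID: "a1b2c3d4", Kind: "cidr", Value: "10.0.0.0/8", Note: "internal network"})
	s.Add(Entry{ID: "a1f9e8d7", Kind: "path", Value: "/opt/", Note: "constructed entry sharing the a1 prefix"})

	if _, err := s.Remove("a1"); err != nil {
		fmt.Println("remove a1:", err) // ambiguous, nothing removed
	}
	if e, err := s.Remove("a1b2"); err == nil {
		fmt.Println("removed", e.ID)
	}
	_, _ = s.Remove("cfg001")
	fmt.Println("cfg001 after remove:", s.Has("cfg001"))
	s.UpsertConfig(cfg) // orchestrator restart
	fmt.Println("cfg001 after restart:", s.Has("cfg001"))
}
```

The ambiguity check runs before any delete, which is the property you want from a prefix-addressed remove: a too-short prefix can never take out a neighbouring rule. The restart simulation at the end is the reason to edit the YAML rather than only running fangs allow remove against a cfg entry.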

Hardcoded CDN Allowlist

FANGS ships a built-in CDN allowlist (DefaultCDNAllowlist) that covers the major public CDN IP ranges:

Cloudflare

IPv4 and IPv6 ranges for Cloudflare’s CDN and edge network.

GitHub / Fastly

IP ranges used by GitHub Actions, GitHub Packages, and Fastly CDN.

Google / CloudFront

Google Cloud CDN ranges and Amazon CloudFront edge ranges.
These rules are always active and cannot be disabled or removed. They prevent the triage queue from filling up with npm registry traffic, which is fronted by CDNs and would otherwise produce a deviation on nearly every package's first run. Note what this does and does not cover: these are CIDR rules, so they suppress net_new_destination for any IP inside those ranges, including hosts that are not the registry. An HTTPS connection to such a host still surfaces as net_new_https_host under its SNI unless that hostname is separately allowlisted, and destinations outside the ranges are reported as usual.

Validation Summary

Kind   Validation
cidr   Parsed with Go's net.ParseCIDR. Invalid CIDRs are rejected with an error.
path   Must start with /. Relative paths are rejected.
sni    No structural validation; any string is accepted. Matching is case-insensitive at evaluation time.

Interaction with Baseline Promote

Allowlists are applied during promotion as well as at analysis time. When you run fangs baseline promote <run-id>, the CLI applies the same allowlist filter the differ uses, so suppressed values are never merged into baseline_fingerprints. This means:
  • Adding a new allowlist rule and then re-promoting an old run cleans out the suppressed values retroactively.
  • You do not need to worry about allowlisted CIDRs or paths polluting the baseline and then later being flagged as “missing” if you remove the rule.
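To make the rule semantics above concrete (the three kinds and the deviation category each one targets, global versus package scope, the validation table, and the single filter that both the differ and baseline promote apply), here is an added Go example that is not FANGS' own code. The Rule, Deviation, NewRule, Matches and Filter names are assumptions chosen for this illustration; the only real library calls are net.ParseCIDR, net.IPNet.Contains and path.Clean, and path.Clean stands in for the normalization the page mentions but does not spell out. The sample deviations in main are constructed, not real FANGS output.

```go
package main

import (
	"fmt"
	"net"
	"path"
	"strings"
)

const KindCIDR, KindPath, KindSNI = "cidr", "path", "sni" // the three allowlist kinds

// Rule is one allowlist entry; an empty Package means global scope.
type Rule struct {
	Kind, Value, Package string
	ipnet                *net.IPNet // parsed once for cidr rules
}

// NewRule applies the validation from the summary table: cidr via net.ParseCIDR,
// path must be absolute, sni accepts any string (so a typo matches nothing).
func NewRule(kind, value, pkg string) (Rule, error) {
	r := Rule{Kind: kind, Value: value, Package: pkg}
	switch kind {
	case KindCIDR:
		_, ipnet, err := net.ParseCIDR(value)
		if err != nil {
			return Rule{}, fmt.Errorf("invalid CIDR %q: %w", value, err)
		}
		r.ipnet = ipnet
	case KindPath:
		if !strings.HasPrefix(value, "/") {
			return Rule{}, fmt.Errorf("path %q must be absolute", value)
		}
	case KindSNI:
	default:
		return Rule{}, fmt.Errorf("unknown allowlist kind %q", kind)
	}
	return r, nil
}

// Deviation is one finding the differ would otherwise surface for a package run;
// Type is one of net_new_destination, fs_new_path_read, fs_new_path_write, net_new_https_host.
type Deviation struct{ Package, Type, Value string }

// Matches reports whether r suppresses d: scope first, then the deviation
// category the kind targets, then the kind-specific value comparison.
func (r Rule) Matches(d Deviation) bool {
	if r.Package != "" && r.Package != d.Package {
		return false
	}
	switch r.Kind {
	case KindCIDR: // Contains returns false for an unparseable (nil) IP
		return d.Type == "net_new_destination" && r.ipnet.Contains(net.ParseIP(d.Value))
	case KindPath: // path.Clean stands in for FANGS' normalization, which the page does not spell out (assumption)
		return (d.Type == "fs_new_path_read" || d.Type == "fs_new_path_write") &&
			strings.HasPrefix(path.Clean(d.Value), r.Value)
	case KindSNI: // exact hostname, case-insensitive, no wildcards
		return d.Type == "net_new_https_host" && strings.EqualFold(d.Value, r.Value)
	}
	return false
}

// Suppressed reports whether any rule matches d.
func Suppressed(rules []Rule, d Deviation) bool {
	for _, r := range rules {
		if r.Matches(d) {
			return true
		}
	}
	return false
}

// Filter returns the deviations no rule suppresses. The differ runs this at
// analysis time and baseline promote runs the same filter before merging, which
// is why allowlisted values never reach baseline_fingerprints.
func Filter(rules []Rule, devs []Deviation) (kept []Deviation) {
	for _, d := range devs {
		if !Suppressed(rules, d) {
			kept = append(kept, d)
		}
	}
	return kept
}

func main() {
	var rules []Rule
	for _, s := range [][3]string{{KindCIDR, "10.0.0.0/8", ""}, {KindPath, "/usr/share/zoneinfo/", ""}, {KindSNI, "telemetry.example.com", "axios"}} {
		r, err := NewRule(s[0], s[1], s[2])
		if err != nil {
			panic(err) // a bad CIDR or relative path is rejected here, as by fangs allow add
		}
		rules = append(rules, r)
	}
	devs := []Deviation{ // constructed sample deviations, not real FANGS output
		{"left-pad", "net_new_destination", "10.20.30.40"},
		{"left-pad", "net_new_destination", "203.0.113.7"},
		{"left-pad", "fs_new_path_read", "/usr/share/zoneinfo/../zoneinfo/UTC"},
		{"axios", "net_new_https_host", "TELEMETRY.example.com"},
		{"lodash", "net_new_https_host", "telemetry.example.com"},
	}
	for _, d := range Filter(rules, devs) {
		fmt.Printf("%-9s %-22s %s\n", d.Package, d.Type, d.Value)
	}
}
```

Running it leaves two deviations: the 203.0.113.7 destination, which is outside 10.0.0.0/8, and lodash's connection to telemetry.example.com, because the sni rule is scoped to axios. The ../ in the zoneinfo read is collapsed before the prefix comparison, and the upper-case SNI still matches. Because the same Filter feeds promotion, a value that one of these rules suppresses is never merged into the baseline in the first place, so removing the rule later cannot cause it to be reported as missing.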
