Erik is the founder of Cloud Posse and creator of Atmos. With over a decade of experience helping teams adopt Terraform at scale, he is passionate about open-source infrastructure tooling and developer experience.
The Atmos Pro GitHub App now calls GitHub from a stable, published set of dedicated egress IPs. We've pinned our GitHub App's own IP allow list to those same addresses, which makes them the canonical, inheritable list for organizations that enable GitHub's IP allow-listing on their side.
On GitHub Enterprise Cloud, you can enable an organization-level IP allow list and turn on inheritance from installed GitHub Apps. When you do, your org's allow list automatically picks up Atmos Pro's egress IPs the moment you install us — no copy-paste, no drift as our IPs evolve.
This is the path we recommend. Enable it once and your allow list stays in sync with the App.
If you can't use automatic inheritance — because you're not on GitHub Enterprise Cloud, or you're allow-listing outside of GitHub (for example at a network perimeter) — you can find Atmos Pro's current egress IPs in Workspace Settings → Security and configure them manually wherever you need them.
For customers who enable a default-deny IP allow list on their GitHub organization — either on GitHub Enterprise Cloud with App inheritance, or by adding our IPs manually wherever they allow-list — the result is a meaningful defense-in-depth control: even if an App credential leaked or a runtime were compromised, GitHub would reject requests to your org from any IP outside our published range.
The control is only effective once the org-side allow list is in place. The App-side pinning on its own publishes the canonical IP list and makes inheritance possible; it does not, by itself, block leaked credentials from being used against orgs that haven't enabled IP allow-listing.
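For the manual path, a drift check is worth running on a schedule. The following is an added example, not Atmos Pro's or GitHub's own code: it audits an organization's allow list against a published egress list, taking as input the GitHub GraphQL `Organization` fields `ipAllowListEnabledSetting` and `ipAllowListEntries`. The addresses are constructed documentation-range placeholders, and the `atmos-pro` entry-name prefix is a hypothetical naming convention for entries you add for the App.

```python
import ipaddress

def _net(value):
    # Allow-list values may be single addresses or CIDR ranges.
    return ipaddress.ip_network(value, strict=False)

def _covered(net, pool):
    # True when some network of the same IP version in pool contains net.
    return any(net.version == p.version and net.subnet_of(p) for p in pool)

def audit_allow_list(org, published_ips, label_prefix="atmos-pro"):
    """Return findings for a manually maintained org IP allow list."""
    entries = [e for e in org["ipAllowListEntries"]["nodes"] if e["isActive"]]
    published = [_net(p) for p in published_ips]
    active = [_net(e["allowListValue"]) for e in entries]
    return {
        # Without org-side enforcement the published list blocks nothing.
        "enforced": org["ipAllowListEnabledSetting"] == "ENABLED",
        # Published egress IPs with no active covering entry: App calls get rejected.
        "missing": [str(p) for p in published if not _covered(p, active)],
        # Entries labelled for the App that are no longer published: stale trust.
        "stale": [e["allowListValue"] for e in entries
                  if (e.get("name") or "").startswith(label_prefix)
                  and not _covered(_net(e["allowListValue"]), published)],
        # Any-address entries defeat default-deny.
        "wide_open": [e["allowListValue"] for e in entries
                      if _net(e["allowListValue"]).prefixlen == 0],
    }

# Constructed sample data (documentation address ranges, hypothetical names).
SAMPLE_ORG = {
    "ipAllowListEnabledSetting": "ENABLED",
    "ipAllowListEntries": {"nodes": [
        {"name": "atmos-pro-1", "allowListValue": "192.0.2.10", "isActive": True},
        {"name": "atmos-pro-2", "allowListValue": "198.51.100.7", "isActive": True},
        {"name": "atmos-pro-3", "allowListValue": "203.0.113.5", "isActive": False},
        {"name": "office", "allowListValue": "203.0.113.128/25", "isActive": True},
    ]},
}
PUBLISHED = ["192.0.2.10", "203.0.113.5", "2001:db8::10"]

if __name__ == "__main__":
    for key, value in audit_allow_list(SAMPLE_ORG, PUBLISHED).items():
        print(f"{key}: {value}")
```

Feed it the current list from Workspace Settings → Security and alert on any non-empty `missing`, `stale` or `wide_open` result, or on `enforced` being false.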
For more on the controls we run across the platform, see our security overview.