diff --git a/shared.go b/shared.go
index ab53337e..ed53159c 100644
--- a/shared.go
+++ b/shared.go
@@ -29146,6 +29146,11 @@ func loadGithubWorkflows(url, username, password, userId, branch, orgId string)
 	log.Printf("Starting load of %s with branch %s", url, branch)
+	if err := checkAllowedUrl(url); err != nil {
+		log.Printf("[ERROR] Blocked workflow git clone URL: %s", err)
+		return err
+	}
+
 	cloneOptions := &git.CloneOptions{
 		URL: url,
 	}
@@ -29293,6 +29298,11 @@ func listGithubWorkflowsInfo(url, username, password, branch, orgId string) ([]R
 		}
 	}
+	if err := checkAllowedUrl(url); err != nil {
+		log.Printf("[ERROR] Blocked workflow git clone URL: %s", err)
+		return nil, err
+	}
+
 	cloneOptions := &git.CloneOptions{URL: url}
 	if len(username) > 0 && len(password) > 0 {
 		cloneOptions.Auth = &http2.BasicAuth{Username: username, Password: password}
@@ -29495,6 +29505,11 @@ func importSingleRemoteWorkflow(url, username, password, branch, originalWorkflo
 		}
 	}
+	if err := checkAllowedUrl(url); err != nil {
+		log.Printf("[ERROR] Blocked workflow git clone URL: %s", err)
+		return err
+	}
+
 	cloneOptions := &git.CloneOptions{URL: url}
 	if len(username) > 0 && len(password) > 0 {
 		cloneOptions.Auth = &http2.BasicAuth{Username: username, Password: password}
@@ -37464,3 +37479,22 @@ func ListProcesses() ([]ProcessInfo, error) {
 		return nil, fmt.Errorf("unsupported platform: %s", runtime.GOOS)
 	}
 }
+
+func checkAllowedUrl(rawUrl string) error {
+	parsedUrl, err := url.Parse(rawUrl)
+	if err != nil {
+		return fmt.Errorf("invalid git url: %s", err)
+	}
+
+	host := strings.ToLower(parsedUrl.Hostname())
+
+	if parsedUrl.Scheme != "https" {
+		return fmt.Errorf("unsupported git url scheme")
+	}
+
+	if host != "github.com" && host != "gitlab.com" && host != "bitbucket.org" && host != "dev.azure.com" {
+		return fmt.Errorf("unsupported git host")
+	}
+
+	return nil
+}
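Review bot: The guard added in loadGithubWorkflows is repeated verbatim in the listGithubWorkflowsInfo and importSingleRemoteWorkflow hunks, each carrying its own copy of the `[ERROR] Blocked workflow git clone URL: %s` log line. Logging once inside checkAllowedUrl (or in a thin wrapper around it) would reduce every clone site to `if err := checkAllowedUrl(url); err != nil { return err }` and keeps the message consistent if the policy text changes. In this first hunk the check also runs after `log.Printf("Starting load of %s with branch %s", url, branch)`, so a URL that is about to be refused is still written to the log in full; moving the guard above that line avoids recording rejected input. The body of loadGithubWorkflows continues outside the hunk.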
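Review bot: `return fmt.Errorf("invalid git url: %s", err)` folds the `*url.Error` text into the message, and that text embeds the entire input string, so the callers' `[ERROR] Blocked workflow git clone URL: %s` log will reproduce any `user:password@` userinfo present in a malformed URL; returning a fixed `errors.New("invalid git url")` (or wrapping with `%w` and having callers log a redacted form) keeps secrets out of the log. The two constant-message `fmt.Errorf` calls are `errors.New` cases, and the four-way `host != ...` chain would be easier to audit as a package-level allow-list, e.g. `var allowedGitHosts = map[string]struct{}{"github.com": {}, "gitlab.com": {}, "bitbucket.org": {}, "dev.azure.com": {}}` checked with one lookup. `Hostname()` drops the port, so `https://github.com:8443/...` passes the host test; presumably intended, but a doc comment on checkAllowedUrl stating the accepted shape (https scheme, exact host match, any port, userinfo permitted) would make the policy explicit for the next reader.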