diff --git a/pkg/workflow/data/ecosystem_domains.json b/pkg/workflow/data/ecosystem_domains.json
index afd120d02d..b0bdefa0eb 100644
--- a/pkg/workflow/data/ecosystem_domains.json
+++ b/pkg/workflow/data/ecosystem_domains.json
@@ -54,7 +54,8 @@
 "www.microsoft.com",
 "oneocsp.microsoft.com"
 ],
- "dart": ["pub.dev", "pub.dartlang.org"],
+ "clojure": ["repo.clojars.org", "clojars.org"],
+ "dart": ["pub.dev", "pub.dartlang.org", "storage.googleapis.com"],
 "fonts": ["fonts.googleapis.com", "fonts.gstatic.com"],
 "github": [
 "*.githubusercontent.com",
@@ -66,9 +67,11 @@
 "codeload.github.com",
 "github.githubassets.com"
 ],
+ "elixir": ["hex.pm", "repo.hex.pm", "builds.hex.pm", "cdn.hex.pm", "fastly.hex.pm"],
 "go": ["go.dev", "golang.org", "proxy.golang.org", "sum.golang.org", "pkg.go.dev", "goproxy.io", "storage.googleapis.com"],
 "terraform": ["releases.hashicorp.com", "apt.releases.hashicorp.com", "yum.releases.hashicorp.com", "registry.terraform.io"],
 "haskell": ["haskell.org", "*.hackage.haskell.org", "get-ghcup.haskell.org", "downloads.haskell.org"],
+ "kotlin": ["ge.jetbrains.com", "packages.jetbrains.team", "kotlin.bintray.com"],
 "java": [
 "www.java.com",
 "jdk.java.net",
@@ -96,7 +99,8 @@
 "central.sonatype.com",
 "maven.google.com",
 "dl.google.com",
- "repo.gradle.org"
+ "repo.gradle.org",
+ "downloads.gradle-dn.com"
 ],
 "linux-distros": [
 "deb.debian.org",
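Review bot: The `dart` entry in the first hunk now includes `storage.googleapis.com`, the shared Google Cloud Storage front door, so enabling the dart ecosystem reaches every public GCS bucket rather than only the Flutter/Dart SDK buckets. The same host already sits under `go`, so this widens an existing exposure to a second ecosystem rather than creating a new one, but a bare hostname allowlist cannot narrow it further. It is worth recording the trade-off where maintainers will see it, e.g. in the `GetAllowedDomains` doc comment: `// - "dart": Dart/Flutter ecosystem (includes storage.googleapis.com, a shared GCS host)`, so that later additions of wildcard-equivalent hosts are recognised as deliberate. If the firewall ever supports path or bucket scoping, this host is the first candidate for it.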
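Review bot: `kotlin.bintray.com` in the new `kotlin` entry of the second hunk points at Bintray, which JFrog sunset in 2021, so unless a redirect still serves content this is a dead allowlist entry that should be verified and dropped rather than carried forward; the same applies to `dl.bintray.com` added under `scala` in this file's next hunk. Stale hosts in an allowlist are not harmful by themselves, but they make the list harder to audit and hide the question of where those artifacts are actually fetched from today. `ge.jetbrains.com` looks like a Gradle Enterprise/Develocity build-scan endpoint rather than an artifact source; if that is right, it is outbound build telemetry and may not belong in a package-fetch allowlist, so confirm what a Kotlin build actually needs from it before keeping it.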
@@ -166,7 +170,9 @@
 ],
 "ruby": ["rubygems.org", "api.rubygems.org", "rubygems.pkg.github.com", "bundler.rubygems.org", "gems.rubyforge.org", "gems.rubyonrails.org", "index.rubygems.org", "cache.ruby-lang.org", "*.rvm.io"],
 "rust": ["crates.io", "index.crates.io", "static.crates.io", "sh.rustup.rs", "static.rust-lang.org"],
+ "scala": ["repo.scala-sbt.org", "scala-ci.typesafe.com", "repo.typesafe.com", "jitpack.io", "dl.bintray.com"],
 "swift": ["download.swift.org", "swift.org", "cocoapods.org", "cdn.cocoapods.org"],
+ "zig": ["ziglang.org", "pkg.machengine.org"],
 "github-actions": [
 "productionresultssa0.blob.core.windows.net",
 "productionresultssa1.blob.core.windows.net",
diff --git a/pkg/workflow/domains.go b/pkg/workflow/domains.go
index a3f12854f8..2e654f52df 100644
--- a/pkg/workflow/domains.go
+++ b/pkg/workflow/domains.go
@@ -154,6 +154,14 @@ var runtimeToEcosystem = map[string]string{
 "bun": "node", // bun.sh is in the node ecosystem
 "deno": "node", // deno.land is in the node ecosystem
 "uv": "python", // uv is a Python package manager
+ "clojure": "clojure",
+ "dart": "dart",
+ "elixir": "elixir",
+ "kotlin": "kotlin",
+ "php": "php",
+ "scala": "scala",
+ "swift": "swift",
+ "zig": "zig",
 }
 
 // getDomainsFromRuntimes extracts ecosystem domains based on the specified runtimes
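Review bot: `pkg.machengine.org` in the new `zig` entry appears to be operated by the Mach engine project rather than by the Zig Software Foundation, so everyone who enables the zig ecosystem extends trust to a third-party host, and the entry deserves a short justification next to the other ecosystem notes in `domains.go`. Zig's package manager pins dependencies by content hash in `build.zig.zon`, which limits the integrity impact of a compromised mirror, but an allowlist reviewer cannot tell from this file whether the host is a required mirror or a convenience. `jitpack.io` under `scala` is likewise not Scala-specific — it builds artifacts on demand from public Git repositories for any JVM consumer — so if Java or Kotlin users also need it, consider placing it where those ecosystems will pick it up.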
@@ -226,14 +234,17 @@ func getDomainsFromRuntimes(runtimes map[string]any) []string {
 //
 // # Supported ecosystem identifiers:
 // - "defaults": basic infrastructure (certs, JSON schema, Ubuntu, package mirrors)
+// - "clojure": Clojure/Clojars
 // - "containers": container registries (Docker, GHCR, etc.)
-// - "dotnet": .NET and NuGet ecosystem
 // - "dart": Dart/Flutter ecosystem
+// - "dotnet": .NET and NuGet ecosystem
+// - "elixir": Elixir/Hex
 // - "github": GitHub domains (*.githubusercontent.com, github.githubassets.com, etc.)
+// - "github-actions": GitHub Actions blob storage domains
 // - "go": Go ecosystem
-// - "terraform": HashiCorp/Terraform
 // - "haskell": Haskell ecosystem
 // - "java": Java/Maven/Gradle
+// - "kotlin": Kotlin/JetBrains
 // - "linux-distros": Linux distribution package repositories
 // - "node": Node.js/NPM/Yarn
 // - "perl": Perl/CPAN
@@ -242,8 +253,10 @@ func getDomainsFromRuntimes(runtimes map[string]any) []string {
 // - "python": Python/PyPI/Conda
 // - "ruby": Ruby/RubyGems
 // - "rust": Rust/Cargo/Crates
+// - "scala": Scala/SBT
 // - "swift": Swift/CocoaPods
-// - "github-actions": GitHub Actions blob storage domains
+// - "terraform": HashiCorp/Terraform
+// - "zig": Zig
 func GetAllowedDomains(network *NetworkPermissions) []string {
 if network == nil {
 domainsLog.Print("No network permissions specified, using defaults")
@@ -295,16 +308,19 @@ func GetAllowedDomains(network *NetworkPermissions) []string {
 var ecosystemPriority = []string{
 "node-cdns", // before "node" — more specific CDN sub-ecosystem
 "rust", // before "python" — crates.io/index.crates.io/static.crates.io are native Rust domains
+ "clojure",
 "containers",
 "dart",
 "defaults",
 "dotnet",
+ "elixir",
 "fonts",
 "github",
 "github-actions",
 "go",
 "haskell",
 "java",
+ "kotlin",
 "linux-distros",
 "node",
 "perl",
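Review bot: In the `ecosystemPriority` hunk, `dart` sits ahead of `go`, and the JSON change adds `storage.googleapis.com` to `dart` while `go` already lists it, so `GetDomainEcosystem("storage.googleapis.com")` presumably now resolves to `dart` instead of `go`; the two annotated entries at the top of the list show that ordering is how such collisions are decided, which makes this a silent attribution change the commit does not mention. Either keep the order and add the same kind of justification the existing entries carry, `"dart", // shares storage.googleapis.com with "go"; listed first, so it owns that host`, or move `dart` after `go` so the owner stays unchanged, and in both cases add a test pinning the expected owner so the next alphabetical insertion cannot flip it again. The list starts in this hunk and continues into the next one.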
@@ -312,8 +328,10 @@ var ecosystemPriority = []string{
 "playwright",
 "python",
 "ruby",
+ "scala",
 "swift",
 "terraform",
+ "zig",
 }
 
 // GetDomainEcosystem returns the ecosystem identifier for a given domain, or empty string if not found.
diff --git a/pkg/workflow/domains_test.go b/pkg/workflow/domains_test.go
index 0e2426f513..dbfc660779 100644
--- a/pkg/workflow/domains_test.go
+++ b/pkg/workflow/domains_test.go
@@ -852,11 +852,11 @@ func TestGetDomainsFromRuntimes(t *testing.T) {
 expectEmpty: true,
 },
 {
- name: "elixir has no ecosystem mapping",
+ name: "elixir runtime adds elixir ecosystem domains",
 runtimes: map[string]any{
 "elixir": map[string]any{"version": "1.15"},
 },
- expectEmpty: true,
+ expectContains: []string{"hex.pm", "repo.hex.pm"},
 },
 }
 
diff --git a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-test-tools.golden b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-test-tools.golden
index 6162b9897f..10c6ac5f0b 100644
--- a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-test-tools.golden
+++ b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-test-tools.golden
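Review bot: The `domains_test.go` hunk only turns the existing `elixir` case into a positive check, while the `runtimeToEcosystem` hunk adds eight runtimes, so a typo in any other new value, or a value with no matching key in `ecosystem_domains.json`, would go unnoticed and silently produce an empty allowlist contribution. Mirror the elixir case for at least the runtimes whose ecosystems are new in this change (clojure, kotlin, scala, zig), and consider a separate test that walks every value of `runtimeToEcosystem` and asserts it appears in `ecosystemPriority`, since the two are maintained by hand in different places. The entries below use constructed sample version strings; `TestGetDomainsFromRuntimes` starts outside the hunk.
```go
// … unchanged: earlier table entries …
{
	name:           "clojure runtime adds clojure ecosystem domains",
	runtimes:       map[string]any{"clojure": map[string]any{"version": "1.11"}},
	expectContains: []string{"repo.clojars.org"},
},
{
	name:           "zig runtime adds zig ecosystem domains",
	runtimes:       map[string]any{"zig": map[string]any{"version": "0.13"}},
	expectContains: []string{"ziglang.org"},
},
// … unchanged: closing of the table and the range loop …
```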
@@ -472,7 +472,7 @@ jobs: timeout-minutes: 5 run: | set -o pipefail - sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.githubusercontent.com,*.jsr.io,*.pythonhosted.org,adoptium.net,anaconda.org,api.adoptium.net,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.foojay.io,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.nuget.org,api.snapcraft.io,archive.apache.org,archive.ubuntu.com,azure.archive.ubuntu.com,azuresearch-usnc.nuget.org,azuresearch-ussc.nuget.org,binstar.org,bootstrap.pypa.io,builds.dotnet.microsoft.com,bun.sh,cdn.azul.com,cdn.jsdelivr.net,central.sonatype.com,ci.dot.net,codeload.github.com,conda.anaconda.org,conda.binstar.org,crates.io,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,dc.services.visualstudio.com,deb.nodesource.com,deno.land,dist.nuget.org,dl.google.com,dlcdn.apache.org,dot.net,dotnet.microsoft.com,dotnetcli.blob.core.windows.net,download.eclipse.org,download.java.net,download.oracle.com,esm.sh,files.pythonhosted.org,get.pnpm.io,github-cloud.githubusercontent.com,github-cloud.s3.amazonaws.com,github.com,github.githubassets.com,go.dev,golang.org,googleapis.deno.dev,googlechromelabs.github.io,goproxy.io,gradle.org,host.docker.internal,index.crates.io,jcenter.bintray.com,jdk.java.net,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,lfs.github.com,maven.apache.org,maven.google.com,maven.oracle.com,maven.pkg.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,nuget.org,nuget.pkg.github.com,nugetregistryv2prod.blob.core.windows.net,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,oneocsp.microsoft.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.i
o,pkg.go.dev,pkgs.dev.azure.com,plugins-artifacts.gradle.org,plugins.gradle.org,ppa.launchpad.net,proxy.golang.org,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.anaconda.com,repo.continuum.io,repo.gradle.org,repo.grails.org,repo.maven.apache.org,repo.spring.io,repo.yarnpkg.com,repo1.maven.org,s.symcb.com,s.symcd.com,security.ubuntu.com,services.gradle.org,skimdb.npmjs.com,static.crates.io,storage.googleapis.com,sum.golang.org,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.java.com,www.microsoft.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.20.2 --skip-pull --enable-api-proxy \ + sudo -E awf --env-all --container-workdir "${GITHUB_WORKSPACE}" --allow-domains '*.githubusercontent.com,*.jsr.io,*.pythonhosted.org,adoptium.net,anaconda.org,api.adoptium.net,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.foojay.io,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,api.npms.io,api.nuget.org,api.snapcraft.io,archive.apache.org,archive.ubuntu.com,azure.archive.ubuntu.com,azuresearch-usnc.nuget.org,azuresearch-ussc.nuget.org,binstar.org,bootstrap.pypa.io,builds.dotnet.microsoft.com,bun.sh,cdn.azul.com,cdn.jsdelivr.net,central.sonatype.com,ci.dot.net,codeload.github.com,conda.anaconda.org,conda.binstar.org,crates.io,crl.geotrust.com,crl.globalsign.com,crl.identrust.com,crl.sectigo.com,crl.thawte.com,crl.usertrust.com,crl.verisign.com,crl3.digicert.com,crl4.digicert.com,crls.ssl.com,dc.services.visualstudio.com,deb.nodesource.com,deno.land,dist.nuget.org,dl.google.com,dlcdn.apache.org,dot.net,dotnet.microsoft.com,dotnetcli.blob.core.windows.net,download.eclipse.org,download.java.net,download.oracle.com,downloads.gradle-dn.com,esm.sh,files.pythonhosted.org,get.pnpm.io,github-cloud.githubusercontent.com,github-clou
d.s3.amazonaws.com,github.com,github.githubassets.com,go.dev,golang.org,googleapis.deno.dev,googlechromelabs.github.io,goproxy.io,gradle.org,host.docker.internal,index.crates.io,jcenter.bintray.com,jdk.java.net,json-schema.org,json.schemastore.org,jsr.io,keyserver.ubuntu.com,lfs.github.com,maven.apache.org,maven.google.com,maven.oracle.com,maven.pkg.github.com,nodejs.org,npm.pkg.github.com,npmjs.com,npmjs.org,nuget.org,nuget.pkg.github.com,nugetregistryv2prod.blob.core.windows.net,objects.githubusercontent.com,ocsp.digicert.com,ocsp.geotrust.com,ocsp.globalsign.com,ocsp.identrust.com,ocsp.sectigo.com,ocsp.ssl.com,ocsp.thawte.com,ocsp.usertrust.com,ocsp.verisign.com,oneocsp.microsoft.com,packagecloud.io,packages.cloud.google.com,packages.microsoft.com,pip.pypa.io,pkg.go.dev,pkgs.dev.azure.com,plugins-artifacts.gradle.org,plugins.gradle.org,ppa.launchpad.net,proxy.golang.org,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.bower.io,registry.npmjs.com,registry.npmjs.org,registry.yarnpkg.com,repo.anaconda.com,repo.continuum.io,repo.gradle.org,repo.grails.org,repo.maven.apache.org,repo.spring.io,repo.yarnpkg.com,repo1.maven.org,s.symcb.com,s.symcd.com,security.ubuntu.com,services.gradle.org,skimdb.npmjs.com,static.crates.io,storage.googleapis.com,sum.golang.org,telemetry.enterprise.githubcopilot.com,ts-crl.ws.symantec.com,ts-ocsp.ws.symantec.com,www.java.com,www.microsoft.com,www.npmjs.com,www.npmjs.org,yarnpkg.com' --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --enable-host-access --image-tag 0.20.2 --skip-pull --enable-api-proxy \ -- /bin/bash -c '/usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --add-dir "${GITHUB_WORKSPACE}" --disable-builtin-mcps --allow-all-tools --allow-all-paths --share /tmp/gh-aw/sandbox/agent/logs/conversation.md --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"${GH_AW_MODEL_DETECTION_COPILOT:+ --model "$GH_AW_MODEL_DETECTION_COPILOT"}' 2>&1 | tee -a 
/tmp/gh-aw/agent-stdio.log env: COPILOT_AGENT_RUNNER_TYPE: STANDALONE