I am forcing myself to stay out of the loop, and I am looking at ways to sandbox coding agents running without supervision. I do have my own container based setup but I am curious to see what everyone else is cooking. This is what I found so far:
docker sandbox https://docs.docker.com/ai/sandboxes/
- create a microvm with a private docker daemon inside
- agents run in containers inside the microvm
- the use case for this seems to be coding agents that need to orchestrate containers, removing the hassle to mount the host docker socket into a container
https://github.com/trailofbits/claude-code-devcontainer
- it’s an opinionated devcontainer to run coding agents
- no network isolation by default, delegates to the user setting up iptables
https://katacontainers.io/blog/Kata-Containers-Agent-Sandbox-Integration/ https://github.com/kubernetes-sigs/agent-sandbox
- coding agent sandbox for kubernetes
- supports both gVisor and Kata Containers
https://github.com/strongdm/leash
- depends on docker or equivalent - it enforces what the agent is allowed to do by monitoring system calls (eBPF) and applying policies defined in Cedar (I was not familiar with it)
- it bundles a mitm HTTP proxy for allow/deny hosts and does secrets injection on API calls so that the agent never gets to see secrets
https://github.com/instavm/coderunner
- not really a sandbox for coding agents, but a sandboxing service that coding agents can use to run code
The sandboxing dimensions are roughly filesystem/host isolation, network isolation and secrets management. What I see missing is a focus on user experience.
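The post describes two of the dimensions it lists, host allow/deny and secret injection at an egress proxy, as the pattern leash bundles. Below is an added, constructed illustration of that pattern, not code from leash or any other project named above: a policy evaluator that a forward proxy would call per request. The agent only ever sees a placeholder token; the real value lives in the proxy process and is bound to one host, so an allowed-but-unrelated host cannot receive it. The placeholder convention, the `Policy`/`Decision` types and the sample hosts and secret are all assumptions made for the example.

```python
"""Constructed example of egress policy + secret injection for an agent sandbox.

Not the implementation of leash or of any project in the post; names, the
placeholder convention and all sample values are assumptions for illustration.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Agent-visible placeholder prefix (assumed convention). The agent writes
# "@@SECRET:API_KEY" in a header; the proxy swaps in the real value.
PLACEHOLDER_PREFIX = "@@SECRET:"


@dataclass
class Policy:
    allow_hosts: set                       # exact hosts or "*.example.com" suffix patterns
    deny_hosts: set = field(default_factory=set)   # deny wins over allow
    # (host, secret name) -> real value. Binding to a host prevents a secret
    # meant for api.example.com from being injected toward any other allowed host.
    secrets: dict = field(default_factory=dict)


@dataclass
class Decision:
    allowed: bool
    reason: str
    headers: dict = field(default_factory=dict)    # rewritten headers when allowed


def _host_matches(host: str, pattern: str) -> bool:
    """Exact match, or suffix match for '*.domain' style patterns."""
    if pattern.startswith("*."):
        return host == pattern[2:] or host.endswith(pattern[1:])
    return host == pattern


def evaluate(method: str, url: str, headers: dict, policy: Policy) -> Decision:
    """Decide whether a proxied request may leave the sandbox, and rewrite headers."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return Decision(False, "no host in URL")
    if parts.scheme != "https":
        # Injected secrets must never travel in cleartext.
        return Decision(False, "only https is forwarded")
    if any(_host_matches(host, p) for p in policy.deny_hosts):
        return Decision(False, f"{host} is denied")
    if not any(_host_matches(host, p) for p in policy.allow_hosts):
        return Decision(False, f"{host} not in allow list")

    rewritten = {}
    for name, value in headers.items():
        if isinstance(value, str) and value.startswith(PLACEHOLDER_PREFIX):
            key = value[len(PLACEHOLDER_PREFIX):]
            secret = policy.secrets.get((host, key))
            if secret is None:
                # Placeholder aimed at a host it is not bound to: fail closed.
                return Decision(False, f"no secret {key!r} bound to {host}")
            rewritten[name] = secret
        else:
            rewritten[name] = value
    return Decision(True, f"{method} {host} forwarded", rewritten)


# Constructed demo policy: one API host with a bound key, a package index
# allowed by suffix, and one explicitly denied mirror.
DEMO_POLICY = Policy(
    allow_hosts={"api.example.com", "*.pypi.org"},
    deny_hosts={"evil.pypi.org"},
    secrets={("api.example.com", "API_KEY"): "Bearer sk-constructed-not-real"},
)


def main() -> None:
    # Constructed sample requests as an agent inside the sandbox might issue them.
    samples = [
        ("GET", "https://api.example.com/v1/models", {"Authorization": "@@SECRET:API_KEY"}),
        ("GET", "https://files.pypi.org/simple/", {"Authorization": "@@SECRET:API_KEY"}),
        ("GET", "https://evil.pypi.org/simple/", {}),
        ("GET", "http://api.example.com/v1/models", {}),
        ("POST", "https://pastebin.example.net/", {}),
    ]
    for method, url, hdrs in samples:
        d = evaluate(method, url, hdrs, DEMO_POLICY)
        print(f"{'ALLOW' if d.allowed else 'DENY ':5} {url}  ({d.reason})")


if __name__ == "__main__":
    main()
```

Running it prints one line per sample request; only the first is forwarded, and its `Authorization` header now carries the real value that the agent never saw. A real proxy would sit on the sandbox's only egress route and also log every denial, since a burst of denied hosts is the simplest signal that an unsupervised agent has started doing something it should not.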