Introduction

I have been looking into securing environments for AI Agents, many agents have YOLO type mode or auto-approval mode. Which runs the agent without permission guardrails, agents don’t have to ask permissions to run commands or change files. Something I am not fully comfortable with when it comes to my main machines and hearing some of the horror stories on the internet like ‘Claude deleted my production Database’. I didn’t want to let it loose with some protections from accidental deletions or damage.

I recently listened to the Hanselminutes episode with Docker President Mark Cavage that explored this exact topic. The conversation reinforced the benefits of sandboxing in the age of autonomous agents.

What Is Docker Sandbox?

Docker Sandbox is an experimental feature (available since Docker Desktop 4.58+) that creates highly isolated environments for running AI agents or any automated tools that execute potentially untrusted code. Unlike traditional Docker containers that provide isolation through kernel namespaces, Docker Sandbox uses microVMs (lightweight virtual machines) to create a much stronger security boundary.

The key difference is fundamental. Classic containers share the host kernel and rely on namespace isolation, which is strong but not impenetrable. Sandboxes run in separate virtual machines with their own guest kernel, typically using technologies like KVM or Firecracker. This means an agent running inside a sandbox cannot escape to affect your host system, even if it discovers a container escape vulnerability. Something Scott tried during the podcast episode.

Each sandbox includes its own private Docker daemon, so agents can build images, run containers, and execute code without touching your host Docker environment. Only the workspace directory you specify is mounted inside the sandbox—the rest of your file system remains completely inaccessible.

Why Sandboxing Matters for AI Agents

AI agents with direct system access can delete files, access credentials, modify configurations, or expose sensitive data. As agents gain the ability to run shell commands and install dependencies, the attack surface expands significantly. The temptation is to trust the agent because it’s “just helping,” but agents can make mistakes or be prompted in unexpected ways.

Docker Sandbox addresses these risks through isolation. Only your project workspace is visible—system files and other projects remain hidden. The sandbox appears to the agent as a complete development environment, but from the host’s perspective, it’s a contained workspace that cannot reach beyond its boundaries.

Running a Docker Sandbox

When you create a sandbox, you specify a workspace directory—typically your project folder. This directory is mounted into the sandbox VM and becomes the agent’s working area. The agent can work within this workspace, but cannot traverse up to access parent directories. Your home directory and system files are completely inaccessible.

Sandboxes are persistent per workspace. Tools or packages installed inside a sandbox remain available for future runs, allowing agents to build up a consistent environment over time. You interact with sandboxes using docker sandbox run, docker sandbox ls, and docker sandbox rm commands.

Practical Use Cases

Docker Sandbox is particularly valuable in several scenarios:

Running AI Coding Agents: When using agents like GitHub Copilot, Claude Code, or custom MCP-based agents that execute code, sandboxes provide a safety net. The agent can run tests, build projects, and validate changes without risking damage to my development environment.

Testing Unfamiliar Code: When evaluating open source projects or reviewing external pull requests, running code in a sandbox eliminates worry about malicious payloads or unintended side effects.

Development Experimentation: Trying out new tools or testing configurations becomes risk-free in a sandbox. If something breaks, simply delete the sandbox and start fresh.

Security Testing: For vulnerability research or penetration testing, sandboxes provide a controlled environment where you can safely run exploits without risking your actual machine.

Limitations

Platform Maturity: The features in Docker Sandbox is experimental, I expect over time the eco-system will mature and a more standard way to work with sandboxed agents will be created. But for now the features my shift and change under your feet as new features and fixes come in.

Not Absolute Security: While microVMs provide strong isolation, no security technology is perfect. On the podcast episode, they tried to get the AI to escape the sandbox environment, but it was not successful. This is encouraging for now, but it doesn’t mean there won’t be escape paths discovered in the future. Sandboxes are a mitigation layer, not a guarantee against all attacks.

Performance Overhead: Running in a VM introduces some overhead compared to native execution. I did notice a slow down in Claude and GitHub Copilot’s agent response, it still got the work done, all be it slower than on my native system.

Getting Started with Docker Sandbox

If you want to experiment with Docker Sandbox, here’s a basic workflow:

# Create and enter a Claude Code sandbox for your project
docker sandbox run claude /path/to/your/project

# The workspace parameter is optional and defaults to your current directory if not supplied
cd ~/my-project
docker sandbox run copilot

The sandbox provides a full shell environment with its own Docker daemon, networking, and isolated filesystem. Any changes you make inside the sandbox persist for that workspace but remain isolated from your host system.

My Perspective on Sandboxing and AI Agents

I have been working with AI agents in my development workflow for several months now, and Docker Sandbox addresses a real concern I have had about giving agents more autonomy. The ability to delegate tasks to an agent that can execute code, install packages, and modify files is incredibly powerful, but it requires trust in the agent’s judgment and safety mechanisms.

Sandboxes shift the trust equation. I no longer need to trust that the agent will always make correct decisions or that its guardrails will catch every edge case. Instead, I trust the sandbox isolation layer, which is a more verifiable and controllable security boundary.

The conversation with Mark Cavage on Hanselminutes highlighted how Docker sees sandboxing as foundational infrastructure for the “agent era.” As agents move from suggesting code to actively executing in development environments, the question “where can it safely run?” becomes as important as “what can it generate?”

This resonates with my experience. Early AI tools focused on generation—autocomplete, code suggestions, documentation. Modern agents are increasingly about execution—running tests, deploying changes, refactoring code. That shift demands different security thinking, and sandboxing provides a practical answer.

Conclusion

Docker Sandbox represents a pragmatic response to the security challenges introduced by autonomous AI agents. Providing stronger isolation than traditional containers, sandboxes protect development environments from unintended consequences, accidental damage, or malicious code.

I have found Docker Sandbox addresses a genuine concern in my workflows, and I would recommend experimenting with it if you’re using AI agents for code execution. The security boundary it provides makes it safer to delegate tasks to agents, explore unfamiliar code, and test experimental tools without risking your development environment.

Further Reading

• Docker Sandbox Documentation
• Hanselminutes Episode: Run Your AI Agent in a Sandbox with Docker President Mark Cavage
• Docker Sandboxes Deep Dive
• Everything About Docker AI Sandboxes