Docker Sandboxes (sbx): Running AI Coding Agents in Fully Isolated MicroVMs
Docker Sandboxes (sbx) is Docker’s dedicated security tool for running autonomous AI coding agents — Claude Code, Gemini CLI, GitHub Copilot, and others — inside fully isolated MicroVM environments. This post covers the core security architecture, essential CLI commands, and customization options, so you can evaluate whether sbx belongs in your AI-assisted development workflow.
What Is Docker Sandboxes?
Docker Sandboxes (sbx) is a dedicated security tool built by Docker to run autonomous AI coding agents inside fully isolated environments. Instead of standard containers that share the host machine’s kernel, sbx spins up an entirely independent lightweight MicroVM for each agent session. This guarantees that even if an AI agent runs a destructive command like rm -rf /, your host operating system and sensitive local data remain completely safe.
You can download binaries directly from the official Docker sbx-releases GitHub Repository.
Core Security Architecture
Hardware Virtualization
Each sandbox operates inside its own MicroVM with a dedicated Linux kernel and private Docker daemon. The agent can execute complex workflows — including docker build — without ever accessing your host’s Docker socket.
Masked Credential Injection
Your actual LLM API keys (e.g., Anthropic or OpenAI keys) are stored securely in your host machine’s OS keychain via the built-in Docker Sandboxes Secrets Manager. A host-side proxy intercepts traffic and injects authorization headers on the fly, meaning the AI agent can never read, log, or exfiltrate your raw API keys.
Strict Network Policies
Network access is deny-by-default. When you first authenticate, you choose a configuration — Open, Balanced, or Locked Down — and outbound traffic is restricted via a host-side firewall, preventing unauthorized egress from inside the sandbox.
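The host-side proxy pattern described under Masked Credential Injection and Strict Network Policies, as a conceptual sketch added here (not Docker's code and not how sbx is implemented internally). The allowlist contents, the `Request` type, the function names, and the key values are constructed for illustration.

```python
# Conceptual sketch only: NOT Docker's implementation of sbx.
from dataclasses import dataclass, field

# Constructed host-side state. In the pattern described above this lives
# outside the sandbox (e.g. the OS keychain), never inside the agent's VM.
HOST_SECRETS = {
    "api.anthropic.com": ("x-api-key", "sk-ant-CONSTRUCTED-PLACEHOLDER"),
    "api.openai.com": ("authorization", "Bearer sk-CONSTRUCTED-PLACEHOLDER"),
}
ALLOWED_HOSTS = {"api.anthropic.com"}  # deny-by-default: all else is blocked
CREDENTIAL_HEADERS = {"authorization", "x-api-key", "proxy-authorization"}


class EgressDenied(Exception):
    """Raised when the sandbox asks for a host that is not on the allowlist."""


@dataclass
class Request:
    host: str
    path: str
    headers: dict = field(default_factory=dict)


def proxy_outbound(req: Request) -> Request:
    """Return the request the host-side proxy would send upstream."""
    host = req.host.strip().lower().rstrip(".")
    # 1. Policy check first: exact-match allowlist, no suffix matching,
    #    so "api.anthropic.com.example.net" does not pass.
    if host not in ALLOWED_HOSTS:
        raise EgressDenied(host)
    # 2. Drop any credential header the agent supplied itself, so it cannot
    #    choose which identity the upstream call runs under.
    headers = {k.lower(): v for k, v in req.headers.items()
               if k.lower() not in CREDENTIAL_HEADERS}
    # 3. Inject the real credential only now, on the host side of the boundary.
    if host in HOST_SECRETS:
        name, value = HOST_SECRETS[host]
        headers[name] = value
    return Request(host, req.path, headers)


def agent_view(req: Request) -> str:
    """Everything the sandboxed agent can observe about its own request."""
    return repr(req)
```

The ordering matters: the allowlist check runs before any secret is touched, so a denied destination never causes a credential lookup.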
Branch Mode Isolation
Instead of letting an agent modify your active workspace files directly, sbx can automatically isolate code edits into hidden, dedicated Git branches. This shifts the AI into a strict “contributor” role, allowing you to review all changes before they reach your main repository.
Essential CLI Commands
The sbx command-line utility lets you provision, execute, and govern your isolated workspaces:
| Command | Description |
|---|---|
| `sbx login` | Authenticates your environment via Docker Auth and sets your default network security posture |
| `sbx secret set <provider>` | Stores API credentials securely in your local system keychain |
| `sbx run <agent-name> .` | Provisions a MicroVM, mounts the current working directory, and launches an interactive AI agent session |
| `sbx policy allow network <domain>` | Expressly whitelists a trusted domain or API endpoint through the firewall gateway |
| `sbx ls` | Displays a live list of all running sandboxes, along with their stable system IDs |
| `sbx stop <sandbox-id>` | Halts a running sandbox session while retaining its package states and directory changes |
| `sbx rm <sandbox-id>` | Permanently deletes the MicroVM workspace and tears down its associated work trees |
| `sbx diagnose` | Runs an automated diagnostics suite to check for version conflicts, daemon issues, or broken authentication paths |
Customizing Sandboxes
For complex pipelines, you can tailor environments beyond the factory defaults using two declarative formats detailed in the Docker Sandboxes Customization Docs.
Templates
Write a standard Dockerfile to bake specialized binaries, system dependencies, or command-line utilities into a custom base image, then register it with:
sbx template save .
Kits
Kits are declarative spec.yaml files used to package an agent’s workflow. They define the exact runtime tools, environment configurations, and security parameter boundaries an agent receives the moment it boots — giving you reproducible, auditable agent environments.