Skip to content

Instantly share code, notes, and snippets.

@wincent
Last active July 17, 2026 13:06
Show Gist options
  • Select an option

  • Save wincent/2752d8d97727577050c043e4ff9e386e to your computer and use it in GitHub Desktop.

Select an option

Save wincent/2752d8d97727577050c043e4ff9e386e to your computer and use it in GitHub Desktop.
List of coding agent sandboxes 2026-05

Coding Agent Sandboxes — Comprehensive List

Compiled from awesome-lists (restyler/awesome-sandbox, webcoyote/awesome-AI-sandbox, bureado/awesome-agent-runtime-security) and a survey of vendor blogs / field guides published through 2026. Grouped by isolation primitive and then by deployment model.

1. OS-level primitives (no container, no VM)

These rely on kernel/userland features to constrain a normal host process. Lowest overhead, weakest boundary.

  • macOS Seatbelt / sandbox-exec — Apple's TrustedBSD-based MAC framework. Used directly by Codex CLI, Gemini CLI, and underneath Anthropic's srt.
  • Linux Landlock — Unprivileged filesystem/network LSM; default backend for Codex CLI on Linux.
  • Linux seccomp-bpf — Syscall filtering, layered into most other Linux sandboxes.
  • Linux namespaces + cgroups — Building blocks for almost every Linux sandbox.
  • Windows AppContainer / Restricted Tokens — Codex CLI's Windows backend.
  • bubblewrap — Unprivileged namespace sandbox; backs Flatpak and Anthropic's srt on Linux.
  • Firejail — Mature SUID namespace+seccomp sandbox for Linux desktops.
  • Minijail — Google/ChromeOS launcher built on namespaces + seccomp.
  • nsjail — Google's namespace+seccomp jail; used by Windmill for Python/Go.
  • Landlock Island — Landlock-powered CLI sandbox.
  • syd — Userspace syscall-intercepting Linux sandbox (ptrace-style).
  • cap-std — Capability-based stdlib for confining Rust programs.
  • jai — Copy-on-write overlay for home directory.

2. Application kernels (userspace syscall interception)

  • gVisor — Google's Go-based user-space kernel; powers Cloud Run, App Engine, Cloud Functions; optional runtime in Kata, Modal, etc.
  • bVisor — Bash-focused gVisor-style sandbox.

3. MicroVM runtimes (hardware-virtualized, container-fast)

  • Firecracker — AWS's KVM VMM; foundation of Lambda, Fargate, Fly.io, Vercel Sandbox, E2B, Sprites.
  • Cloud Hypervisor — Intel-led Rust VMM, alternative to Firecracker (used by Kata).
  • libkrun — Embeddable KVM library; powers microsandbox and Podman's VM mode.
  • Kata Containers — OCI-compatible runtime that puts each container in its own microVM.
  • Sysbox — Container runtime that runs systemd/Docker-in-Docker safely; used by Daytona for harder isolation.
  • QEMU — General-purpose; used by Lima/Tart/UTM workflows below.
  • Lima — Linux VMs on macOS; backbone of dev-sandbox wrappers.
  • Tart — Apple-Silicon native macOS/Linux VM tool; used by Chamber, yoloAI.
  • UTM — QEMU front-end for macOS/iOS.

4. Container runtimes commonly used as agent sandboxes

5. Language-runtime / WASM sandboxes

  • WebAssembly + WASI — Capability-based binary sandbox.
  • Wasmtime / Wasmer — Server-side WASM runtimes.
  • V8 Isolates — Per-script V8 heaps; powers Cloudflare Workers, Deno Deploy, Vercel Edge.
  • Deno — Permission-flagged JS/TS runtime; used by Windmill.
  • StackBlitz WebContainers — Browser-native Node.js on WASM.
  • just-bash (Vercel) — A simulated shell in TypeScript with no real OS at all, used for some agent flows.

6. Hosted / SaaS sandbox platforms for coding agents

Platform Underlying tech Notes
E2B Firecracker microVMs The reference "AI agent sandbox"; SDKs in Python/JS; self-hostable.
Daytona OCI containers (+ optional Kata/Sysbox) Sub-90 ms cold start claim; AGPL core; persistent stateful workspaces.
Modal Sandboxes gVisor on KVM GPU-friendly; auto-shutdown when agent finishes.
Fly.io Sprites Firecracker microVMs Persistent 100 GB NVMe, ~300 ms checkpoint/restore, scale-to-zero.
Fly Machines Firecracker The general-purpose layer Sprites is built on; used as a backend by several agent products.
Vercel Sandbox Firecracker microVMs GA; filesystem snapshots; integrates with AI SDK / OpenAI Agents SDK.
Northflank Sandboxes Kata Containers on K8s BYOC, full-stack agent infra.
Blaxel microVM Claims ~25 ms cold start; agent-grade focus.
Runloop Devboxes microVMs Enterprise-targeted; OpenAI Agents SDK provider.
Freestyle VMs Full Linux VMs (nested virt) Sub-600 ms boot; bundles Git hosting + deploys.
Morph Sandbox SDK microVMs Codegen-focused; pairs with Fast Apply.
CodeSandbox SDK / Together Code Sandbox microVMs (~500 ms snapshot start) Persistent IDE-style sandboxes; up to 64 vCPU.
Replit Containers/VMs Long-running collaborative dev.
Beam Containers w/ GPUs Agent code execution + ML.
Cloudflare Workers / Sandboxes V8 Isolates (+ container preview) Edge-scale, ephemeral.
Bunnyshell K8s Ephemeral coding-agent envs.
Gitpod Flex / Coder Containers/VMs CDEs adopted as agent sandboxes; zero-trust runner model.
Perplexity Sandbox API Hosted Tool-callable from Perplexity Agent API.
OpenSandbox, Quilt, ComputeSDK, Zeroboot Various Tracked in Ry Walker's 14-platform comparison.

7. Self-hosted sandbox runtimes & SDKs

  • microsandbox — libkrun microVMs, sub-200 ms boot, MCP server, persistent or msx ephemeral mode.
  • AIO Sandbox — Docker image bundling shell, browser, files, Jupyter, VS Code, MCP.
  • Cleanroom — Buildkite's microVM sandbox with deny-by-default egress and credential proxy.
  • K7 — Self-hosted lightweight VM sandbox infra with API/SDK.
  • BoxLite — Embeddable VM sandbox with snapshots.
  • boxed — Multi-backend (Docker / Firecracker / WASM) execution engine.
  • smolVM — Local microVM manager.
  • coderunner — Hosted-style runner for untrusted AI code.
  • Kilntainers — MCP-oriented runtime over Docker/Podman/microVM/Wasm.
  • forgemax — MCP gateway with sandboxed code execution.

8. Local sandboxes built specifically for coding-agent CLIs

Multi-backend / multi-platform

  • Anthropic Sandbox Runtime (srt) — Official Anthropic OS-level sandbox: Seatbelt on macOS, bubblewrap on Linux, plus a network-filtering proxy. No container.
  • container-use (Dagger) — Per-agent containerized worktrees via MCP; parallel agents with Git branch review.
  • Sculptor (Imbue) — Desktop UI for running agents in isolated containers.
  • Conductor (Melty Labs) — Mac app orchestrating parallel Claude Code + Codex agents in isolated git worktrees.
  • cco — Thin launcher that picks a local sandbox backend.
  • yoloAI — Multi-backend runner over Seatbelt/Tart/Docker.
  • [boxed / BoxLite / Kilntainers] — see §7.

macOS-focused

  • Agent Safehouse — Deny-first Seatbelt profile system.
  • sandbox-shell — Seatbelt shell wrapper.
  • SandVault — Separate macOS user account + sandbox-exec hardening.
  • vibebox, yolobox — Fast local Seatbelt sandboxes.
  • Chamber — Tart-based ephemeral macOS VM for Claude/Codex.
  • ClodPod — VM workflow that maps host projects into a guest.
  • lima-devbox — Lima dev sandbox for Mac.

Linux-focused

  • Fence — Native command sandbox without containers.
  • Matchlock — AI-agent Linux sandbox.
  • Microbox — Lightweight ephemeral Linux sandboxes.
  • Nono — Capability-oriented kernel-backed sandbox.
  • sandbox-run — Per-project bubblewrap wrapper.
  • shai — Sandboxing shell for AI coding agents.
  • sucoder — Unix-permissions-based containment.
  • treebeard — Ephemeral Git-worktree sandbox with CoW + network gating.
  • agentsafe / nervos — Per-task Firecracker microVMs.
  • bunkervm — Tiny Linux VM "safe machine" for agents.
  • Greywall — Local sandbox with live network controls.
  • vibebin — Persistent Incus/LXC platform.

Container-wrapper CLIs around specific agents

  • ClaudeBox — Docker Claude Code env with allowlists.
  • sandclaude — Opinionated Docker wrapper for Claude Code.
  • claude-code-devcontainer — Hardened devcontainer template.
  • codex-lockbox — Docker sandbox with firewall rules for Codex CLI.
  • codex-container-sandbox — Podman wrapper exposing only the repo + bind mounts.
  • packnplay — Docker-backed command sandbox with worktrees.
  • agentbox — Containerized agent sandbox with privilege drop and firewalling.
  • EdgeBox — Local GUI sandbox with desktop exposed to the agent.

9. Built-in sandboxes shipped with major agents

  • OpenAI Codex CLI — Default-on. Seatbelt on macOS, Landlock + seccomp on Linux, restricted tokens on Windows. Modes: read-only, workspace-write, danger-full-access.
  • Anthropic Claude Code — Sandboxed bash tool backed by @anthropic-ai/sandbox-runtime (Seatbelt / bubblewrap + network proxy). Cloud sessions ("Claude Code for web") run in full microVMs.
  • Google Gemini CLI — Seatbelt on macOS or Docker/Podman containers via .gemini/sandbox.Dockerfile.
  • GitHub Copilot Coding Agent / Workspace — Runs each task in an ephemeral cloud sandbox VM.
  • Cursor / Devin / Cognition — Each ships its own hosted sandbox/VM per task (Devin uses dedicated cloud VMs).
  • Replit Agent — Runs inside a Replit VM/container.

10. Policy / approval / audit layers (often paired with the above)

  • Cupcake — OPA/Rego hook enforcement for coding agents.
  • nah — Deterministic allow/ask/block guard for Claude Code.
  • predicate-secure — Policy-based authz + post-run verification.
  • claude-rule-enforcer — Behavior rules for Claude Code.
  • shannot — Human-in-the-loop approval flow.
  • punkgo-jack — Merkle-logged audit/receipt layer for hook events.
  • deepclause-sdk — DML-style runtime authorization SDK.

Further reading

@madarco

madarco commented Jun 6, 2026

Copy link
Copy Markdown

Great catalog. One more for the self-hosted runtimes / local CLI sandbox section: AgentBox (https://github.com/madarco/agentbox, MIT) — a CLI that runs coding agents in parallel, each teleported into its own sandboxed box: local Docker (FUSE overlay) or cloud VMs via Hetzner/Daytona/Vercel/E2B, with sub-1s starts from checkpoints, a per-box browser + VS Code, and git credentials kept on the host. Works with Claude Code, Codex, and OpenCode.

@solar-flare99

Copy link
Copy Markdown

This is great! We would love for you to checkout immunity-agent, a runtime security layer for coding agents to nudge them and write secure code (like secret management, prompt injection defense and choosing right open source packages). Completely deterministic, and we're having about 600+ devs already using it

@Ar9av

Ar9av commented Jun 16, 2026

Copy link
Copy Markdown

Candidate for the Policy/audit layers category: PrismorSec/immunity-agent. Hooks into Claude Code's PreToolUse/PostToolUse lifecycle, enforces a signed threat feed, and blocks, warns, or redacts tool calls at runtime. Apache 2.0.

@FelixSchwarz

Copy link
Copy Markdown

bunkervm seems to be removed from github?

@torarnv

torarnv commented Jul 4, 2026

Copy link
Copy Markdown

Apple container should probably be in the list, both as MicroVM and container runner?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment