A New Approach for Coding Agent Safety

Coding agents like Claude Code, Gemini CLI, Codex, Kiro, and OpenCode are changing how developers work. But as these agents become more autonomous with capabilities like deleting repos, modifying files, and accessing secrets, developers face a real problem: how do you give agents enough access to be useful without adding unnecessary risk to your local environment?

A More Effective Way to Run Local Coding Agents Safely.

We’re working on an approach that lets you run coding agents in purpose-built, isolated local environments. Docker’s local sandboxes wrap agents in containers that mirror your local workspace and enforce strict boundaries across all the coding agents you use. The idea is to give agents the access they need while maintaining isolation from your local system.

Today’s experimental release runs agents as containers inside Docker Desktop’s VM, but we will be switching to running them inside of dedicated microVMs for more defense in depth and to improve the experience of agents executing Docker containers securely. 

What’s Available Now (Experimental Preview).

This is an experimental preview. Commands may change and you shouldn’t rely on this for production workflows yet.

Here’s what you get today:

Container-based isolation: Agents can run code, install packages, and modify files within a bind mounted workspace directory.

Filesystem isolation: Process containment, resource limits, and filesystem scoping, protecting your local system.

Broad agent support: Native support for Claude Code and Gemini CLI, with support for more coding agents coming soon.

Why We Are Taking this Approach.

We don’t think the operating system-level approaches have the right long-term shape:

They sandbox only the agent process itself, not the full environment the agent needs. This means the agent constantly needs to access the host system for basic tasks (installing packages, running code, managing dependencies), leading to constant permission prompts that interrupt workflows.

They aren’t consistent across platforms.

Container-based isolation is designed for exactly the kind of dynamic, iterative workflows that coding agents need. You get flexibility without brittleness.

Although this structure is meant to be general-purpose, we’re starting with specific, pre-configured coding agents. Rather than trying to be a solution for all kinds of agents out of the box, this approach lets us solve real developer problems and deliver a great experience. We’ll support other use cases in the future, but for now, coding agents are where we can make the biggest impact.

Here’s How You Can Try It.

Today’s experimental preview works natively with Claude Code and Gemini CLI. We’re building for other agents developers use.

With Docker Desktop 4.50 and later installed, run: docker sandbox run <agent>

This creates a new isolated environment with your current working directory bind mounted.
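Because the current working directory is bind mounted, everything in it is readable and writable by the agent. The following pre-flight check is an added example, not part of Docker's post or tooling; the function names and the filename patterns are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: inspect the directory that will be bind mounted into the
# sandbox. Filename patterns are illustrative assumptions, not a Docker list.

# Print workspace-relative paths of files that commonly hold credentials.
sandbox_exposed_secrets() {
    ws=$1
    ( cd "$ws" 2>/dev/null || exit 0
      # Skip dependency trees; they are noisy and rarely hold your own secrets.
      find . \( -name node_modules -o -name .venv \) -prune -o \
          -type f \( -name '.env' -o -name '.env.*' -o -name '*.pem' \
              -o -name '*.key' -o -name 'id_rsa' -o -name 'id_ed25519' \
              -o -name '.npmrc' -o -name '.netrc' -o -name 'credentials' \) \
          -print | sed 's|^\./||' | sort )
}

# Return 0 if the workspace is a reasonable scope for an agent,
# 1 if it is too broad or contains secret-like files, 2 if it does not exist.
sandbox_preflight() {
    ws=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "no such directory: $1" >&2
        return 2
    }
    home=$(cd "${HOME:-/}" 2>/dev/null && pwd -P) || home=
    # Mounting / or the whole home directory defeats filesystem scoping.
    if [ "$ws" = "/" ] || [ "$ws" = "$home" ]; then
        echo "refusing: $ws is too broad to bind mount into a sandbox" >&2
        return 1
    fi
    found=$(sandbox_exposed_secrets "$ws")
    if [ -n "$found" ]; then
        echo "files the agent could read or modify in $ws:" >&2
        echo "$found" | sed 's/^/  /' >&2
        return 1
    fi
    return 0
}

# Usage (command form from the post; the agent name is left as a placeholder):
#   sandbox_preflight "$PWD" && docker sandbox run <agent>
```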

What’s Next.

Better support and UX for running multiple agents in parallel

Granular network access controls

Granular token and secret management for multi-agent workflows

Centralized policy management and auditability

MicroVM-based isolation architecture

Support for additional coding agents

Try It and Share Your Feedback.

We’re building this alongside developers. As you experiment with Docker Sandboxes, we want to hear about your use cases and what matters most to your workflow.

Send your feedback to: coding-sandboxes-feedback@docker.com

We believe sandboxing should be how every coding agent runs, everywhere. This is an early step, and we need your input to get there. We’re building toward a future where there’s no compromise: where you can let your agents run free while protecting everything that matters. 
Source: https://blog.docker.com/feed/
