Your Laptop Is the New Production Environment

A few years ago, the most powerful AI tools in a developer’s workflow helped write code. Today, they can do much more. It’s increasingly common to hand an AI agent a task like:

Read this repository, refactor the authentication service to match the new specification, run the test suite, and open a pull request if everything passes.

The agent reads files, analyzes dependencies, executes commands, modifies code, and interacts with external systems. In many cases, it can complete meaningful chunks of engineering work with minimal supervision. The shift sounds incremental until you realize something important: We’re no longer delegating suggestions. We’re delegating actions.

What’s interesting is that the biggest challenge increasingly isn’t whether agents can perform these tasks. In many cases, they already can. The harder question is whether developers trust them enough to delegate meaningful work. The bottleneck is shifting from capability to confidence.

While reading Srini Sekaran’s recent announcement introducing Docker AI Governance, one statement stood out:

“Your laptop is the new prod.”

The more I thought about it, the more it felt less like a marketing tagline and more like a useful way to understand what is changing about software development.

From Assistants to Agents

The last few years of developer tooling can be viewed as a progression. First, AI tools assisted developers by generating snippets and answering questions. Then, copilots emerged, helping developers complete larger tasks within existing workflows. Now we’re entering the era of agents. Unlike earlier tools, agents don’t just recommend actions. They increasingly perform them. Once software begins taking actions instead of offering suggestions, the governance conversation changes fundamentally.

A Small Observation From Building With Agents

One thing I’ve noticed while working on AI projects and experimenting with agent-based workflows is how quickly the trust boundary moves.

When I first started using AI tools, I mostly treated them like a second set of eyes. I’d ask questions about a codebase, sanity-check an approach, generate a small piece of code, or help make sense of documentation. The tools were useful, but they weren’t doing anything on their own. Every action still depended on me deciding what happened next. That changed as coding agents became more capable.

Tasks that previously involved copying code between windows increasingly became workflows where an agent could inspect a repository, modify files, run tests, and iterate on failures with minimal supervision. The productivity gains were undeniable, but so was the realization that the agent now had access to the same environment, credentials, and tooling that I did.

As a Docker Captain, this is what makes the current conversation around AI governance so interesting to me. The challenge isn’t simply that models are becoming more capable. It’s that they’re increasingly interacting with real systems rather than generating text in isolation.

Once an agent can execute actions on your behalf, the challenge is no longer just capability. Developers need confidence that the agent will operate within understood boundaries. Governance becomes important not only because it protects systems, but because it helps people trust the systems they are using.

Why Developers Still Hesitate

Most developers aren’t worried about whether agents can generate code. They’re worried about whether the agent will operate predictably once it starts interacting with real systems. That hesitation often comes from the fact that our existing trust models were designed around human operators, not autonomous software.

Most enterprise security controls evolved around a relatively simple assumption: humans perform actions and systems enforce controls around those actions. Source code flows through repositories. Changes pass through CI/CD pipelines. Production workloads run inside managed environments. Identity systems determine who can access what. Network controls restrict where workloads can communicate. The security stack works because work typically moves through predictable checkpoints. Organizations know where to observe activity, apply policy, and collect audit trails.

Agents Don’t Follow Those Checkpoints

AI agents introduce a different operating model. An agent running on a developer’s machine can inspect repositories, execute commands, install packages, access local files, query APIs, and interact with external tools all within a single session. More importantly, it often does so using the same permissions as the person operating it. From the organization’s perspective, a significant amount of work is shifting outside the systems that were originally designed to govern it. The laptop is no longer just where code is written. It is increasingly where decisions are executed.

Figure 1. Traditional security governs workflow checkpoints. Agent governance must account for execution at runtime.

A coding agent doesn’t need to wait for a pull request before interacting with a codebase. It can analyze and modify files long before a change reaches a repository. It can access credentials available to the local environment. It can connect to external services using the same permissions available to its operator.

Consider a common scenario: an agent is asked to investigate why an integration test is failing. To debug the issue, it might inspect configuration files, generate temporary scripts, install additional dependencies, execute diagnostic commands, and repeatedly rerun the test suite before a human ever reviews the result. None of these actions are unusual, but they illustrate how much activity can now occur directly within the developer’s environment.  This doesn’t make agents inherently unsafe. It does mean that many existing security assumptions deserve a second look.

Why Prompt-Based Guardrails Aren’t Enough

One common response is to rely on instructions. Tell the agent not to access sensitive files. Tell the agent not to call external services. Tell the agent not to perform risky actions. These instructions are useful, but they are fundamentally different from enforcement. A prompt can influence behavior. A runtime can restrict behavior. That distinction becomes increasingly important as agents gain more autonomy. Security has traditionally been strongest when controls exist below the application layer. Filesystem permissions don’t suggest restrictions; they enforce them. Network policies don’t ask whether traffic should be blocked; they block it. The same principle applies to AI agents. If an organization wants confidence in what an agent can and cannot do, those guarantees ultimately need to exist at the layer where actions are actually executed.

The Two Ways Agents Interact With The World

When I simplify the problem, most agent activity falls into two categories. The first is execution. Agents read files, modify code, install software, execute commands, and open network connections. The second is tool usage. Agents interact with external systems through APIs, integrations, and MCP tools. These might include GitHub, Jira, cloud platforms, internal services, communication tools, or customer systems. Both paths create tremendous value. Both paths can also introduce risk. Governing only one of them leaves a blind spot. An organization might carefully control external tool access while overlooking what an agent can execute locally. Or it might secure local execution while providing broad access to external systems. Effective governance requires visibility and control across both surfaces.

The Governance Challenge

The question for many organizations is no longer whether AI agents will be adopted, but how they can be adopted responsibly. That decision is already being made in engineering teams around the world because the productivity gains are real. The more important question is how organizations can embrace agent autonomy without sacrificing visibility, accountability, and control. Just as importantly, developers need confidence that they understand those boundaries. The easier it is to understand what an agent can access, execute, and modify, the easier it becomes to incorporate agents into everyday workflows. Traditional security models were built around infrastructure boundaries. Agent governance increasingly requires runtime boundaries.

Where is the agent running?

What can it access?

What can it execute?

Which tools can it invoke?

Which credentials can it use?

And can those controls be enforced consistently regardless of whether the agent is running on a laptop, in CI, or in production?

These questions are quickly becoming infrastructure questions, not merely AI questions. Because if AI agents are becoming active participants in software delivery, then the environments they operate in deserve the same level of attention that we have historically given to production systems.

The laptop is no longer just where software gets written. Increasingly, it’s where software acts. And that’s why “your laptop is the new prod” feels less like a prediction and more like a description of where modern development is already headed. The real challenge isn’t simply giving agents more autonomy. It’s creating environments where developers feel comfortable using that autonomy. Because the future of agentic development may depend less on what agents are capable of doing and more on what developers are willing to trust them to do.

In Part 2, we’ll explore what governance looks like at the runtime layer and why isolation, policy enforcement, and controlled tool access are becoming foundational building blocks for agentic systems.

Quelle: https://blog.docker.com/feed/

The Immortal Mind

A Manifesto for Organizational Intelligence That SurvivesA Different QuestionFor centuries, humanity has asked a single question:How do we preserve knowledge?We built libraries. We built archives. We built databases. We built clouds.And yet knowledge continues to disappear.Engineers retire. Teams reorganize. Projects are abandoned. Companies are acquired. Entire decades of hard-won experience vanish with the people who created it.The problem is not storage.The problem is continuity.Infrastructure Can Already Heal ItselfWe have been building self-healing digital infrastructure with OpenKubes.Git stores the desired state. Kubernetes reconciles reality back to that state. Servers fail. Clusters disappear. Entire environments get rebuilt from scratch — automatically, without human intervention.Infrastructure survives because it remembers what it should be.We call this the Immortal Platform.Git is the contract.Kubernetes is the enforcer.Target recovery time: under ten minutes. No runbook. No 3am call. No tribal knowledge required.When we built this, we thought we were solving an infrastructure problem.We were actually solving the beginning of a much larger problem.What About Intelligence?Organizations face a different kind of failure — one that no monitoring system detects, no alert fires for, and no on-call engineer gets paged about.The slow disappearance of organizational intelligence.What happens when the engineer who designed the system retires?Who remembers why that architectural decision was made in 2019?Who remembers the three failed approaches before the solution that worked?Who remembers the lessons from the production incident that took down the factory floor for six hours?Most organizations have no answer.Their infrastructure is documented. Their intelligence is not.We have spent ten years building and operating Kubernetes platforms across automotive plants, financial institutions, industrial facilities, and government agencies. We have seen the same pattern repeat itself dozens of times: a new team inherits a platform built by people who are no longer there. They spend months — sometimes years — reverse-engineering decisions that took the original team weeks to make. They repeat mistakes that were already made and documented somewhere no one can find. They abandon patterns that worked because nobody explained why they were there.The cost is not just time. It is confidence. Every inherited system that lacks its original context becomes a system nobody fully trusts, nobody fully understands, and nobody wants to touch.This is not a technology problem. This is a memory problem.The Immortal MindOpenKubes AI begins with a simple idea:Knowledge should be as durable as infrastructure.The founding principle of OpenKubes is that the platform owns contracts, not components. Infrastructure components come and go — the contracts they fulfill persist. The Immortal Mind extends that same principle to knowledge: decisions, context, and lessons are contracts too. Individual people, teams, and documents come and go — the organizational intelligence they carry must persist.If we can build infrastructure that heals itself — that reads a desired state from Git, reconciles toward it, and recovers from failure without human intervention — then we can build intelligence systems that do the same.Not storing documents in a folder that nobody reads.Not writing runbooks that become outdated before the ink dries.But genuinely living knowledge — continuously updated, continuously reconciled, continuously connected to the systems and decisions it describes.Just as Kubernetes reconciles infrastructure to its desired state, future AI systems can continuously reconcile organizational knowledge to its current reality.Git is the contract.Kubernetes is the enforcer.AI is the memory.To be precise about what we mean: the memory itself does not live inside a model. It lives in Git, in architecture decision records, in the knowledge graph, and in the context that evolves with the platform. AI is what connects, understands, and makes that memory accessible. Models will come and go. The organizational memory must endure.The Architecture of Organizational ImmortalityOpenKubes AI envisions four foundational layers — not as a product announcement, but as an architectural direction:Layer 1: Knowledge GraphA structured, living representation of organizational knowledge.People. Systems. Projects. Decisions. Failures. Lessons. Relationships. Dependencies. Evolution.Not a static diagram. A continuously updated graph that reflects the current state of the organization and its history — connected to the actual infrastructure it describes.When a cluster is deployed, the knowledge graph knows why. When an architectural decision is made, it is captured — not in a document folder nobody will find, but in a structured, queryable, AI-accessible form.Not a mockup: the OpenKubes knowledge graph, extracted from Git by a 200-line script — every decision, component, and commit, connected.Explore the interactive version: https://kubernauts.de/en/openkubes/openkubes_knowledge_graph_force_layout.htmlLayer 2: Context StoreGitOps for knowledge.Architecture decision records. Runbooks. Postmortem analyses. Design rationale. Lessons learned. Every significant decision — versioned, auditable, and connected to the code and infrastructure it influenced.Not documentation as an afterthought. Documentation as infrastructure — with the same discipline, the same tooling, the same lifecycle.When you git blame a Kubernetes manifest, you can trace it back to the incident that caused it. When you ask why a system is designed the way it is, the answer is a git log away.This is not theory. It is how OpenKubes is already built: every architectural decision lives as a versioned ADR in the platform repository, and every deviation from upstream in our deployment guides is recorded with its reason and its operational impact. The Context Store simply makes that discipline queryable — and permanent.Layer 3: Model RuntimeOpen AI runtimes deployed anywhere — on the same infrastructure that runs your workloads.Cloud. Edge. Air-gapped factory floors. Sovereign government infrastructure.The intelligence follows the workload. Not locked in a vendor’s cloud. Not dependent on an external API that may change, disappear, or become unavailable in an air-gapped facility.The same platform engineering principles that make OpenKubes infrastructure sovereign make OpenKubes AI intelligence sovereign.Layer 4: Immortal Platform IntegrationThe platform heals itself. The intelligence remembers itself. The system continuously rebuilds both.When a cluster fails and is reprovisioned on fresh bare metal, the AI layer knows the history of that cluster — every deployment, every incident, every change. The infrastructure is new. The memory is intact.Beyond AutomationIt is important to say clearly what this is not.This is not a vision of autonomous machines replacing human engineers.This is not digital immortality for individuals.This is not artificial general intelligence.This is preservation of organizational intelligence.A future where critical knowledge no longer disappears when individuals leave.A future where the organization remembers — not just what it built, but why it built it.The engineer retires. The knowledge stays.The team disbands. The context remains.The company is acquired. The intelligence survives.Why This Matters for Industrial SystemsIn a factory, a hospital, a power grid, or a government agency — the stakes of lost knowledge are not measured in developer productivity.They are measured in production downtime, patient safety, grid stability, and national security.We have seen what happens when a factory floor loses the engineer who understood the control system. We have seen what happens when a hospital’s IT team inherits infrastructure nobody documented. We have seen what happens when a critical system needs to be rebuilt and nobody remembers the original architecture rationale.The infrastructure survived. The intelligence did not. The consequences were real.This is why OpenKubes AI is not a feature.It is a responsibility.The Complete VisionWhen we look at where OpenKubes is going, we see a platform designed not merely for uptime — but for continuity:OpenKubes IMP → Infrastructure survivesOpenKubes AI → Knowledge survivesOpenKubes Robotics → Actions surviveThe Robotics layer is not hypothetical. Open-RMF — the open robotics middleware framework for fleet management, traffic coordination, task dispatching, and simulation — runs today as a reference robotics workload on the OpenKubes platform, deployed through the same GitOps-based operational model as everything else, consistently across local, edge, bare-metal, and public cloud environments.Together these layers form something that has never existed before:A platform where systems, knowledge, and actions persist — regardless of hardware failures, software updates, team changes, or the passage of time.Infrastructure that heals itself. Intelligence that remembers itself. Systems that evolve themselves.An InvitationThis manifesto is not a product announcement.It is a direction.OpenKubes AI does not exist yet as a shipping product. But the architectural foundation does — in the Git repositories, the Crossplane compositions, the Cluster API providers, the running robotics reference workload, and the knowledge accumulated across ten years of building and operating critical Kubernetes infrastructure.The Immortal Mind is where that foundation leads.If you are building systems that cannot afford to forget — factory automation platforms, critical infrastructure, sovereign AI systems, industrial knowledge management — we want to build this with you.Not for you. With you.Because the most important knowledge to preserve is the knowledge we build together.Git is the contract. Kubernetes is the enforcer. AI is the memory.Together, they create systems that do not merely survive failure. They learn from it.???? github.com/openkubes/openkubes ???? OpenKubes Platform Presentation ???? blog.kubernauts.io ???? OpenKubes Roadmap: OK-30 Immortal PlatformArash Kaffamanesh is the founder of Clouds Sky GmbH & Kubernauts GmbH and has been building and operating Kubernetes platforms for over ten years across automotive, industrial, financial, and healthcare environments. He is the creator of OpenKubes — the open platform for self-healing sovereign Kubernetes infrastructure.The Immortal Mind was originally published in Kubernauts on Medium, where people are continuing the conversation by highlighting and responding to this story.
Quelle: blog.kubernauts.io

Kubernetes Anywhere. Make it. — How We Built OpenKubes with Crossplane and Cluster API

By Arash Kaffamanesh · Kubernauts GmbHMost Kubernetes stories start the same way.A team deploys their first cluster. Everything works. Then comes the second cluster. And the third. Then a request from the industrial IoT team. Then the edge deployments. Then someone asks about AWS. Suddenly, you are managing eight different tools, twelve different workflows, and nobody really knows what runs where.We have been living this story for ten years across automotive, industrial, financial, and healthcare environments. And a few months ago, we decided to do something about it.We built OpenKubes.The Problem We Were SolvingThe question we kept hearing was not “can we run Kubernetes?” — everyone can run Kubernetes today.The real question was: “Can we run it the same way everywhere?”Same process for on-premises bare metal and AWS. Same day-two operations for an edge factory site and a cloud-native microservices platform. Same team, same tooling, same mental model — regardless of where the workload runs.That is a much harder problem.What We BuiltOpenKubes is not a new Kubernetes distribution. It is a platform engineering toolkit — a thin, opinionated layer on top of proven open-source projects that your team already knows.At its core, OpenKubes combines three ideas:One: Everything is a Kubernetes resource. Clusters, virtual machines, ingress controllers, TLS certificates — all declared as YAML, all reconciled by Crossplane. No manual steps, no imperative scripts that only the senior engineer understands.Two: Everything is operated via make. Not because Make is glamorous, but because it is universal. Any engineer on any machine can run make deploy cluster=ok1 without reading a 40-page runbook first.Three: The platform abstracts the provider, not the operator. You still own your infrastructure. OpenKubes just makes sure you can describe it once and apply it anywhere.The Technology Behind ItWe chose two CNCF projects as the foundation:Crossplane acts as the platform API layer. It extends Kubernetes with custom resource definitions that represent your infrastructure as first-class objects. Want to create a virtual machine? Apply a OpenKubesVMClaim. Want a complete Kubernetes cluster with CNI, load balancer, and ingress? Apply a KubeVirtClusterClaim. Crossplane handles the rest.Cluster API (CAPI) handles the Kubernetes cluster lifecycle. It models clusters, control planes, and worker nodes as Kubernetes objects — which means GitOps, drift detection, and reconciliation work out of the box.Together they give you something remarkable: infrastructure that heals itself. If a node disappears, Cluster API recreates it. If a Helm release drifts from its desired state, Crossplane reconciles it. The platform is always moving toward the state you declared, not the state it happens to be in.What It Looks Like in PracticeHere is what deploying a production-ready Kubernetes cluster looks like today with OpenKubes:make deploy cluster=ok1 # ~2 minutes → Kubernetes clustermake kubeconfig cluster=ok1 # ~5 seconds → kubeconfig savedmake manager-deploy cluster=ok1 # ~30 seconds → Headlamp UImake ingress-setup cluster=ok1 # ~30 seconds → Traefik ingressmake cert-setup cluster=ok1 # ~90 seconds → Let's Encrypt TLSFour minutes later, https://headlamp.openkubes.ai returns HTTP/2 200 with a valid TLS certificate.No manual steps. No YAML written by hand. No undocumented tribal knowledge.This is what platform engineering looks like when it is working.The Lessons We LearnedAbstractions only work when they are consistent. The moment you have two ways to do the same thing, engineers will find both of them and combine them in ways you did not anticipate. Every operation in OpenKubes goes through make. That constraint is a feature.Crossplane compositions are powerful but unforgiving. Writing a Go-template composition that creates a KubeVirt DataVolume, Service, and VirtualMachine atomically across two clusters took longer than expected. But once it worked, it never needed to be touched again. The investment pays off over time.Nested virtualization has limits. Running KubeVirt inside KubeVirt VMs (our lab setup) means MetalLB Layer 2 advertisement does not propagate to the physical network. We solved this by routing through the INFRA cluster’s existing MetalLB LoadBalancer — no MetalLB on workload clusters at all. Sometimes the pragmatic solution is better than the theoretically correct one.Platform engineering is product engineering. The Makefile is not just a convenience. It is the user interface of the platform. Every target is a feature. Every error message is UX copy. Every ✅ at the end of a command is a tiny moment of delight. Treat it that way.Where We Are GoingOpenKubes v1.0.4 is available today on GitHub — Community Preview, Apache 2.0.The roadmap has three clear directions:OpenKubes Anywhere — the same make deploy interface for EKS, AKS, and GKE. One platform API, multiple cloud providers. The user should never need to know which Cluster API provider is running underneath.OpenKubesMetal — bare metal lifecycle management via Metal3. For the factory floors, industrial edge sites, and sovereign cloud environments where virtualization is not an option.OpenKubes Robotics — Kubernetes for autonomous systems. Open-RMF, ROS2, fleet orchestration, and industrial AI — all managed through the same platform model.The vision is simple:Deploy a complete robot factory site from Git.We are not there yet. But we know exactly where we are going.Try ItOpenKubes is open source and available today:???? github.com/openkubes/openkubes???? OpenKubes Platform PresentationIf you are running Kubernetes in production — especially across mixed environments — we would love to hear from you.Platform Engineering. Sovereign Infrastructure. Kubernetes Anywhere.Arash Kaffamanesh is the founder of Clouds Sky GmbH & Kubernauts GmbH and has been building and operating Kubernetes platforms for over ten years across automotive, industrial, financial, and healthcare environments.Kubernetes Anywhere. Make it. — How We Built OpenKubes with Crossplane and Cluster API was originally published in Kubernauts on Medium, where people are continuing the conversation by highlighting and responding to this story.
Quelle: blog.kubernauts.io

Why AI Agents Need Isolation

AI coding agents are quickly becoming part of everyday development workflows. Today, AI tools can write and execute code, install dependencies, debug repositories, interact with APIs, automate terminal tasks, and modify project files. What once required constant developer involvement can increasingly be delegated to AI-assisted workflows. 

This shift is exciting, but it also changes an important assumption in software development: Should AI-generated code run directly on your machine? As AI agents become more capable, developers need safer ways to experiment, automate, and execute AI-assisted workflows.

That is where isolation becomes important. Docker Sandbox (sbx) introduces a more secure execution model for AI workflows by combining sandbox isolation, microVM-based protection, customizable environments, secure credential handling, and controlled network access. This article explores why isolation matters for AI agents, what Docker SBX changes, and how Sandbox Kits help create safer AI development environments.

The Shift From AI Assistance to AI Action

For years, AI developer tools mostly acted as assistants. They suggested code, explained concepts, or answered questions. Modern AI agents are different. Instead of only suggesting code or answering questions, they can run terminal commands, install packages, edit repositories, access external services, execute generated scripts, and interact directly with development environments. This shift moves AI systems from passive assistance toward active participation in software workflows. That creates new possibilities for productivity. It also introduces new risks.

AI systems generate outputs probabilistically. Even strong models can make mistakes, misunderstand context, or generate unsafe commands. A generated command might:

remove important files

expose credentials

install malicious dependencies

modify configurations unexpectedly

access sensitive local data

In traditional workflows, developers directly control these actions. With AI agents, developers increasingly supervise actions generated by the model itself. That changes the security model.

Why Isolation Matters

The core idea is simple: AI-generated actions should not automatically receive unrestricted access to a developer’s host machine. Isolation creates a controlled boundary between the host system, the AI agent, generated code, and the external tools and services the agent may interact with. This explicitly helps reduce accidental filesystem damage, credential exposure, unrestricted network access, persistence risks, and unsafe experimentation. 

One example discussed frequently in the Docker SBX community is running:

bash
sudo rm -rf /*

inside a sandbox while the host machine remains protected. The example is intentionally dramatic, but it highlights an important point: AI-generated commands should execute inside environments designed to contain mistakes safely. Isolation is not just a security feature. It is becoming an important part of responsible AI-assisted development.

A New Approach to AI Agent Isolation

Containers already provide lightweight isolation and are foundational to modern development workflows. But AI workloads introduce additional considerations. A common question raised around Docker SBX is:

Why use microVMs instead of standard containers alone? Traditional containers share the host kernel.

For many workloads, that model works extremely well. 

However, AI agents may execute untrusted code, interact with external repositories, dynamically generate commands, access APIs and credentials, and automate sensitive workflows. These workflows can benefit from stronger isolation boundaries. Docker SBX introduces a microVM-based approach designed to provide additional protection while still maintaining a developer-friendly experience. 

Another recurring question has been: Why did Docker build its own VMM instead of using Firecracker?

The reasoning shared publicly is that Docker wanted an approach that works across Windows and Mac environments in addition to Linux-focused deployment scenarios. The goal is simple: AI tooling should remain accessible across developer operating systems while improving isolation for modern AI workflows.

Understanding Docker SBX

Docker SBX focuses on creating isolated environments for AI-assisted development. The platform emphasizes secure execution, sandboxed environments, controlled networking,  safer credential handling and customizable workflows. One particularly interesting part of SBX is how credentials are managed. According to the official documentation, credentials stay on the host and are routed through a proxy instead of directly entering the sandbox VM.

This matters because AI agents increasingly interact with APIs, model gateways, cloud services, development platforms, and external tooling. Reducing direct credential exposure helps improve the safety of these workflows. The official documentation also explains how the proxy-managed credential system works. Inside the sandbox, the agent works with a sentinel placeholder value. The proxy then replaces the outgoing authentication header with the real credential before the request leaves the sandbox environment. This means the real secret never directly enters the VM. That design reflects an increasingly important principle for AI tooling: safer execution environments matter just as much as model capability.

Sandbox Kits: Where Isolation Becomes Practical 

While exploring Docker SBX, one thing that stood out to me was that isolation is only part of the story. Running AI agents inside an isolated environment provides a stronger security boundary, but teams still need a practical way to configure, secure, and standardize those environments. That is where Sandbox Kits play an important role.

According to Docker’s documentation, a Kit can package tools, environment variables, credentials, network rules, files, startup commands, and even memory instructions for an agent into a single reusable specification. Rather than manually configuring every sandbox, teams can define these capabilities once and reuse them across projects and teams. 

What makes Kits particularly interesting is that they are not simply templates or setup scripts. Docker SBX applies and enforces Kit-defined capabilities at runtime. This means that tooling requirements, network policies, proxy-managed credentials, and agent guidance can travel with the sandbox environment itself rather than relying on manual configuration.

This becomes increasingly valuable as AI agents take on more responsibility. An organization may want every AI coding agent to start with approved tools, access only specific services, authenticate through proxy-managed credentials, and follow internal development standards. Without a reusable mechanism, maintaining those controls consistently across environments can quickly become difficult.

Sandbox Kits help address that challenge by turning environment configuration into a reusable artifact. Teams can package their requirements once and apply them repeatedly, creating more consistent and secure AI workflows while preserving the isolation boundaries provided by Docker SBX. MicroVM isolation provides the foundation, while Sandbox Kits help turn that foundation into repeatable day-to-day AI workflows.

Sandbox Kits Make AI Workflows Practical

One of the most interesting additions to Docker SBX is Sandbox Kits. Kit packages reusable customizations for sandbox environments. According to the official documentation, Kits can install tools, configure environment variables, inject files, run startup commands, control allowed domains, and manage credentials through proxy-based injection. This allows teams to create repeatable AI environments tailored to their workflows. For example, a team could create a secure AI coding environment, a research sandbox, a data science workspace, a controlled API testing setup, or an internal experimentation environment.

Kits as Reusable AI Environment Blueprints

Sandbox Kits are useful not only for customizing individual sandboxes but also for creating consistent AI environments that can be reused across teams and projects. Instead of manually configuring environments every time an AI agent is launched, teams can create reusable Kits that package tools, network policies, credentials, files, startup logic, and agent instructions into a single definition. Docker SBX then applies and enforces those capabilities when the sandbox runs.

For example, an engineering team could create a coding-focused Kit that installs approved development tools, restricts outbound access to trusted services, injects shared configuration files, and provides secure access to internal APIs through proxy-managed credentials. Every AI coding session would start with the same controls and capabilities. Similarly, a research team could create an evaluation Kit that installs benchmark tooling, configures required dependencies, injects project instructions through agent memory, and standardizes how experiments are executed. This helps improve reproducibility while maintaining isolation.

Another interesting capability is agent memory. Docker Kits can append instructions and guidance to files such as AGENTS.md or CLAUDE.md, allowing teams to provide project conventions, workflow guidance, or tool-specific instructions directly to the agent at startup. Taken together, these capabilities make Kits more than a customization feature. They provide a practical way to package secure AI environments that teams can share across projects. For example, a developer could start a sandbox with a custom Kit using:

sbx run claude –kit ./my-kit/

This launches an isolated environment with predefined tools, startup commands, and built-in security controls, making it easier to create repeatable AI environments safely.

The documentation also distinguishes between two types of Kits:

Mixin Kits vs Agent Kits

Docker SBX supports two different types of Kits, each designed for a different level of customization.

Mixin Kits

Mixin Kits extend an existing agent with additional capabilities. Rather than creating a completely new environment, they allow teams to layer functionality onto agents they already use. Common examples include:

installing linters or developer tools

injecting shared team configuration

providing access to approved external services

adding organization-specific instructions or workflows

This makes Mixin Kits useful when teams want to standardize capabilities without changing the underlying agent experience. Multiple Mixin Kits can also be stacked on the same sandbox, allowing teams to combine capabilities as their workflows evolve.

Agent Kits

Agent Kits take a different approach. Instead of extending an existing agent, they define a complete agent environment from scratch. An Agent Kit can specify:

the container image

the agent entrypoint

networking behavior

credential configuration

persistence settings

startup and installation logic

This makes Agent Kits useful for organizations building internal agents, experimenting with custom agent architectures, or packaging specialized workflows that can be shared across teams. In practice, Mixin Kits help teams standardize and extend existing agents, while Agent Kits provide a framework for building and distributing entirely new agent experiences.

Why This Matters for AI Safety

Many conversations around AI safety focus on topics such as alignment, hallucinations, evaluations, misuse prevention, and model behavior. These are important challenges, but infrastructure-level safety is equally important as AI systems become more capable and autonomous. 

Even highly capable AI models can generate unsafe commands, misuse credentials, access unintended resources, and interact with untrusted code. For that reason, developers need strong runtime isolation, controlled execution environments, credential protections, network boundaries, and safer environments for experimentation. 

As AI agents become more autonomous, secure execution environments may become a foundational part of responsible AI development. Isolation is not about assuming AI will always fail. It is about building systems that safely contain mistakes when they happen. That principle has long existed in security engineering. Now it is becoming increasingly important for AI systems as well.

The Shift Toward Agentic Development

Many developers are already part of an AI adoption journey, even if they do not think of it that way. AI tools are rapidly moving from passive assistance toward:

autonomous execution

agentic workflows

AI-driven development environments

automated coding systems

That shift changes how developers think about security. Developers are no longer only running their own commands. They are increasingly reviewing and supervising commands generated by AI systems. As this transition continues, isolation may become a standard part of AI-assisted software development.

Architecture Diagram: Docker SBX Isolation Model

Figure 1: Docker SBX isolation model 

This architecture highlights the core SBX security model:

AI agents run inside an isolated sandbox

credentials stay outside the sandbox

Outbound requests pass through a secure proxy layer

The host machine remains protected

Workflow Diagram: Secure AI Agent Execution

Figure 2: Secure AI agent execution workflow using Docker SBX 

This workflow shows:

1. The developer launches Docker SBX.

2. The AI agent runs inside an isolated sandbox.

3. The agent accesses external services safely.

4. Results return while the host machine remains protected.

Official References

Docker Sandbox Kits Documentation

Docker SBX CLI

Docker Blog: Why MicroVMs? The Architecture Behind Docker Sandboxes

Getting Started

Developers interested in experimenting with Docker SBX can explore the official Sandbox Kits documentation and SBX CLI reference to start building isolated AI workflows. Getting started is straightforward, as the standalone sbx tool installs quickly on macOS, Windows, and Linux without requiring full Docker Desktop dependencies. Even simple sandboxed setups can help create safer environments for AI-assisted development and experimentation.

Conclusion

AI coding agents are reshaping how software is built. But more capability also requires stronger safety boundaries. Docker SBX introduces an approach focused on isolation, microVM-based protection, secure execution, customizable sandbox environments, and safer AI-assisted workflows. Sandbox Kits further extend this model by making secure and repeatable AI environments easier to build and share.

As AI agents continue to evolve, secure execution environments may become just as important as the models themselves. Ultimately, the future of AI development is not only about building more capable systems. It is also about building systems that can operate safely. And isolation is becoming an important part of that future.

Quelle: https://blog.docker.com/feed/

What Does EU AI Act Compliance Require?

For teams building AI-governed systems, the EU AI Act adds compliance obligations to every stage of the development lifecycle, from documenting training data to reporting incidents in production. With phased enforcement already underway, now is the time to assess where your workflows stand.

The EU AI Act (Regulation (EU) 2024/1689) is the world’s first comprehensive AI regulation. It entered into force in August 2024 with requirements rolling out in phases through 2027. The Act applies, among others, to any organization that places an AI system on the EU market, deployers of AI systems established in the EU, or whose AI system’s output is used in the EU, regardless of where that organization is headquartered.

This guide covers what each risk tier requires, the full compliance timeline (including the 2026 Digital Omnibus adjustments), transparency obligations, penalties, and what compliance looks like for the teams building and operating AI systems.

Key takeaways

The EU AI Act uses a four-tier risk model; your obligations depend on how your system is classified.

Prohibited practices and GPAI rules are already in effect; high-risk deadlines run through 2027.

Article 50 regarding deepfake and synthetic content labeling obligations take effect August 2, 2026.

Penalties reach €35 million or 7% of global turnover, enforced by national authorities and the EU AI Office.

The four risk tiers

The AI Act takes a risk-based approach. Every AI system falls into one of four categories, and the category determines the regulatory obligations that apply. This classification drives the entire compliance process.

1. Unacceptable risk (prohibited)

AI systems in this tier are banned outright under Article 5. These prohibitions have been in effect since February 2, 2025. The prohibited practices include:

Subliminal, manipulative, or deceptive techniques that distort behavior and cause significant harm

Exploitation of vulnerabilities related to age, disability, or socioeconomic circumstances

Social scoring systems that evaluate individuals based on social behavior or personal traits

Predictive policing based solely on profiling or personality traits

Untargeted scraping of facial images from the internet or CCTV to build facial recognition databases

Emotion recognition in workplaces and educational institutions (except for medical or safety reasons)

Biometric categorization to deduce or infer certain protected characteristics (except for labelling or filtering of lawfully acquired biometric datasets)

Real-time remote biometric identification in publicly accessible spaces for law enforcement, with narrow exceptions for missing persons, imminent threats, and serious crime investigations

2. High risk (regulated)

High-risk AI systems are subject to the most extensive compliance obligations. The Act identifies two paths to high-risk classification:

Annex I systems: AI used as a safety component or product covered by existing EU product safety legislation (medical devices, machinery, vehicles) that requires a third-party conformity assessment.

Annex III systems: AI used in eight sensitive areas: biometrics, critical infrastructure, education, employment, essential public and private services, law enforcement, migration and border control, and administration of justice.

Any AI system used to profile individuals within an Annex III use case is automatically classified as high-risk, regardless of other exemptions. Providers who believe their Annex III system is not high-risk must document that assessment before placing it on the market.

This is the tier that puts the heaviest demands on your logging, testing, and documentation pipelines.

Annex III exceptions: An AI system listed under Annex III is not considered high-risk if it performs a narrow procedural task, improves a previously completed human activity, detects decision-making patterns without replacing human judgment, or performs a preparatory task for an Annex III assessment.

3. Limited risk (transparency risk)

AI systems in this tier face requirements focused on transparency and disclosure. Under Article 50, deployers must ensure that users know they are interacting with an AI system (e.g., chatbots), and providers of generative AI must mark synthetic content as AI-generated. This tier is where deepfake obligations sit, covered in detail below.

For software engineers, this comes down to marking generated content in a machine-readable way and surfacing the disclosure where users actually see it.

4. Minimal risk (unregulated)

The majority of AI systems currently on the market, including spam filters, AI-enabled games, and recommendation engines, fall here. No specific regulatory obligations apply, though the Act encourages voluntary codes of conduct.

The compliance timeline

The EU AI Act’s requirements take effect in phases, not all at once. Some obligations are already enforceable. Others will not apply until late 2027.

Date

What takes effect

August 1, 2024

AI Act enters into force (Regulation (EU) 2024/1689 published).

February 2, 2025

Prohibited AI practices under Article 5 become unlawful. AI literacy obligations begin (Article 4).

August 2, 2025

General-purpose AI (GPAI) model obligations take effect (Chapter V). Governance bodies established. Penalty provisions become applicable. Code of Practice for GPAI published.

August 2, 2026

General date of application of the AI Act. Transparency obligations under Article 50 take effect, including deepfake labeling and synthetic content marking. Member States must have at least one AI regulatory sandbox operational.

December 2, 2026*

Machine-readable marking obligations under Article 50(2) apply to AI systems, including GPAI systems, which have been placed on the market before August 2, 2026 (four-month grace period). Article 5 prohibition on AI-generated non-consensual intimate imagery and child sexual abuse material becomes applicable.

August 2, 2027

Obligations for high-risk AI systems embedded in regulated products under Annex I (Article 6(1)). GPAI models placed on the market before August 2025 must be in compliance.

December 2, 2027*

Standalone Annex III high-risk AI system requirements take full effect (risk management, conformity assessment, technical documentation, CE marking, EU database registration).

August 2, 2028*

High-risk AI systems that are components of products covered by Annex I product safety legislation.

*Omnibus adjustment: The Digital Omnibus package revised these high-risk deadlines, moving the Annex III standalone high-risk deadline from August 2026 to December 2, 2027, and the Annex I embedded high-risk deadline from August 2027 to August 2, 2028. The European Parliament approved the package on June 16, 2026.

Obligations for high-risk systems by role

The EU AI Act distinguishes between providers, deployers, importers, and distributors. Their obligations differ by role.

Providers+

Providers of high-risk AI systems carry the heaviest compliance burden. Among other obligations, they must:

Risk management system: Establish and maintain a risk management process throughout the AI system’s lifecycle, not just at launch.

Data governance: Ensure that training, validation, and testing datasets are subject to appropriate data governance and management practices and are relevant, sufficiently representative, and as free of errors as possible. Where these datasets contain personal data, the GDPR also applies: you need a lawful basis, data minimization, and, for any special-category data used to detect and correct bias, the specific safeguards.

Technical documentation: Produce documentation that demonstrates compliance and provides authorities with the information to assess it. It shall contain, at minimum, the elements contained in Annex IV.

Record-keeping and documentation: Design the system to automatically log events relevant to identifying risks and tracking modifications. Providers must keep certain documents for up to 10 years at the disposal of the competent authorities.

Transparency and instructions for use: Provide deployers with clear documentation on the system’s capabilities, limitations, intended use, and human oversight requirements, which allows deployers to interpret a system’s output and use it appropriately.

Human oversight: Design the system so that deployers can implement effective human oversight during use.

Accuracy, robustness, and cybersecurity: Achieve appropriate performance levels across all three dimensions.

Quality management system: Establish and document a QMS that covers the full compliance process.

Corrective actions: Take necessary corrective action in case of suspected non-conformity of the AI system with the AI Act, including bringing it into conformity, withdrawing it, disabling it or recall it, as appropriate.

Cooperation with authorities: Provide information and documentation necessary to competent authorities and giving access to automatically generated logs, upon request, to demonstrate conformity of the AI system with the AI Act.

Authorized representatives: Providers established in third-party countries must appoint a representative established in the Union prior to making the high-risk AI system available on the Union market.

Conformity assessment: Ensure that the appropriate conformity assessment procedure is completed prior to placing the AI system on the market. Additionally, drawing up an EU declaration of conformity, affix CE marking, and register the system in the EU database before placing it on the market.

Post-market monitoring: Providers shall establish and document a post-market monitoring system in a manner that is proportionate to the nature of the AI technologies and the risks of the high-risk AI system.

Reporting: Providers shall report any serious incident to the market surveillance authorities. The AI Act establishes different terms for reporting, which vary according to the incident’s severity. 

Deployers+

Deployers are natural or legal persons, public authorities, agencies or other bodies that use an AI system under its authority. Those using AI systems in the course of a personal non-professional activity are not considered deployers. Under Article 26, deployers of high-risk systems must:

Use the system as instructed: Operate it the way the provider’s instructions for use specify.

Assign human oversight: Put oversight in the hands of people with the competence and authority to exercise it.

Govern input data: Where the deployer controls the input data, make sure it’s relevant and sufficiently representative for the system’s intended purpose.

Monitor and escalate: Monitor the operation of the AI system, and if it starts to present a risk, notify the provider or the distributor and the market surveillance authority and suspend use.

Keep logs: Retain the logs the system generates automatically, to the extent they’re under the deployer’s control, for at least six months.

Notify the workforce: Tell affected workers and their representatives before a high-risk system goes live in the workplace.

Inform affected people: When an Annex III system makes decisions, or assists in making decisions, about individuals, those individuals have to be told. This overlaps with GDPR transparency and where the system makes solely automated decisions with legal or similarly significant effects, so coordinate the AI Act notice with your GDPR notices.

Support data protection assessments: Use the information the provider supplies to meet any data protection impact assessment obligation under the GDPR.

Cooperate with authorities: Work with competent authorities on any action they take regarding the system.

Register, if public: Public authorities must register the deployment in the EU database and shall not run a system while it isn’t.

Article 27 adds a fundamental rights impact assessment for a narrower group: public bodies, private entities providing public services, and deployers using Annex III systems for credit scoring or insurance pricing. Before first use, they document how the system will be used, who it could affect, the risks involved, and the human oversight in place, then file the results with the market surveillance authority.

For engineering teams, most of these duties come down to monitoring, log retention, and the ability to suspend a system fast. They get solved in your infrastructure, not in a policy document.

Important: Under the EU AI Act, operators in the AI-value chain can be considered both providers and deployers. Put your name on a high-risk system, modify one substantially, or repurpose a non-high-risk system into a high-risk use, and you’re reclassified as a provider with the full obligation set (Article 25).

Importers+

Importers are the EU-based persons or organizations that place a non-EU provider’s high-risk AI system on the market, and Article 23 makes them a checkpoint for conformity before the system reaches EU users. Importers must:

Verify conformity before import: Confirm the provider has completed the conformity assessment, drawn up the technical documentation (Annex IV), affixed CE marking with the EU declaration of conformity and instructions for use, and appointed an authorized representative.

Block non-conforming systems: If there’s reason to believe a system isn’t in conformity, or its documentation is falsified, don’t place it on the market until it’s corrected. If the system presents a risk, inform the provider, the authorized representative, and the market surveillance authorities.

Add contact details: Put the importer’s name, registered trade name or trademark, and contact address on the system, its packaging, or its accompanying documentation.

Protect compliance in storage and transit: Make sure storage and transport conditions under the importer’s responsibility don’t compromise the system’s compliance.

Keep records for 10 years: Retain a copy of the notified-body certificate (where applicable), the instructions for use, and the EU declaration of conformity for 10 years after the system is placed on the market or put into service.

Respond to authorities: On a reasoned request, give competent authorities the information and documentation needed to demonstrate conformity, in a language they can readily understand.

Cooperate with authorities: Work with competent authorities on any action they take to reduce or mitigate the risks of a system the importer placed on the market.

An importer that puts its own name or trademark on a high-risk system, or substantially modifies one already on the market, is reclassified as a provider and takes on the full provider obligation set (Article 25).

Distributors+

Distributors are the other parties in the supply chain who make a high-risk system available on the EU market. Their duties under Article 24 overlap with an importer’s but focus on what happens at and after the point of sale. Distributors must:

Verify documentation before distribution: Confirm the system bears CE marking, comes with the EU declaration of conformity and instructions for use, and that the provider and importer have met their own obligations.

Block non-conforming systems: If there’s reason to believe a system isn’t in conformity, don’t make it available until it’s corrected. If it presents a risk, inform the provider or importer.

Protect compliance in storage and transit: Make sure storage and transport conditions under the distributor’s responsibility don’t compromise the system’s compliance.

Act on non-conformity after sale: If a system already made available turns out to be non-conforming, take corrective action to fix, withdraw, or recall it, or ensure the provider or importer does. If it presents a risk, immediately inform the provider or importer and the competent authorities.

Respond to authorities: On a reasoned request, provide the information and documentation on these actions needed to demonstrate conformity.

Cooperate with authorities: Work with competent authorities on any action they take regarding a system the distributor made available.

The same reclassification rule applies: a distributor that brands a high-risk system as its own or substantially modifies one already on the market becomes a provider under Article 25.

Deepfake and transparency obligations (Article 50)

Article 50 creates specific transparency requirements for AI systems that interact with people or generate synthetic content. These obligations generally apply from August 2, 2026 and are relevant regardless of the system’s risk classification.

Who must comply

Providers of AI systems that interact directly with people must ensure that individuals are informed they’re interacting with an AI system, unless this is obvious from the circumstances.

Providers of AI systems that generate synthetic content (audio, image, video, or text) must mark that output in a machine-readable format that’s detectable as AI-generated or manipulated. The marking must be effective, interoperable, robust, and reliable.

Deployers who use AI to create deepfakes must disclose that the content has been artificially generated or manipulated. The Act defines a deepfake as AI-generated or manipulated image, audio, or video content that resembles existing persons, objects, places, or events and would falsely appear authentic.

Deployers who publish AI-generated text on matters of public interest must label it as AI-generated, unless the content has been through human editorial review and a natural or legal person holds editorial responsibility.

Deployers of emotion recognition or biometric categorisation systems must inform the people exposed to the system that it’s operating, and handle their personal data in line with the GDPR.

Artistic exception regarding deepfakes: When AI-generated content is part of an evidently artistic, creative, satirical, or fictional work, only minimal and non-intrusive disclosure is required. The deepfake labeling obligation still applies, but the disclosure format can be lighter.

The Code of Practice for transparency

The European Commission developed a Code of Practice on marking and labeling AI-generated content to operationalize Articles 50(2) through 50(5). The code provides practical and technical guidance for real-world implementation of the marking and disclosure requirements. Its final version was published on June 10, 2026.

General-purpose AI model obligations

Chapter V of the Act creates a separate set of obligations for providers of general-purpose AI (GPAI) models. These rules have been applicable since August 2, 2025 (models placed on the market before that date have until August 2, 2027 to comply). The European Commission has published guidelines to support providers in meeting these requirements.

General-purpose AI models are the broad, multi-purpose models that show significant generality, perform a wide range of distinct tasks, and can be used directly as well as integrated into other AI systems.

All GPAI model providers

Every provider of a GPAI model must draw up and maintain technical documentation (which shall contain at minimum the information set out in Annex VI), provide information and documentation to downstream providers integrating the model, establish a policy to respect the EU Copyright Directive, and publish a sufficiently detailed summary of the content used for training.

Providers of free and open-license GPAI models (where parameters, architecture, and usage information are publicly available) do not need to comply with the obligations regarding technical documentation and provision of information to downstream providers, unless the model presents a systemic risk.

GPAI models with systemic risk

A GPAI model is presumed to carry systemic risk if it was trained using more than 10²⁵ floating point operations (FLOPs) of compute. That bar was set to capture the frontier models of the day: GPT-4 is widely estimated to sit above it, while the earlier GPT-3 was trained on roughly 30 times less. The Commission can also designate other models as systemic on criteria like the number of end users, high-impact capabilities, or output modalities.

Providers of systemic-risk models carry every GPAI obligation above, plus four more:

Model evaluation: Run model evaluations, including adversarial testing.

Risk mitigation: Assess and mitigate the systemic risks the model could pose.

Incident reporting: Track and report serious incidents to the AI Office.

Cybersecurity: Maintain an adequate level of protection for the model.

A voluntary Code of Practice for general-purpose AI models was published in July 2025. Following a code of practice creates a presumption of conformity until European harmonized standards are in place.

Penalties and enforcement

The EU AI Act establishes a three-tier penalty structure under Article 99, designed to be effective, proportionate, and dissuasive.

Violation

Maximum fine

Turnover threshold

Prohibited AI practices (Article 5)

€35 million

7% of global annual turnover

High-risk AI system non-compliance (specific provisions)

€15 million

3% of global annual turnover

Supplying incorrect or misleading information to authorities

€7.5 million

1% of global annual turnover

Enforcement is split between the European AI Office, which oversees GPAI model providers, and national competent authorities in each Member State, which handle all other operators.

Each Member State must designate at least one national authority for implementation and market surveillance. The penalty provisions are designed to account for the interests of small and medium-sized enterprises and startups, and Member States report annually to the Commission on fines issued.

What compliance looks like for engineering teams

The EU AI Act’s requirements are written in regulatory language, but they translate to concrete engineering concerns. If your team builds or deploys AI systems that serve EU users, here’s where the Act’s obligations intersect with your development workflow.

Inventory and classification come first

Compliance starts with knowing what you have. Every AI system the organization builds, uses, or procures needs to be cataloged and classified against the Act’s risk tiers. Record, for each system, whether it processes personal data and link the entry to your GDPR records of processing (Article 30) so the AI inventory and the privacy record stay aligned.

This is not a legal exercise alone. Engineering teams are typically the only ones who understand the actual capabilities, data flows, and deployment contexts of the systems they build. If your organization has an AI governance framework in place, the AI inventory is usually its foundation.

Audit trails are non-negotiable

The Act requires automatic event logging for high-risk systems and structured documentation across almost every tier. This means every decision an AI system makes, the categories of data sources it accesses, and every action it takes needs to be logged in a way that is auditable. 

Teams already shipping AI agents need structured event capture of system actions, including timestamp, session context, the tool or rule invoked, and the agent or service identity, scoped to system-health and security telemetry rather than individual worker performance. Exporting these logs to existing SIEM and compliance systems closes the gap between agent behavior and audit requirements.

Prepare your risk management system

Article 9 requires a continuous risk management process, including control measures for risks that can’t be removed by design. 

The ability to enforce policies is the mechanism that makes your chosen controls binding at the moment the agent acts, therefore acting as a risk mitigating strategy. This can happen at the agent level, by applying policies and rules to sandboxed agents, and at the tool level, with policies applied to the gateway that manages agent tool access.

Runtime isolation supports human oversight

The EU AI Act requires that high-risk AI systems be designed for human oversight, and that deployers can intervene during operation. For agentic workloads, where AI acts autonomously, this maps directly to runtime isolation: running agents inside sandboxed environments where network access, filesystem scope, and tool permissions are policy-controlled. 

If an agent exceeds its intended scope, isolation constrains the blast radius. This is the mechanism that makes oversight enforceable at the infrastructure level.

Transparency can be instrumented

Article 50’s deepfake and synthetic content marking requirements are a metadata problem. Providers need to embed machine-readable markers in generated content, and deployers need to surface human-readable disclosures. 

For teams building generative AI systems, this means integrating content provenance marking (such as C2PA or IPTC standards) into the generation pipeline. Where generated content depicts a real, identifiable person, it is also personal data under the GDPR, so the marking is necessary but not sufficient and the usual lawful-basis and rights obligations still apply. The AI governance controls your organization uses can enforce these policies at the platform layer rather than relying on each application to implement them independently.

Use the official compliance tools

The European Commission has launched the AI Act Service Desk, a single information platform that includes an official Compliance Checker to help organizations determine which obligations apply to their AI systems, an AI Act Explorer for navigating the full regulation text, and a helpdesk for submitting questions. These tools are free, official, and available in English, French, and German (with all 24 EU languages planned for 2026).

Start building compliance into your AI infrastructure

EU AI Act compliance is not a document you file. It’s a set of technical controls, organizational processes, and audit practices that need to be embedded in how your team builds and operates AI systems.

To make things easier, Docker AI Governance supports operationalizing these requirements. It does not replace the human oversight, classification, and legal accountability the AI Act assigns to providers and deployers, and customer code, configurations, and telemetry are not used to train Docker’s or third-party models. Instead, Docker AI Governance includes sandbox-based runtime isolation for blast-radius risk mitigation and real time monitoring, policy enforcement across network, filesystem, and MCP tool access, and structured audit logging that exports to existing SIEM and compliance systems.

Explore Docker AI Governance to see how runtime policy, audit trails, and agent isolation support the regulatory controls the EU AI Act requires.

Frequently asked questions

Does the EU AI Act apply to companies outside the EU?

Yes. Under Article 2, the EU AI Act applies to providers and deployers of AI systems regardless of whether they’re established in the EU. You are in scope if you place an AI system on the EU market, or if the system’s output is used in the EU.

Is there an official EU AI Act compliance checker?

The European Commission’s AI Act Service Desk includes a Compliance Checker tool that helps organizations determine which obligations apply to their AI systems. It walks through a series of questions about the system’s purpose, deployment context, and risk profile to identify relevant articles and requirements.

What are the EU AI Act deepfake requirements?

Under Article 50, providers of AI systems that generate synthetic audio, image, video, or text must mark the output in a machine-readable format as AI-generated. Deployers who use AI to create deepfakes (content resembling existing persons or events that would falsely appear authentic) must disclose that the content is artificially generated, even when the content is lawful. Artistic, creative, and satirical uses require only minimal disclosure.

These obligations take effect on August 2, 2026. Where a deepfake depicts a real, identifiable person, that content is also personal data under the GDPR, so labeling is necessary but not sufficient.

What is the difference between the AI Act and the Cyber Resilience Act?

The EU Cyber Resilience Act (CRA) targets products with digital elements and focuses on cybersecurity requirements across their lifecycle. The AI Act specifically targets AI systems and AI models, with requirements that scale based on risk classification. A product could be subject to both regulations, for example an AI-powered medical device that is both a product with digital elements (CRA) and a high-risk AI system (AI Act).

When do the high-risk AI system rules actually take effect?

The timeline depends on the type of high-risk system. Under the Digital Omnibus package, approved by the European Parliament on June 16, 2026, standalone Annex III high-risk systems must comply by December 2, 2027. Annex I embedded high-risk systems (products covered by EU product safety legislation) must comply by August 2, 2028. Check the official implementation timeline for the latest confirmed dates.

Quelle: https://blog.docker.com/feed/

How to Generate an SBOM for Container Workflows

According to Omdia’s 2026 software supply chain security report, 86% of organizations find SBOM generation challenging. A major driver is tool sprawl: teams cobbling together different scanners for different artifact types, getting inconsistent output across pipelines, and spending engineering time reconciling the results rather than acting on them.

SBOMs have become important to how security teams respond to vulnerability disclosures, how compliance teams satisfy auditors, and how procurement decisions get made. That makes the generation step load-bearing. If the SBOM your pipeline produces misses transitive dependencies, records declared versions instead of resolved ones, or is not cryptographically bound to the artifact it describes, every downstream decision built on that data inherits the gap.

This post covers the decisions that determine SBOM quality: when and where to generate, what separates actionable output from data that just checks a box, and how to keep generation reliable as your image portfolio grows.

Key takeaways

Build-time SBOM generation produces more complete, accurate output than post-build scanning.

Completeness, accuracy, freshness, and verifiability determine whether an SBOM is actionable.

Generation tooling runs with elevated build access and may require additional security considerations, for example pinning to immutable references.

Images that ship with pre-built SBOMs eliminate the generation burden for your base layer.

When to generate: Build-time vs. post-build

The single decision that most affects SBOM quality is when you generate it. There are two broad approaches, and they produce meaningfully different results.

Build-time generation

Build-time generation hooks into the build system itself. The generator has access to the resolved dependency tree, the package manager files, and the full build context. It knows exactly what went into the artifact because it was present when the artifact was assembled.

Container build systems with native attestation support can produce an SPDX SBOM during the image build, attach it as an in-toto attestation, and push both the image and the SBOM to the registry in a single operation. Language-specific build plugins take a similar approach for application dependencies, generating SBOMs as part of the standard build lifecycle.

The advantage is structural: build-time generation captures the resolved state of every dependency, including transitive dependencies that post-build scanners may miss.

Post-build scanning

Post-build tools scan a finished artifact and reverse-engineer its contents. They work by identifying package manager metadata, file signatures, and known patterns within the artifact. This approach works on any OCI-compatible image, regardless of how it was built.

The trade-off is coverage. Statically linked binaries, vendored dependencies, and OS packages installed in intermediate build stages may commonly be missed by post-build scanners. The scanner can only report what it can detect, and detection is heuristic-based rather than derived from the actual build graph.

When you have build system access, generate at build time. Post-build scanning is the right choice for third-party images you consume but did not build, or for legacy artifacts without build system integration.

For container images, our documentation covers how to configure build-time SBOM attestation in detail, including the specific flags and generator options for different build workflows.

What makes an SBOM useful

Generating an SBOM is not the same as generating a useful one. The file format is standard, but the quality of the content varies dramatically depending on how and when the SBOM was produced. Five criteria separate actionable SBOMs from checkbox artifacts.

1. Completeness

A complete SBOM accounts for every component in the artifact across all layers and all package types. This includes OS packages from the base image, application dependencies from every package manager in the build, and any tooling or utilities added during the build process. 

This is where multi-stage and minimal base images create real gaps. A Dockerfile with a Node frontend, a C or C++ component compiled into a static binary, and a distroless final stage presents three distinct challenges: the Node layer has deep transitive dependency trees, the statically linked binary often carries no dependency manifest on disk, and the distroless base has no package manager at all. Post-build scanners can miss the statically linked dependencies and may undercount the Node tree. Build-time generation with access to each stage’s resolved dependency graph is the only way to get a complete picture.

2. Accuracy

Accuracy means the SBOM records resolved versions, not declared ranges. A package manifest might declare “^4.17.0” but the resolved version in the lock file is 4.17.21. The SBOM must reflect what was actually installed, not what was requested.

3. Freshness

An SBOM is a point-in-time snapshot tied to a specific build. Every time the artifact is rebuilt, the SBOM should be regenerated. Stale SBOMs create a false sense of visibility.

4. Verifiability

A verifiable SBOM is one that consumers can confirm was produced by the build system and has not been tampered with. Cryptographic signing and attestation frameworks bind the SBOM to a specific artifact digest, along with build provenance that records where and how the artifact was built.

5. Format compliance

Standard formats like SPDX and CycloneDX define required and optional fields. An SBOM that validates against the schema is interoperable across scanning tools, policy engines, and compliance workflows. One that does not may work with your current tools but will break when you change them.

Some base images already ship with SBOMs that meet all five criteria, along with SLSA Build Level 3 provenance and exploitability data. These SBOMs were generated at build time on hardened build platforms with non-falsifiable provenance, cryptographically signed, and attached as in-toto attestations bound to the image digest. They are continuously regenerated with every rebuild, so freshness is maintained without manual intervention. For those images, the generation question is answered for the most critical layer of the stack, and your effort shifts to generating a complete SBOM for the application layer you add on top.

Your generation toolchain is attack surface

The tools you use to generate SBOMs run with elevated access to your build environment. They read your source code, your dependency trees, and your build artifacts. A compromised generator does not just produce bad output; it has the access to exfiltrate or modify what it scans.

This is not a theoretical concern. Version tags on GitHub Actions and container images are mutable. A tool you pinned to v2.1 today can silently become something different tomorrow if a maintainer account is compromised or a tag is force-pushed. The exposure window for incidents like these is typically measured in hours, but automated pipelines can pull compromised versions within minutes.

Treat your generation tooling with the same rigor you apply to any other build dependency:

Pin to immutable references (commit SHAs, not version tags).

Verify checksums before execution.

Run generation in CI, not on developer machines, for reproducible and auditable output.

Monitor for upstream security advisories on your generation tools.

This is one dimension of a broader software supply chain security challenge: every tool in your pipeline is a dependency that needs the same scrutiny as your application code. For base images, you can sidestep this risk entirely. Images built on hardened build platforms with non-falsifiable provenance carry their supply chain metadata from the point of origin, cryptographically verified end-to-end.

Integrating SBOM generation into CI/CD

Manual SBOM generation works for one-off audits. For production workflows, generation needs to be automatic, reproducible, and wired into the rest of your delivery pipeline. The pattern is consistent across CI systems.

Generate at build

Add SBOM generation as a build stage step, immediately after the image is produced. For container images, BuildKit attestation flags are the most reliable approach. For application dependencies, language-specific plugins (CycloneDX for Maven/Gradle, npm/yarn for Node) produce the highest-quality output because they access the resolved dependency graph.

For multi-stage builds, generate from the final stage only. Intermediate stages often install build tools and test frameworks that do not ship in the production image. Generating against intermediate stages inflates the SBOM with components that are not deployed, creating noise in vulnerability scans.

Choose an attestation format

SPDX is the native output format for BuildKit attestation and the stronger choice if license compliance is a primary concern. CycloneDX has richer vulnerability correlation support and more granular component classification, making it the better fit for security-focused workflows. If your consumption tools (policy engines, vulnerability scanners, compliance dashboards) have a preference, follow it. If they support both, default to SPDX for container images since it requires no additional tooling beyond BuildKit’s built-in generator.

Attach to the artifact

Store the SBOM alongside the artifact it describes. For container images, this means attaching it as an OCI attestation in the registry rather than saving it as a separate file in an artifact store. Attestation-based storage keeps the SBOM discoverable, versioned, and bound to the specific image digest. When the image is promoted from dev to staging to production, the SBOM travels with it through every registry, rather than requiring a separate copy-and-sync workflow that inevitably drifts.

Validate before publishing

Add a validation step between generation and registry push. Run the SBOM through a format validator (SPDX and CycloneDX both provide official schema validators), check that the component count is reasonable for the artifact, and verify that the SBOM references the correct image digest. A build that produces 12 components for an image you know contains 200+ packages should fail the pipeline, not ship silently.

Scan and enforce continuously

SBOM generation at build time captures what’s shipped. Continuous scanning tells you what’s become vulnerable since. New CVEs drop daily, and an SBOM that was clean at build time can have critical exposures within weeks. Continuous analysis against SBOM data matches new disclosures against your inventory without re-pulling images, and surfaces policy violations as they emerge. With SBOMs attached to every image, you can gate deployment: no image ships without a valid SBOM, no image deploys with a known-vulnerable package above your severity threshold.

Implementation details vary by CI system. Our documentation covers the specific flags and configuration for generating and attaching SBOM attestations across common container build workflows.

Verifying your SBOM output

Before relying on your SBOM output for compliance reporting or vulnerability management, verify that it meets the quality criteria below.

Component count sanity check: Compare the number of components in your SBOM against what you expect from the Dockerfile, lock files, and base image. A Node.js app with 200 declared dependencies should produce substantially more entries once transitive dependencies are included.

Resolved versions, not ranges: Spot-check entries to confirm the SBOM records specific versions (4.17.21) rather than declared ranges (^4.17.0).

Transitive dependency depth: Verify that transitive dependencies appear, not just top-level packages. If your app declares 30 direct dependencies but the SBOM contains 32 entries, transitive coverage is likely incomplete.

OS package coverage: Confirm that base image OS packages appear alongside application dependencies.

Digest binding: Verify the attestation references the correct image digest. An unbound SBOM cannot be trusted to describe its artifact.

Format validation: Run the SBOM through a schema validator (SPDX and CycloneDX both provide official tools).

Start generating, then start verifying

The best time to add SBOM generation to your pipeline is the next time you touch your CI configuration. Start with your highest-traffic production image. Configure build-time generation, attach the SBOM as an attestation, and validate the output against the checklist above. Then expand to the rest of your portfolio.

If you want a head start, Docker Hardened Images ship with complete SBOMs, SLSA Build Level 3 provenance, and OpenVEX data already attached, so you can skip the generation step for your base layers entirely. For everything you build on top, Docker Scout provides continuous vulnerability matching against your SBOM data and enforces policies across your image portfolio.

Get started with Docker Hardened Images →

Explore vulnerability monitoring with Docker Scout →

Frequently asked questions

What is the best format for an SBOM?

For container images, default to SPDX since it is the native BuildKit attestation output and requires no additional tooling. Choose CycloneDX if your primary use case is security scanning and your downstream tools prefer it.

Do I need to generate an SBOM if my images already come with one?

If you are using base images that ship with pre-built SBOMs, provenance, and exploitability data, you do not need to regenerate for that layer. The included SBOM was generated at build time with full access to the build graph and is cryptographically bound to the image.

To verify the pre-built SBOM is trustworthy, check two things: 

Is the SBOM attached as a signed attestation (not a loose file)?

Does the attestation include SLSA provenance?

If the provenance traces back to a hardened build platform with non-falsifiable provenance, you can treat the SBOM as authoritative for that layer. You still need to generate an SBOM for the application dependencies you add on top.

How often should I regenerate my SBOM?

Every time the artifact is rebuilt. If your CI pipeline produces a new image, it should produce a new SBOM to match. Between rebuilds, the existing SBOM is still accurate because the artifact has not changed.

Is SBOM generation required for compliance?

In the United States, Executive Order 14028 helped set SBOM requirements in motion for software sold to federal agencies. The EU Cyber Resilience Act extends SBOM requirements to all products with digital elements sold in the EU.

And as AI workloads come under newer regulations like the EU AI Act with its technical documentation and transparency expectations, component-level inventories are becoming a practical way for teams to show what is inside high-risk systems. Industry frameworks like NIST SSDF and CISA’s SBOM guidance increasingly reference SBOMs as a baseline expectation. Whether legally required today, SBOMs are becoming a procurement prerequisite.

Sources

Omdia, Securing the Software Supply Chain: Strategic Approaches to Support Scaling Development with AI Adoption, May 2026.

Quelle: https://blog.docker.com/feed/

EU Cyber Resilience Act: Overview, Requirements, and Timelines

The EU Cyber Resilience Act (CRA) was officially introduced on December 10th 2024, to protect foundational EU values in the face of rising cyberattack threats. As cyberattacks targeting products with digital elements have grown more frequent and costly, the regulation establishes the first horizontal cybersecurity baseline for all hardware and software products sold in Europe. The urgency is real given that in Omdia’s 2026 software supply chain security report, 77% of organizations reported experiencing a supply chain incident in the last year.

The regulation will take full effect on December 11, 2027, but mandatory vulnerability reporting obligations take effect on September 11, 2026. For teams building and shipping containerized software, the CRA turns practices like SBOM generation, vulnerability disclosure, and image hardening from voluntary best practices into legal requirements.

This guide covers what the EU CRA requires, who it applies to, how its SBOM mandate connects to container build workflows, and what teams need to do before the compliance deadlines arrive.

Key takeaways

The CRA requires all products with digital elements sold in the EU to meet cybersecurity standards by December 2027.

Manufacturers must include a machine-readable SBOM in technical documentation for every product.

Actively exploited vulnerabilities and severe incidents having an impact on the security of a product with digital elements must be reported to authorities within 24 hours starting September 2026.

Container runtimes distributed commercially into the EU qualify as products with digital elements under the CRA.

What is the EU Cyber Resilience Act (CRA)?

Before the CRA, the EU had no single, cross-sector regulation setting cybersecurity baselines for  products with digital elements. A smart thermostat, an enterprise database, and a container runtime were all subject to different (or no) cybersecurity obligations. There was no general obligation to patch vulnerabilities, disclose security incidents, or document the software of products with digital elements launched in the EU market. The CRA closes that gap with a horizontal regulation that applies across several industries, placing the primary burden on manufacturers.

The regulation defines a product with digital elements as any software or hardware product, including its remote data processing solutions and any components placed on the market separately. That scope is intentionally broad: it covers everything from consumer IoT devices to enterprise software platforms to container images distributed through registries. Manufacturers must design products securely, handle vulnerabilities throughout the product lifecycle, and provide transparency about software composition.

How the CRA relates to NIS2

The CRA is one part of the broader EU cybersecurity strategy that includes other regulatory frameworks, like NIS2 and DORA. Since the CRA and NIS2 both deal with cybersecurity obligations, they’re easy to conflate, but they target different things. The CRA applies to cybersecurity of products with digital elements, while NIS2 applies to the cybersecurity of essential and important entities.

Recital 12 of CRA even affirms that SaaS, PaaS, or IaaS solutions are subject to NIS2, in principle carving them out of its own scope. However, the line is blurry for products depending on cloud infrastructure.

The European Commission’s March 2026 draft guidance introduced a three-part test for determining when a cloud component falls under CRA scope:

Does the processing happen remotely?

Would the product lose a core function without it?

Did the manufacturer design, develop, or is control of that remote component under its responsibility?

If the answer to all three is yes, the cloud component is part of the product for CRA purposes. Where that test pulls a cloud component into scope and the component processes personal data, the GDPR applies on top of the CRA rather than in place of it, so you still need to assign controller and processor roles and confirm a lawful basis.

Who the CRA applies to

The CRA assigns obligations based on your role in bringing a product to market.

Role

Obligations

Manufacturers

The heaviest set of obligations.

The manufacturer has assessment obligations before placing the product on the market, in order to ensure compliance with the cybersecurity requirements set out in the CRA.

After this process, the manufacturer can affix the CE marking and attach a declaration of conformity to its products. After placement on the market, the manufacturer is required to handle vulnerabilities in the products throughout their lifetime and to report actively exploited vulnerabilities and severe incidents.

Importers and distributors

Fewer obligations.

Both must ensure that the manufacturer complied with a set of obligations, but also retain documentation and act upon becoming aware of non-conformity of the product with the CRA or a vulnerability.

Open-source software stewards

A new CRA category.

Mainly for micro-enterprises and small and medium-sized enterprises, including start-ups, individuals, non-profit organizations and academic research organizations, that systematically support open-source used in commercial activity.

Scaled-down obligations covering, in particular, putting in place a cybersecurity policy and vulnerability handling, but also cooperation with market surveillance authorities and certain reporting obligations.

Key requirements for the EU CRA

The CRA organizes its requirements into two main areas, both defined in Annex I of the regulation: essential cybersecurity requirements for product properties, and vulnerability handling obligations for the product lifecycle.

Security by design

Products must be designed, developed, and produced to ensure an appropriate level of cybersecurity based on a risk assessment. In practice, this means shipping with secure default configurations, minimizing the attack surface by removing unnecessary components, protecting the confidentiality and integrity of stored and transmitted data, and providing mechanisms for secure updates.

For container images, the security-by-design requirement maps directly to image hardening:

minimal base layers

no unnecessary shells or package managers

secure defaults out of the box.

The essential requirements also include data minimization: a product should process only personal or other data that is adequate, relevant, and limited to what is necessary for its intended purpose.

Vulnerability handling

Manufacturers must maintain processes for identifying, documenting, and remediating vulnerabilities throughout the support period they define for each product. This includes coordinated vulnerability disclosure policies, timely security updates, and public disclosure of fixed vulnerabilities with enough detail for users to assess impact and apply remediation.

Security updates must be provided free of charge for the duration of the support period. Public disclosures should be limited to the technical detail users need and must not expose personal data, such as the identity of a reporter or of affected users, consistent with the CRA’s expectation that disclosures avoid increasing risk and with GDPR limits on publishing personal data.

Transparency and SBOMs

The CRA also requires manufacturers to include a software bill of materials in the technical documentation for every product with digital elements. The SBOM must be in a commonly used, machine-readable format and must include, at minimum, the top-level dependencies of the product. However, the regulation does not mandate a specific format, but in practice that typically means SPDX or CycloneDX.  Scope the generated SBOM to package and dependency metadata and keep embedded secrets and personal data out of the artifact.

An important nuance: The CRA does not require manufacturers to publish SBOMs publicly. SBOMs must be included in technical documentation and provided to market surveillance authorities on request. Also, the documentation must be retained for ten years after the product is placed on the market, or for the duration of the support period, whichever is longer.

Incident and vulnerability reporting

Manufacturers must report actively exploited vulnerabilities and severe security incidents to the relevant national Computer Security Incident Response Team (CSIRT) and to ENISA through a single reporting platform. The reporting timelines are:

Reporting timelines:– 24 hours: early warning notification– 72 hours: full notification with technical details– 14 days: final report after a corrective measure is available (for actively exploited vulnerabilities)– 1 month: final report from the 72-hour submission (for severe incidents)

Note for Privacy: These reports can contain personal data, such as a reporter’s identity or affected-user details, so limit each report to the technical information the CSIRT and ENISA actually need and handle any personal data in line with the GDPR.  Notifications should also avoid disclosing information that would increase risk to users.

Conformity assessment

Before placing a product on the EU market, manufacturers must complete a conformity assessment to verify compliance with the essential cybersecurity requirements. The type of assessment depends on how the product is classified under the CRA.

Product categories and conformity assessment

The CRA classifies products into three tiers based on their cybersecurity risk, with each tier subject to increasingly rigorous conformity assessment procedures.

If you’re shipping container runtimes, you likely fall into the Important Class II category and will need a third-party assessment. Products that pass their conformity assessment receive the CE marking, which indicates compliance with the CRA and allows them to be sold on the EU market. Products that fail, or that are found to be non-compliant after placement, can be ordered withdrawn or recalled by national market surveillance authorities.

CRA timeline: 3 Deadlines that matter

The CRA entered into force on December 10, 2024, but its obligations phase in over three years. Each milestone introduces a distinct set of requirements.

Date

Milestone

What takes effect

June 11, 2026

Conformity assessment bodies

Member states must designate notifying authorities. Conformity assessment bodies begin formal notification and can start conducting assessments.

September 11, 2026

Reporting obligations

Manufacturers must report actively exploited vulnerabilities and severe security incidents to CSIRTs and ENISA. This retroactively applies to all products already on the EU market, not just new ones.

December 11, 2027

Full enforcement

All essential cybersecurity requirements take effect: security by design, SBOM in technical documentation, vulnerability handling, conformity assessment, CE marking. Non-compliance triggers fines.

The key detail most teams miss: the September 2026 reporting obligation is applicable to products that are already in the market. It retroactively applies to products already on the EU market, not just new releases. If you are selling container images to EU customers today, your 24-hour reporting clock starts in months, not years.

Penalties for non-compliance

Article 64 of the CRA establishes three penalty tiers for non-compliance, with fines set at the member-state level but capped by the regulation:

Up to €15 million or 2.5% of global annual turnover (whichever is higher) for failure to comply with essential cybersecurity requirements and other core obligations (Art. 64 (2)) 

Up to €10 million or 2% of global annual turnover (whichever is higher) or failure to comply with other CRA obligations (Art. 64 (3))

Up to €5 million or 1% of global annual turnover (whichever is higher) for supplying incorrect, incomplete, or misleading information to authorities (Art. 64 (4))

Beyond fines, market surveillance authorities can order product withdrawals, recalls, or outright bans from the EU market. For organizations selling software products into the EU, losing market access is often a more significant consequence than the fine itself.

Microenterprises and small enterprises are generally exempt from fines for missing the 24-hour early warning deadline on vulnerability and incident reporting. Open-source software stewards are not subject to fines for any CRA infringement.

Open-source software and the CRA

The CRA’s treatment of open source was one of the most debated aspects during the legislative process. The final text draws a clear line based on commercial activity.

Free and open-source software that’s not used in the course of a commercial activity, either directly or through support, is outside the CRA’s scope. Individual developers and volunteer maintainers are not classified as manufacturers under the regulation, as long as they operate outside a commercial activity. And the CRA explicitly does not apply to open-source software supplied for distribution outside the scope of a commercial activity.

However, the regulation introduces a new role: the open-source software steward. 

A “steward” is a legal person (a company or foundation, not an individual) that systematically supports the development of open source software intended for commercial activities. The CRA applies a light-touch regime for stewards with limited obligations. They must mainly:

Maintain a cybersecurity policy.

Report actively exploited vulnerabilities.

Cooperate with market surveillance authorities. 

Critically, stewards are not subject to financial penalties for CRA infringements.

Organizations that distribute open-source software under a commercial model, whether through paid support or commercial container image registries, are classified as manufacturers, not stewards. The distinction matters because manufacturers carry the full weight of CRA obligations, including conformity assessment and CE marking.

What the CRA means for container teams

Everything above applies to the full universe of digital products. Here’s where it gets specific. Container images and runtimes distributed commercially into the EU qualify as products with digital elements under the CRA. If your organization publishes container images in a registry that EU customers can pull from, and those images are part of a commercial offering, the CRA applies and you may be considered a manufacturer. This is true regardless of where your organization is headquartered.

The practical implications span the entire container lifecycle:

Image composition transparency: Every image needs a machine-readable SBOM that documents at least the top-level dependencies. Image-layer SBOMs generated at build time, which capture OS packages, runtime libraries, and transitive dependencies, go further than the CRA’s minimum.

Vulnerability management: Organizations must have processes to track, remediate, and report vulnerabilities in the components their images contain. Starting September 2026, all vulnerability and incident reporting obligations listed in Article 14 come into effect.

Security by design: Images should ship with minimal attack surfaces, secure default configurations, and no unnecessary components. Hardened base images with shells, package managers, and debug tools removed satisfy this requirement more directly than standard community images.

Provenance and integrity: The CRA’s essential requirements include protecting the integrity of the product and verifying that components have not been tampered with. Cryptographic signatures and provenance attestations address this directly.

Support periods: Manufacturers must define and communicate a support period during which they will handle vulnerabilities. For container images, that means committing to a patch and rebuild cadence for the lifecycle of each supported image tag.

Compliance starts at the image layer

The CRA raises the bar for every organization that ships software into the EU. For container teams, the requirements map directly to practices the industry has been moving toward: hardened images, build-time SBOMs, provenance attestations, vulnerability monitoring, and defined support lifecycles. The difference is that these practices are no longer optional.

Thankfully, Docker Hardened Images ship with the artifacts the CRA demands: complete SBOMs, SLSA Build Level 3 provenance with non-falsifiable attestations, OpenVEX exploitability data, and cryptographic signatures. The images are minimal by default, continuously rebuilt against upstream fixes, and backed by defined support periods. Pair that with continuous vulnerability monitoring against SBOM data limited to package and component metadata and excluding personal data and embedded secrets, and the CRA’s 24-hour reporting clock starts with a known blast radius rather than a manual triage.

Get started with Docker Hardened Images →

Explore vulnerability monitoring with Docker Scout →

Frequently asked questions

Does the CRA apply to container images?

Yes, generally. Container images distributed commercially into the EU qualify as products with digital elements under the CRA. This applies whether the images are distributed as part of a software product, sold as managed services, or published in a commercial registry. The regulation applies based on commercial availability in the EU market, not on where the manufacturer is headquartered.

What SBOM format does the CRA require?

The CRA requires a commonly used, machine-readable format but does not name a specific standard. In practice, that usually means SPDX or CycloneDX. For container workflows, SPDX is the format BuildKit generates natively as an image attestation. Whichever format you use, scope the SBOM to package and dependency metadata and exclude embedded secrets and personal data from the generated artifact.

Do I have to publish my SBOM publicly?

No. The CRA requires SBOMs to be included in technical documentation and provided to market surveillance authorities upon request. There is no obligation to make them publicly available. However, organizations that do publish SBOMs as attestations attached to their images make it easier for downstream consumers to verify compliance and assess risk. If you do publish, scrub the SBOM and attestations of secrets, internal hostnames, and any personal data first, because a published artifact is difficult to retract.

Are open-source projects exempt?

Open-source software is outside the CRA’s scope as far as they are not made available on the market, and therefore supplied for distribution or use in the course of a commercial activity. Individual volunteer maintainers are not classified as manufacturers as far as they operate outside a commercial activity. However, organizations that distribute open-source software commercially (through paid support, managed services, or commercial registries) may be classified as manufacturers and subject to the full set of CRA obligations.

When do the CRA’s SBOM requirements take effect?

The SBOM requirement is part of the essential cybersecurity requirements in Annex I, which take full effect on December 11, 2027. However, the vulnerability reporting obligations that begin on September 11, 2026 are operationally much harder to meet without SBOM data, so the practical imperative to have SBOMs in place arrives well before the formal deadline.

Source

Omdia, Securing the Software Supply Chain: Strategic Approaches to Support Scaling Development with AI Adoption, May 2026.
Quelle: https://blog.docker.com/feed/

What is an SBOM (and Why Can’t You Ship Without One)?

In Omdia’s 2026 software supply chain security report, 73% of organizations that generate SBOMs say they enable more efficient vulnerability mitigation, yet 86% still find the generation process challenging. That gap between recognized value and operational difficulty is where most teams are stuck. For teams building and securing containerized applications, understanding what an SBOM is, and how to make it useful, is no longer optional.

This guide covers what SBOMs contain, why they matter for software supply chain security, how standard formats and tooling work, and where the industry is headed with regulations and enforcement.

Key takeaways

An SBOM is a machine-readable inventory of every component inside a software artifact.

SBOMs gain real value when paired with provenance attestations and cryptographic signatures.

Generating SBOMs at image build time captures the full dependency tree, including OS packages.

Regulatory mandates (EO 14028, CISA guidance, EU CRA) are making SBOMs a procurement baseline.

What is an SBOM?

Every software artifact ships with dependencies. A container image based on Alpine Linux might include dozens of system packages, each with its own version, license, and upstream maintainer. An application layer on top adds frameworks, libraries, and transitive dependencies that the developer may never have explicitly chosen. The deeper the stack, the harder it becomes to answer a basic question: what is actually running in production?

A software bill of materials answers that question. It’s a structured, machine-readable inventory of every component, library, and module inside a software artifact. Where a package manifest like package.json or requirements.txt lists declared dependencies, an SBOM captures the resolved dependency tree after the build, including transitive dependencies, system-level packages, and metadata about each component’s origin, version, and license. Think of it as a nutrition label for software.

What an SBOM contains

A well-formed SBOM includes several categories of metadata for each component:

Component identity: Package name, version, and supplier (e.g., openssl 3.1.4, maintained by the OpenSSL Project)

Licensing: The license type governing redistribution and use (MIT, Apache 2.0, GPL)

Dependency relationships: How components depend on each other, including direct and transitive dependencies

Unique identifiers: Package URLs (purl) or SWID tags that enable cross-referencing against vulnerability databases

Checksums and digests: Cryptographic hashes that let consumers verify the component has not been tampered withThis data is structured using open standards, primarily SPDX or CycloneDX, to keep it machine-readable and interoperable across tools, registries, and compliance workflows. In practice, an SPDX SBOM entry for a single package looks like this:

{
"name": "openssl",
"SPDXID": "SPDXRef-Package-openssl",
"versionInfo": "3.1.4",
"supplier": "Organization: OpenSSL Project",
"licenseDeclared": "Apache-2.0",
"checksums": [{ "algorithm": "SHA256", "value": "a1b2c3…" }]
}

A real SBOM contains one entry like this for every component in the artifact, from the base image’s OS packages up through the application’s runtime dependencies.

Why SBOMs matter for software supply chain security

The value of an SBOM becomes clear the moment something goes wrong. When the Log4Shell vulnerability was disclosed in December 2021, organizations with current SBOMs could query their inventories and identify every affected image within minutes. Teams without them spent days manually tracing dependencies across registries and deployment manifests.

Sonatype’s research found that nearly 65% of open source CVEs lack an NVD-assigned CVSS score, and when scored independently, 46% turned out to be high or critical. Without an SBOM, those unscored vulnerabilities are invisible.

Faster incident response

When a new CVE drops, the first question is always where are we exposed? An SBOM makes that question answerable in seconds rather than days. Cross-reference the affected package and version against your SBOM library, and you have an immediate blast radius. Pair the SBOM with continuous vulnerability scanning and the process becomes automated: new CVEs are matched against existing SBOMs, and affected images are flagged without manual intervention.

Customer spotlight: JWP, a video streaming platform serving more than 1 billion users, enabled vulnerability scanning across 400+ repositories in under an hour. With SBOMs feeding their scanning pipeline, the team fixed thousands of vulnerabilities while filtering out tens of thousands of non-critical issues, reducing noise and accelerating remediation.

Regulatory compliance

SBOMs are moving from best practice to legal requirements. In the United States, Executive Order 14028 helped set SBOM requirements in motion for software sold to federal agencies. CISA’s 2025 Minimum Elements guidance aims to clarify what a useful SBOM should include. The EU’s Cyber Resilience Act (EU CRA) extends similar requirements to products sold in the European market. For organizations operating in regulated industries, finance, healthcare, defense, and critical infrastructure, SBOM delivery is becoming a procurement gate.

Proactive verification, not reactive trust

SBOMs shift the security model from assuming software is safe to verifying that it is. Rather than trusting that a base image is clean because the registry says so, teams can inspect the SBOM to confirm which packages are present, which versions are running, and whether any known vulnerabilities apply.

In practice, that means writing policies against SBOM data: no image ships if it contains a package from an unapproved supplier, no end-of-life component persists past a defined grace period, no image deploys without a matching SBOM attestation. These checks can run automatically in CI, turning the SBOM from a passive document into an active gate.

When combined with provenance attestations and cryptographic signatures, the SBOM becomes one layer in a verifiable chain of custody from source to deployment. You’re no longer taking the registry’s word for it. You’re cryptographically verifying it.

SBOM formats and standards

For an SBOM to be useful across teams, tools, and organizations, it needs a shared language. Two open standards dominate the landscape, each designed for a different primary use case.

SPDX (Software Package Data Exchange)

Developed by the Linux Foundation (ISO/IEC 5962:2021), SPDX is the most widely adopted format for license compliance and open source auditing. It is also the format used by BuildKit’s built-in SBOM generator, which attaches an SPDX document as an attestation to the container image during the build.

CycloneDX

Developed by the OWASP Foundation, CycloneDX is optimized for security workflows and DevSecOps pipelines. It includes fields for vulnerability metadata and dependency graphs, and integrates well with tools like OWASP Dependency-Track.

SBOM Formats at a Glance

SPDX

CycloneDX

Primary focus

License compliance, open source auditing

Security, vulnerability management

Governed by

Linux Foundation (ISO/IEC 5962:2021)

OWASP Foundation

Format types

JSON, YAML, tag-value, RDF/XML

JSON, XML, Protocol Buffers

Best for

Compliance, due diligence, audits

DevSecOps pipelines, CI/CD integration

Container ecosystem support

Native in BuildKit attestations

Also produced by tools like Syft and Trivy

If you’re building container images, start with SPDX. It’s the format BuildKit generates natively, so you get an SBOM as a build output with zero additional tooling. Your downstream scanning tools may prefer CycloneDX, and that’s fine. The two formats are interoperable, and converters exist for moving between them. Let the build produce SPDX; let consumption tools handle conversion if they need it.

SWID (Software Identification Tags), a third format governed by ISO/IEC 19770-2, is primarily used for IT asset management in enterprise and government procurement. But it has largely lost traction in cloud-native and container workflows.

How SBOMs fit into container workflows

In traditional software development, SBOMs are often generated after the fact, bolted on as a compliance artifact during release. Container workflows offer a better approach: generating the SBOM at build time, as a native output of the image build process.

Build-time generation

When you build a container image with BuildKit, the builder scans the final image filesystem and produces an SBOM that reflects what actually shipped, not just what was declared in the Dockerfile. Because it captures the resolved state after all build stages complete, it includes OS-level packages, application-level dependencies, and any files copied from external sources.

Source-level SBOMs, generated from manifest files before the build, frequently miss transitive dependencies and system packages. An image-layer SBOM reflects reality.

Attestation and provenance

An SBOM tells you what’s in an image. Provenance attestations tell you how it was built: which builder, which source commit, which build platform. Together, they form a verifiable chain of evidence that auditors and policy engines can evaluate programmatically. This is the model described by SLSA (Supply-chain Levels for Software Artifacts), where Build Level 3 requires hardened build platforms with non-falsifiable provenance. SLSA is the specification; in-toto is the attestation format it uses.

The SBOM itself is attached to the image as an in-toto attestation using the SPDX predicate format. Provenance is attached the same way, so both travel with the image as verifiable, machine-readable metadata.

Registry storage

Once the image and its attestations are built, they need to live somewhere consumers can access them. Pushing the image to an OCI-compliant registry keeps the SBOM co-located with the artifact it describes. This matters because an SBOM that lives in a separate system, a shared drive, a compliance portal, or a CI artifact bucket, will eventually drift out of sync with the image it was generated from. Co-location eliminates that gap: pull the image, and you pull its SBOM and provenance with it.

Continuous scanning

With SBOMs attached to images and stored in a registry, they become inputs for continuous vulnerability monitoring. New CVEs are matched against the components listed in the SBOM without re-analyzing the image itself. Instead of re-scanning every image when a new vulnerability is disclosed, the scanner cross-references the SBOM inventory and flags affected images immediately.

Policy enforcement

Scanning identifies risk. Enforcement acts on it. Policy engines can consume SBOM data to gate deployments based on rules the team defines: no image ships if it contains a package from an unapproved supplier, no end-of-life component persists past a defined grace period, no image deploys without a matching SBOM attestation.

These checks run automatically in CI, turning the SBOM from a passive document into an active gate. You’re no longer relying on manual review to catch a problematic dependency. The pipeline catches it before the image reaches production.

SBOM maturity: Where does your organization stand?

SBOM adoption isn’t binary. Most organizations fall somewhere on a spectrum from ad hoc to fully scaled. The following maturity model helps teams assess where they are and what to prioritize next.

Level

Generation

Storage

Scanning

Governance

Ad hoc

Manual, on request

Local files or shared drives

Occasional, tool-dependent

No formal policy

Pilot

Automated for 1–2 apps or services

Alongside build artifacts

Integrated into CI for pilot apps

Basic policy drafted

Production

Automated for all new images

Attached to images in OCI registries

Continuous, with alerting

Policies enforced in pipelines

Scaled

All images, including third-party ingestion

Centralized SBOM management platform

Continuous with policy gating

Cross-org governance, audit trails, supplier requirements

Omdia’s 2026 software supply chain security survey surfaced that more than half of the organizations generating SBOMs are only generating them on a case-by-case basis. 

Common misconceptions about SBOMs

SBOMs are just a compliance checkbox

Teams that generate SBOMs solely to satisfy a procurement requirement are missing the operational value. SBOMs are most useful as a live data source for vulnerability management, incident response, and dependency tracking. A one-time SBOM generated for an audit and then filed away provides a false sense of coverage.

They’re the same as SCA

Software composition analysis (SCA) tools scan code or images for known vulnerabilities. An SBOM is the inventory that makes that scanning possible. SCA and SBOMs generally work together. The SBOM is the inventory, and SCA tools use that inventory, often generating their own, to check for known vulnerabilities. The distinction matters because scanning tends to be only as good as the inventory behind it.

SBOMs are a one-time artifact

An SBOM is tied to a specific image digest. Every time you rebuild an image, the SBOM should be regenerated to reflect any dependency changes. Stale SBOMs create a gap between what you think is running and what’s actually deployed. Automated build-time generation eliminates this drift.

SBOMs substitute runtime security

SBOMs tell you what shipped. They do not tell you what’s happening at runtime. An SBOM will not catch a zero-day that hasn’t been disclosed yet, detect anomalous process behavior inside a running container, or verify that the application logic is correct. SBOMs are one layer in a defense-in-depth model: they handle inventory and composition. Runtime monitoring, network policies, and access controls handle the rest.

What can go wrong without SBOMs

Let’s say a zero-day vulnerability is disclosed in a widely used library. Without SBOMs, the security team starts a manual triage: checking Dockerfiles, querying registries, asking developers which versions they use. Hours pass. Some images are missed because the affected package is a transitive dependency three levels deep. By the time the blast radius is mapped, the vulnerability has been public for two days.

With SBOMs attached to every image, the same triage takes minutes. Query the SBOM database for the affected package and version, get a list of every image that includes it, and prioritize remediation based on deployment context.

Getting started with SBOMs

The most common mistake teams make is treating SBOM adoption as a large-scale transformation project that’ll derail workflows. It doesn’t need to be.

Start with one image. Pick a production image and enable SBOM generation on the next build. With BuildKit, that is a single flag:

docker buildx build –attest type=sbom –tag myapp:latest .

Review the output. This single step often reveals transitive dependencies and OS packages you did not know were in the image.

Automate generation in CI. Extend the flag to your CI pipeline so every image build produces an SBOM automatically.

Store SBOMs alongside images. Attach SBOMs as attestations in your OCI registry so the SBOM stays co-located with the artifact it describes.

Connect to monitoring. Feed SBOMs into a vulnerability monitoring tool that can continuously match components against new CVEs. This closes the loop between inventory and action.

Set policies. Define what is acceptable: maximum CVE age, required minimum SBOM completeness, blocked licenses. Enforce these policies in the pipeline so non-compliant images are flagged before deployment.

Build with visibility, ship with confidence

SBOMs are the foundation of software supply chain security. They turn opaque software artifacts into transparent, auditable inventories that security teams, compliance officers, and developers can all use. But an SBOM alone is not enough. The real value comes when SBOMs are generated at build time, paired with provenance attestations, and continuously monitored against emerging threats.

Docker makes this workflow native. Docker Hardened Images ship with complete SBOMs, SLSA Build Level 3 provenance, OpenVEX exploitability data, and cryptographic signatures on every image. Meanwhile, Docker Scout provides continuous vulnerability monitoring powered by the SBOM data attached to your images, surfacing actionable insights across your entire image portfolio. Together, they give teams a verifiable chain of custody from source to production, with no manual assembly required.

Frequently asked questions

What does SBOM stand for?

SBOM stands for software bill of materials. It’s a structured inventory of every component, dependency, and metadata element inside a software artifact, formatted in a machine-readable standard like SPDX or CycloneDX.

Are SBOMs required by law?

In the United States, Executive Order 14028 requires SBOMs for software sold to federal agencies. CISA’s 2025 draft guidance proposes an updated set of minimum elements. The EU Cyber Resilience Act extends similar requirements to products sold in the European market. For organizations in regulated industries, SBOMs are increasingly a procurement prerequisite rather than a voluntary practice.

What is the difference between an SBOM and a package manifest?

A package manifest (package.json, requirements.txt, go.mod) lists the dependencies a developer declared. An SBOM captures the fully resolved dependency tree after the build, including transitive dependencies, system-level packages, and metadata like licenses and checksums. The manifest is an input to the build; the SBOM is an output that reflects what was actually shipped.

How often should an SBOM be updated?

An SBOM should be regenerated every time the associated artifact is rebuilt. For container images, this means generating a new SBOM with each image build. Between rebuilds, the existing SBOM remains valid for the specific image digest it describes, but new CVEs may be discovered against the components it lists. Continuous monitoring against the stored SBOM catches these without requiring a rebuild.

Source

Omdia, Securing the Software Supply Chain: Strategic Approaches to Support Scaling Development with AI Adoption, May 2026.
Quelle: https://blog.docker.com/feed/

Coding Agent Horror Stories: The 13-Hour AWS Outage

In Part 1, we walked through six categories of AI coding agent failures and why they keep happening. The agent runs as you, with your filesystem permissions and your credentials, and nothing sits between the model’s decision and the shell’s execution. In Part 2, we looked at one specific version of that failure in detail, the rm -rf ~/ incident that wiped a developer’s entire Mac in a single command. Part 3 moves the same problem up the stack, into a production AWS environment where the blast radius is no longer one laptop but a regional cloud service.

What happens when the agent isn’t running on your laptop, but on a production AWS environment with operator-level credentials? You get a thirteen-hour outage, a public denial that fooled no one, and a series of follow-on incidents that cost Amazon an estimated 6.3 million orders before the company was forced to introduce what it called a “code safety reset.” 

Today’s Horror Story: The Agent That Deleted Production

In mid-December 2025, an AWS engineer asked Kiro for help with a small bug in AWS Cost Explorer, the dashboard customers use to track their cloud spending. Kiro is Amazon’s own agentic coding assistant. It had been granted operator-level access to the environment, the same access the engineer had, because that was how Kiro was being rolled out across the company at the time.

Kiro looked at the bug, weighed its options, and decided the cleanest fix was to delete the production environment and rebuild it from scratch. The engineer never got a chance to step in. There was no confirmation prompt, no second pair of eyes, no two-person rule, and by the time anyone could have intervened the deletion was already done. Cost Explorer went down for thirteen hours in one of AWS’s mainland China regions.

This was not a security breach. It was an AI coding agent doing exactly what it had been set up to do, running with the engineer’s full credentials, with nothing in the architecture to catch the moment between “delete and recreate” being a reasonable option to consider and a production service being torn down.

In this issue, you’ll learn:

What happened in the December outage, step by step

Why Amazon’s “user error, not AI” response only told part of the story

How the December incident set the stage for outages that cost an estimated 6.3 million orders by March 2026

The scoped-identity pattern that prevents this whole category of failure

Why This Series Matters

Each “Horror Story” examines a real-world incident that turns laboratory findings into production disasters. These aren’t hypothetical attacks. They’re documented cases with named victims, internal memos obtained by reporters, and in several cases, public denials from the vendors. Our goal is to show the human and operational impact behind the security statistics, demonstrate how these failures unfold in practice, and provide concrete guidance on protecting your infrastructure through Docker’s scoped-identity execution model.

The story begins with an internal memo dated November 24, 2025. Three weeks before Kiro deleted the Cost Explorer environment, two of Amazon’s senior VPs, Peter DeSantis (AWS Utility Computing) and Dave Treadwell (eCommerce Foundation) signed and distributed an internal memo telling the company that Kiro was now the standardized AI coding assistant for the entire organization. The memo set a target of 80% weekly usage by every Amazon engineer by year-end 2025, and directed teams to stop using third-party AI tools unless a VP signed off on the exception.

Engineers came to call this the “Kiro Mandate.” Adoption was tracked as a corporate OKR, and engineers who weren’t using the tool showed up on management dashboards. The mandate was framed as a performance question, not a safety question, which mattered because the safety side of the rollout had not kept up. Things like peer review for destructive changes, approval gates for production access, and per-agent permission scoping had not been formally extended to AI-assisted work when the 80% target was set

Around 1,500 Amazon engineers signed an internal forum post pushing back, arguing that tools like Claude Code outperformed Kiro on real engineering tasks like multi-language refactoring. Management proceeded with the mandate anyway. By January 2026, 70% of Amazon engineers had used Kiro during sprint windows. Adoption was on track. The risk profile of what those engineers could do with the tool was a different story.

Then on February 20, 2026, the Financial Times broke the story based on accounts from four people familiar with the incident. The FT reporting also surfaced a second AI-related outage, this one involving Amazon Q Developer, on a separate system. Amazon’s response went up the same day under the title “Correcting the Financial Times report about AWS, Kiro, and AI.” It called the cause “user error, specifically misconfigured access controls, not AI as the story claims,” and dismissed the FT’s second-incident claim as “entirely false.”

The misconfigured access controls part is worth a closer look. A typo would have been “user error.” What actually happened was a structural decision to give an autonomous agent the same permissions as a human operator, in a system where the human’s safety net had always been a colleague asking “are you sure?” Kiro had no colleagues.

The Scale of the Problem

The December outage was the visible piece of a bigger pattern. Inside Amazon, briefing notes described a series of incidents with “high blast radius” tied to AI-assisted changes, with safety rules that had not yet been written for the way the agents were now being used. None of that language was ever shared publicly.

On March 2, Amazon.com showed shoppers the wrong delivery dates after they added things to their carts. About 120,000 orders were lost and 1.6 million people hit error pages. Amazon’s internal review pointed at one of its own AI tools, Amazon Q, as a main cause. Three days later, on March 5, the storefront went down for six hours and lost an estimated 6.3 million orders, with U.S. order volume dropping 99% while it was down. Both incidents traced back to AI-written code that had been pushed live without proper review.

On March 10, Dave Treadwell, the same SVP who had co-signed the Kiro Mandate four months earlier, announced a 90-day code safety reset across roughly 335 of Amazon’s most important systems. The new rules: two people had to sign off on every change going live, senior engineers had to approve AI-written code from juniors, and the automated checks were tightened. Treadwell called the new approach “controlled friction.” It’s a quiet way of saying the friction had not been there before, and that what arrived in March was what should have been in place in November.

How the Failure Works

To understand why these incidents happen, you have to look at the architecture underneath. Kiro was doing exactly what an agentic coding assistant is designed to do. The failure was in the system that surrounded it.

When Kiro runs on behalf of an engineer, it inherits the engineer’s full set of permissions. There’s no separate identity for “Kiro acting on behalf of someone,” no role with a narrower scope than the human who launched it. Whatever the engineer can touch, the agent can touch. This is the same property we walked through in Part 1 for filesystem access, applied here to cloud credentials instead. The agent gets a copy of the keys, every time.

Then there’s the loop. In most AI coding assistants the reasoning step and the execution step happen inside the same cycle. The agent thinks about what to do, generates the action, and runs it before the engineer has a chance to read what it decided. There’s no proposal stage, no preview screen, no “do you want me to do this?” gate that a human approves first. The deciding and the doing are one thing.

The speed makes this worse. Most safeguards in software engineering assume a human is the one making the change. A confirm? (y/n) prompt only protects against typos because a person sees it, pauses, and reads it. An agentic loop reads the same prompt and replies “y” in milliseconds. By the time anyone notices the agent has made a decision, the decision has already been executed. Post-hoc intervention isn’t really a thing in this environment.

And the reasoning that gets the agent there isn’t wrong. It’s just not bounded by the things that would have stopped a human. A senior AWS engineer with the same permissions would not have looked at a small bug in Cost Explorer and decided the right move was to tear down the production environment. They would have walked over to a colleague, posted in a Slack channel, paused to think about whether anyone had pinged them lately about that service. Kiro had the same permissions and skipped all of that, because none of it is part of how an AI agent makes a decision.

Kiro didn’t go rogue. It didn’t malfunction. It was optimizing for the objective it was given, which was to fix the bug, and “delete and recreate” is a legitimate solution in many engineering contexts. What was missing wasn’t smarter reasoning. It was the layer of friction that would have caught the moment between “this is a defensible option” and “this is happening to a live customer service.”

Technical Breakdown: How a Cost Explorer Fix Became a 13-Hour Outage

Caption: Diagram illustrating how operator-level permissions flow directly from engineer to agent to production control plane, with no scoped-identity boundary in between.

Here’s how the December incident unfolded, step by step:

1. The Request

An AWS engineer is looking at a small bug in Cost Explorer for the cn-northwest region. They hand it to Kiro the way they’d hand it to a colleague:

check the cost explorer issue in cn-northwest and propose a fix

That’s the whole prompt. No special framing, no permissions caveat. It’s just routine maintenance.

2. The Reasoning

Kiro looks at the environment, finds the misconfiguration, and weighs its options. It could patch the misconfiguration in place, or redeploy specific components, or tear the environment down and rebuild it cleanly from the deployment templates. From a pure correctness standpoint, the last option is the most thorough, since it guarantees no residual state from the broken configuration. That’s the path Kiro picks.

3. The Inheritance

Kiro is running as the engineer. The engineer has operator-level access to the Cost Explorer production environment, including the ability to tear it down, because that’s the kind of operation a human operator might legitimately need during an incident. The control plane has no concept of “Kiro acting on behalf of the engineer.” It only has “an authenticated principal with sufficient permissions making a request.” From its point of view, the engineer is making the call.

4. The Execution

Kiro initiates the deletion, and the request runs in the seconds it takes to send the API call. There is no confirmation prompt the engineer could intercept in that window, no two-person rule waiting on a second approver, and no policy gate watching for the specific shape of “this command would tear down a production service.” The control plane sees a valid API call from an authenticated principal with sufficient permissions, and it processes the call the way it would process any other operator request.

5. The Outage

Cost Explorer in the affected region goes down, and customers across that region lose the ability to view, analyze, or manage their cloud spending. The outage ends up running for thirteen hours, with almost all of that time spent on recovery rather than detection, because the deletion itself completed in the seconds it took to send the API call. Rebuilding the environment from the deployment templates, validating the configuration against the expected state, restoring connectivity to the services Cost Explorer depends on, replaying the state the old environment had built up, and bringing the service back up in front of real traffic is the work that takes the rest of the day.

Internally, the incident enters Amazon’s Correction of Error process, while externally the story stays quiet for two months until the Financial Times breaks it on February 20, 2026. Amazon’s response, issued the same day, frames the cause as “user error, specifically misconfigured access controls,” and announces mandatory peer review for production access in the same breath. That second part is the architectural admission that something more than user error needed to be fixed.

The Impact

Within thirteen hours, AWS had:

Lost a production service for a regulated region (mainland China) where service continuity matters acutely

Triggered an internal investigation that produced a post-incident briefing characterizing the failure as part of a “trend of incidents” with “high blast radius”

Set the conditions for the follow-on incidents in March that cost an estimated 6.3 million orders

The technical fix was simple. Mandatory peer review for production access. The reason it wasn’t in place from the start is the part that matters: nobody had updated the operational model to account for the fact that the entity making the change might be moving at a thousand times the speed of the entity reviewing it.

This is what one autonomous “delete and recreate” decision produces when the agent has the same credentials as the engineer who launched it.

How Docker Sandboxes Eliminates This Attack Vector

Issues 1 and 2 covered the commands you’d type to run an agent in a sandbox. This one is about what sits underneath those commands, because the Kiro incident isn’t really a CLI problem. It’s an architecture problem, and no command-line flag fixes the kind of gap the December outage exposed. What fixes it is the layer the flag sits on top of.

That layer is the microVM. Each sandbox runs inside its own dedicated microVM, with its own kernel, its own filesystem, its own network namespace, and its own Docker daemon. It’s hardware-boundary isolation, the same kind you get from a full VM, but optimized for the way agents actually work: spin up in seconds, throw away when done, no path back to the host. As Docker’s microVM architecture post explains, the bounding box has to come from infrastructure, not from a system prompt. An LLM deciding its own security boundaries is not a security model.

This is the part that matters for the Kiro case. Inside a microVM, the agent isn’t an extension of the engineer’s identity. It’s a distinct process with a distinct view of the world, running on a different kernel, talking to a different Docker daemon, reaching the network through a proxy that the agent cannot see or bypass. The credentials that would let a human operator delete a production environment are not in the agent’s process memory, not in its environment variables, not in any file it can read. They live outside the microVM boundary entirely.

Three architectural decisions that close the Kiro gap

The Docker Sandboxes architecture documentation describes how each layer of the design protects against a specific class of failure. Three of those layers are directly relevant to the December incident.

1. The workspace is mounted at the same path it has on the host, and nothing else is. The sandbox sees the agent’s workspace through a filesystem passthrough at the same absolute path. That’s the only thing it sees. The engineer’s home directory, their cloud configs, their credential files, their SSH keys, all of that lives outside the boundary. If the agent reasoned its way to a “delete and recreate” plan, the deletion would target the workspace, which is reproducible from source anyway. The host stays whole.

2. The Docker daemon lives inside the VM, with no path back. This is the design decision that separates Docker Sandboxes from approaches that look similar on the surface. Mounting the Docker socket from the host gives the agent escape paths. WASM and V8 isolates can’t run a full development environment. A general-purpose VM is too heavy to spin up for a single session. A microVM with its own Docker daemon is the only model that gives the agent a real working environment without any of those compromises. For the Kiro case specifically, it means the agent can investigate the Cost Explorer bug, build container images, run tests against them, and propose a fix, all without ever holding the credentials it would need to execute that fix against the live service.

3. A proxy on the host enforces credentials and network policy. All outbound traffic from the sandbox routes through an HTTP/HTTPS proxy running on the host, outside the VM boundary. This is the layer that directly addresses what went wrong with Kiro. Secrets are stored on the host, scoped to specific services, and injected into outbound requests by the proxy. The agent never sees the values themselves. It also can’t get around the proxy, because the proxy is the only way traffic leaves the microVM at all. If the agent decides to call a destructive control-plane endpoint, the proxy is what stops it, regardless of what the model has reasoned its way to.

Why this matters for the Kiro incident specifically 

Let’s replay the December scenario against this architecture. The engineer launches the agent inside a sandbox. The microVM boots in seconds, the workspace gets mounted, and the agent starts up without any AWS operator credentials in its environment. Those credentials are still on the host, where they belong. From here, the agent investigates the Cost Explorer bug exactly the way Kiro did, reasoning through the same options and quite possibly landing on the same “delete and recreate” plan. Nothing on the inside of the box has changed.

What changes is what happens when the agent tries to act. The deletion call leaves the sandbox through the only path available to it, which is the proxy on the host. The proxy checks the network policy and either authenticates the call with a scoped, read-only credential the engineer set up for investigation work, or it refuses the call because the destination wasn’t on the allowlist. Either way, the December outcome, the thirteen-hour production outage, simply doesn’t happen. The agent’s plan ends up in front of the engineer as a proposal. The engineer reads “delete and recreate,” recognizes that it’s too much for a small bug, and asks the agent to patch in place instead.

This pattern generalizes. The same architecture that would have contained the LovesWorkin filesystem incident in Issue 2 would have contained the Kiro control-plane incident in this one, because both failures share the same root cause: an agent acting with the launching user’s full identity, at machine speed, against systems that have no way of knowing they’re talking to an agent. The microVM makes the agent a distinct actor with its own boundary. The isolated Docker daemon gives that actor a real working environment to operate in. The proxy gives the engineer a place to decide, ahead of time, what that actor can reach. The blast radius of anything the agent reasons its way into is bounded by what the sandbox allows, not by what the engineer who launched it happens to have access to.

The sbx CLI is what exposes all of this to the developer. Here’s what the Cost Explorer investigation would have looked like inside a sandbox, configured the way the December incident needed.

# 1. Store the AWS credential for the sandbox, outside the agent's view.
# The actual scoping (read-only, Cost Explorer only) is handled
# at the AWS IAM layer when the credential is created. From sbx's
# side, the credential is opaque, the agent never sees the value,
# and the proxy is what injects it into outbound calls.
echo "$AWS_COST_EXPLORER_READONLY_KEY" | sbx secret set -g aws

# 2. Define what the sandbox is allowed to reach on the network.
# Cost Explorer read endpoints are on the list. Control-plane
# endpoints that would let an agent tear down a production
# environment are not.
sbx policy allow network "ce.amazonaws.com,api.anthropic.com"

# 3. Launch the agent inside the sandbox.
sbx run claude

# 4. After the session, review what the proxy allowed and denied.
# Any attempt the agent made to reach an endpoint outside the
# allowlist will show up here.
sbx policy log

Step 1 stores the AWS credential outside the agent’s view, with the read-only and Cost-Explorer-only scoping enforced by AWS IAM rather than by sbx. Step 2 defines the network perimeter the proxy will enforce, independent of how broad the credential’s IAM permissions actually are. Step 3 starts the agent inside the microVM with no path back to the host. Step 4 is what makes the whole setup auditable: every call the proxy allowed or denied during the session, including any attempt the agent made to reach destinations off the allowlist, shows up in sbx policy log.

What this gives the engineer, end to end, is a working agent with a known and bounded reach. The agent can investigate, reason, and propose. It cannot execute its way into a region-wide outage.

What This Looks Like in Practice

Stepping back from the Kiro story for a moment, the picture is straightforward. Docker Sandboxes gives an agent a real working environment, scoped credentials, a network boundary, and a path that throws everything away cleanly when the session ends. Compared with the way most engineers run AI coding agents today, the trade-offs look like this:

Security Aspect

Traditional Agentic Setup

Docker Sandboxes

Identity

Engineer’s full credentials

Scoped identity per task

Secret Handling

Loaded into agent context

Proxy-injected, never exposed

Production Access

Inherited from operator role

Explicit allowlist or nothing

Destructive Operations

Execute at machine speed

Reviewable before execution

Audit Trail

Per-engineer, post-hoc

Per-sandbox, real-time sbx policy log

Blast Radius

Whatever the engineer can do

Whatever the sandbox is configured for

The row that matters most for the Kiro story is the second-to-last one. Without a sandbox, a destructive operation runs as fast as the API call leaving the agent’s process. With a sandbox, that same operation has to clear the proxy first, which means it lands in the engineer’s review queue instead of in production.

Best Practices for Secure Agentic Production Work

Never give an agent your full production credentials. Create a scoped identity with the minimum permissions the specific task needs. If the agent is investigating a read-only issue, give it read-only access. The Kiro incident is what happens when this rule is skipped.

Inject secrets through a proxy, not through environment variables. A secret the agent never sees is a secret the agent cannot accidentally send to the wrong endpoint, leak in a log, or include in a code commit. Proxy injection turns the credential from data the agent holds into a capability the proxy provides.

Tag AI-assisted changes as a distinct change category. Track them, require senior review, and apply the two-person rule by default. This is not a slowdown for AI workflows. It is the same review discipline a senior engineer’s pull request would get, applied to an actor that ships at machine speed.

Read the policy log. sbx policy log records every connection attempt the proxy allowed or denied during a session. A blocked attempt to reach a destructive endpoint is exactly the signal you would want to see, and it stays buried unless someone looks.

Pair adoption metrics with blast-radius metrics. Amazon’s 80% Kiro target was a corporate OKR. The safeguards that should have moved alongside it were tracked nowhere. Pushing usage forward without also pushing safety boundaries forward is what set up the December outage.

Take Action

The path to safe agentic work in production-adjacent environments starts with one shift: stop giving agents the credentials you give your humans.

Install Docker Sandboxes. The Docker Sandboxes documentation walks through installing sbx and running your first scoped-identity agent.

Read the security model. The Docker Sandboxes security documentation covers credential handling, isolation layers, network policies, and workspace trust in detail.

Try the proxy-injected secrets pattern. Running sbx secret set followed by sbx run is the quickest way to see how the threat model shifts when secrets sit outside the agent’s context rather than inside it.

If you’re new to this series, Issue 1 walks through the six categories of AI coding agent failures, and Issue 2 goes deep on the rm -rf ~/ incident on the filesystem layer.

Conclusion

The December Cost Explorer outage and the March outages on Amazon.com are points on the same line. They are what happens when an agent inherits an operator’s credentials, when the safeguards designed for human pace meet a decision-making loop that moves a thousand times faster, and when adoption gets pushed forward without anything pushing the safety boundary forward with it.

Amazon’s response is the part of the story worth holding onto. “User error, specifically misconfigured access controls” is true in the same way that “operator error, not the missing guardrail” was true for every famous industrial accident before guardrails were invented. The misconfigured access controls weren’t a typo. They were the structural decision to scale agentic adoption without scaling the identity model around it. Everything Amazon added afterward, the peer review, the senior sign-off on AI-assisted changes, the 90-day code safety reset, the “controlled friction” Treadwell described, points at the same gap. The agent needed to operate in a smaller box than the engineer it was running on behalf of.

Docker Sandboxes doesn’t try to make the agent more cautious; it changes what the agent can reach. The credentials sit outside the boundary. The destructive endpoints sit off the allowlist. The agent gets a real working environment, but not the production control plane.

Coming up in our series: Issue 4 will explore the GitGuardian sprawl report and the s1ngularity attack, where AI agents weaponized their own context windows to scan developer machines for credentials, and how proxy-injected secrets eliminate the exposure surface

Learn More

Run agents safely with Docker Sandboxes: Visit the Docker Sandboxes documentation to get started.

Explore the Docker MCP Catalog: Discover MCP servers that connect your agents to external services through Docker’s security-first architecture.

Download Docker Desktop: The fastest path to a governed AI agent environment, with Docker Sandboxes, MCP Gateway, and Model Runner in a single install.

Read the MCP Horror Stories series: Start with issue 1 to understand the protocol-layer security risks that complement the agent-layer risks covered here.

Quelle: https://blog.docker.com/feed/

Docker Content Trust: Retirement and Migration Guidance

TLDR: Docker Content Trust (DCT) and the Notary v1 service at notary.docker.io are being fully retired (first announced in July of 2025). This blog explains what is changing, who is affected, and how to move to modern alternatives. 

Ten years ago, Docker Content Trust (DCT) gave the container ecosystem one of its first ways to verify the integrity and publisher of an image, built on The Update Framework and the Notary v1 project. The upstream Notary v1 codebase is no longer maintained, more modern signing tools have become the standard, and today a very small number (fewer than 0.05%) of Docker Hub pulls rely on DCT.

Last year we began retiring DCT for Docker Official Images, and now we’re completing that work by fully retiring DCT and the Notary v1 service at notary.docker.io. This post covers what’s changing, who’s affected (for most people, nothing), and the modern alternatives that are available to users.

Why are we retiring Docker Content Trust (DCT)?

DCT relies on the upstream Notary v1 server, the original TUF-based implementation that was first released in 2015, and the project is no longer maintained. In the years since, the ecosystem has standardized on OCI-native signing tools such as Sigstore/Cosign and the Notary Project’s Notation, that store signatures alongside the image in any compliant registry, with no separate trust infrastructure to run. The broader ecosystem has been retiring this approach–Microsoft deprecated DCT support in Azure Container Registry some time ago, and Harbor deprecated Notary v1 support too.

Retiring Notary v1 lets us put our investment behind other modern, standards-based tools (described below) that developers are already adopting, and behind making secure defaults first-class citizens on Docker Hub.

Who is affected by this change?

DCT was opt-in, and normal image pulls (docker pull) would not touch the Notary service, so if you’ve never deliberately turned it on, nothing about your workflow changes. You can stop reading here.

The change matters if you configured DCT for use, which usually shows up in one of a few ways:

You have DOCKER_CONTENT_TRUST=1 set in your environment, shell profile, CI pipeline, or Dockerfile.

Your scripts or automation use docker trust sign, docker trust inspect, or docker trust revoke.

Your Kubernetes admission controllers or deployment policies check for DCT signatures.

You publish images to Docker Hub with DCT signing enabled.

If you have never set DOCKER_CONTENT_TRUST and do not use docker trust commands, this change does not affect you. 

Pathway to retirement: timeline

We’re winding DCT down in stages rather than all at once. The brownouts are brief, scheduled outages, these are dry runs that flush out any pipeline still leaning on the service while there’s time to fix it. Writes go dark before reads, so signing breaks before verification and publishers can get the earliest heads-up.

Date

What happens

Jul 14, 2026

4-hour write brownout

Jul 15, 2026

4-hour write brownout 

Aug 10, 2026

4-hour read brownout 

Aug 12, 2026

4-hour read brownout 

Dec 8, 2026

Full shutdown

Windows run ~4 hours and begin at 8AM Pacific Time.

Note this only touches DCT trust operations; ordinary docker pull and docker push operations will keep working through these windows.

What to do if you are affected: migration guide and alternatives

If any of the cases above describe your setup, here’s how to move off DCT cleanly. The ecosystem has settled on a handful of strong, widely-adopted tools, so this is as much a menu as a manual. The steps run from the quickest unblock to the most complete setup; pick the leading technology that fits your workflow, and go as far down the list as your situation calls for.

Ensuring image pulls succeed

If your only goal is to ensure that image pulls keep working past the shutdown date, disable DCT. This is the fastest path to unblocking your workflows, but it removes tag-level verification. 

# Remove from your current shell session
unset DOCKER_CONTENT_TRUST

# Or explicitly disable it
export DOCKER_CONTENT_TRUST=0

Search your environment for anywhere this variable might be set, including shell profiles, CI/CD configuration, Compose files, and K8s manifests. Once DCT is disabled, all pulls continue to work normally.

Ensuring pulls are repeatable

Tags on image registries can change when an image is updated. Pulling by digest guarantees that you get the exact image content you expect, regardless of whether a tag has been moved or overwritten. Digests are immutable.

# Find the digest of an image you have pulled
docker pull busybox:latest
docker images –digests busybox
# REPOSITORY TAG DIGEST IMAGE ID
# busybox latest sha256:f85340bf… abc123def456

# Pull by digest
docker pull busybox@sha256:f85340bf…

Use digests in dockerfiles for reproducible builds, and in Kubernetes manifests or Compose files to ensure predictable deployments. 

Digest pinning verifies content integrity (you get exactly what you asked for), but it does not by itself prove publisher identity. For that, you need cryptographic signatures, which is where Sigstore/Cosign and Notation come in.

Proving publisher identity

Two mature, actively maintained signing projects have replaced DCT’s signing capabilities in Hub. Both store signatures alongside the image in OCI-compliant registries.

Option A: Sigstore / Cosign

Cosign is part of the Sigstore project and supports identity-based signing using short-lived certificates tied to an OIDC identity. It stores signatures as OCI artifacts in the same registry, alongside the image. 

Sigstore quickstart: https://docs.sigstore.dev/quickstart/quickstart-cosign/ 

Cosign on GitHub: https://github.com/sigstore/cosign 

Option B: Notation

Notation is the CLI for the Notary Project. It uses a certificate-based PKI model and stores signatures as OCI reference artifacts. 

Notation quickstart: https://notaryproject.dev/docs/quickstart/ 

Notation on GitHub: https://github.com/notaryproject/notation

Enforcing verification in production

Signing images is only half the story. To get full security benefits, you need to enforce that only signed images can be deployed.

Kyverno (works with Cosign)

Kyverno can verify Cosign signatures before pulling into a cluster. See the documentation for details. 

Ratify + Gatekeeper (works with Notation)

Ratify can verify Notation signatures before admitting pods. See the Ratify quickstart for setup instructions.

Use Docker Hardened Images as a built-in replacement

If you currently rely on DCT to verify base images from Docker Hub, switching to Docker Hardened Images (DHI) is a free and secure path forward. Every DHI comes with cryptographic signatures, provenance attestations, and SBOMs already built in.

This means the integrity checks you relied on with DCT are guaranteed, and then some. DHI images are minimal by design and continuously rebuilt when new CVEs appear. You are not just replacing a verification mechanism, you are getting a more secure base image to begin with.

Read more here: https://docs.docker.com/dhi/ 

Or view the free catalog at dhi.io

Need help?

A couple of things worth knowing as you plan your move.

If you are a Docker Hub publisher currently signing images with DCT, Docker cannot provide replacement signatures on your behalf. You will need to adopt Cosign or Notation to sign your own images.

If you are a consumer of third-party images that were signed with DCT, contact those publishers directly to determine whether they plan to adopt modern signing.

For questions or issues related to the shutdown, or if you want to work more directly with us on a migration plan, contact Docker support.
Quelle: https://blog.docker.com/feed/