Availability: Experimental
Requires: Docker Desktop 4.58 or later
Docker Sandboxes lets you run AI coding agents in isolated environments on your machine. If you're building with agents like Claude Code, Sandboxes provides a secure way to give agents autonomy without compromising your system.
AI agents need to execute commands, install packages, and test code. Running them directly on your host machine means they have full access to your files, processes, and network. Docker Sandboxes isolates agents in microVMs, each with its own Docker daemon. Agents can spin up test containers and modify their environment without affecting your host.
You get:
- Agent autonomy without host system risk
- Private Docker daemon for running test containers
- File sharing between host and sandbox
- Network access control
For a comparison between Docker Sandboxes and other approaches to isolating coding agents, see Comparison to alternatives.
MicroVM-based sandboxes require macOS or Windows (experimental). Linux users can use legacy container-based sandboxes with Docker Desktop 4.57.
To create and run a sandbox:
This command creates a sandbox for your workspace (~/my-project) and starts the Claude Code agent inside it. The agent can now work with your code, install tools, and run containers inside the isolated sandbox.
Sandboxes run in lightweight microVMs with private Docker daemons. Each sandbox is completely isolated - the agent runs inside the VM and can't access your host Docker daemon, containers, or files outside the workspace.
Your workspace directory syncs between host and sandbox at the same absolute path, so file paths in error messages match between environments.
Sandboxes don't appear in docker ps on your host because they're VMs, not containers. Use docker sandbox ls to see them.
For technical details on the architecture, isolation model, and networking, see Architecture.
Multiple sandboxes
Create separate sandboxes for different projects:
Each sandbox is completely isolated from the others. Sandboxes persist until you remove them, so installed packages and configuration stay available for that workspace.
Docker Sandboxes works with multiple AI coding agents:
- Claude Code - Anthropic's coding agent
- Codex - OpenAI's Codex agent (partial support; in development)
- Gemini - Google's Gemini agent (partial support; in development)
- cagent - Docker's cagent (partial support; in development)
- Kiro - by AWS (partial support; in development)
Head to the Get started guide to run your first sandboxed agent.
See Troubleshooting for common configuration errors, or report issues on the Docker Desktop issue tracker.