Docker Sandboxes: Run Claude Code and Other Coding Agents Unsupervised (but Safely)
We introduced Docker Sandboxes in experimental preview a few months ago. Today, we’re launching the next evolution with microVM isolation, available now for macOS and Windows.
We started Docker Sandboxes to answer the question:
How do I run Claude Code or Gemini CLI safely?
Sandboxes provide disposable, isolated environments purpose-built for coding agents. Each agent runs in an isolated version of your development environment, so when it installs packages, modifies configurations, deletes files, or runs Docker containers, your host machine remains untouched.
This isolation lets you run agents like Claude Code, Codex CLI, Copilot CLI, Gemini CLI, and Kiro with autonomy. Because anything they break is confined to the sandbox rather than your machine, you can let them run free.
Since our first preview, Docker Sandboxes have evolved. They’re now more secure, easier to use, and more powerful.
Level 4 Coding Agent Autonomy
Claude Code and other coding agents fundamentally change how developers write and maintain code. But a practical question remains: how do you let an agent run unattended (without constant permission prompts), while still protecting your machine and data?
Most developers quickly run into the same set of problems trying to solve this:
- OS-level sandboxing interrupts workflows and isn’t consistent across platforms
- Containers seem like the obvious answer, until the agent needs to run Docker itself
- Full VMs work, but are slow, manual, and hard to reuse across projects
We started building Docker Sandboxes specifically to fill this gap.
Docker Sandboxes: MicroVM-Based Isolation for Coding Agents
Defense-in-depth, isolation by default
- Each agent runs inside a dedicated microVM
- Only your project workspace is mounted into the sandbox
- Hypervisor-based isolation significantly reduces host risk
A real development environment
- Agents can install system packages, run services, and modify files
- Workflows run unattended, without constant permission approvals
Safe Docker access for coding agents
- Coding agents can build and run Docker containers inside the microVM
- They have no access to the host Docker daemon
One sandbox, many coding agents
- Use the same sandbox experience with Claude Code, Copilot CLI, Codex CLI, Gemini CLI, and Kiro
- More to come (and we’re taking requests!)
Fast reset, no cleanup
- If an agent goes off the rails, delete the sandbox and spin up a fresh one in seconds
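A quick check a practitioner can run from inside any sandbox to see whether the "only your project workspace is mounted" property actually holds. This is an added example written for this post, not Docker's own tooling, and it makes no claim about how Docker Sandboxes lay out their microVM: it parses the Linux /proc/mounts format and reports every mount that is neither the root filesystem, a kernel pseudo-filesystem, nor inside the workspace. The sample snapshot, the workspace path and the pseudo-filesystem allowlist are all assumptions for the example.

```python
"""List the mounts inside a sandbox that are not the project workspace.

Added example; not Docker's tooling. It only parses /proc/mounts and applies a
simple policy: '/', kernel pseudo-filesystems and anything under the workspace
are expected, everything else is reported so you can account for it.
"""
import re

# Kernel pseudo-filesystems that carry no host data. Assumed allowlist; extend
# it for your environment.
PSEUDO_FS = {
    "proc", "sysfs", "devtmpfs", "devpts", "tmpfs", "cgroup", "cgroup2",
    "mqueue", "securityfs", "debugfs", "tracefs", "bpf", "binfmt_misc",
    "hugetlbfs", "pstore", "configfs",
}

# Constructed /proc/mounts snapshot for the example (not captured from a real
# sandbox). Note the \040 escape: /proc/mounts encodes spaces in paths this way.
SAMPLE_MOUNTS = """\
rootfs / virtiofs rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
devtmpfs /dev devtmpfs rw,nosuid 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
share0 /home/agent/my\\040project virtiofs rw,relatime 0 0
share1 /mnt/host-home virtiofs rw,relatime 0 0
"""

_OCTAL = re.compile(r"\\([0-7]{3})")


def _unescape(field: str) -> str:
    """Decode the \\ooo octal escapes /proc/mounts uses for space, tab, newline and backslash."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_proc_mounts(text: str) -> list[dict]:
    """Parse /proc/mounts lines into dicts with source, mountpoint, fstype and options."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or truncated line
        mounts.append({
            "source": _unescape(parts[0]),
            "mountpoint": _unescape(parts[1]),
            "fstype": parts[2],
            "options": parts[3].split(","),
        })
    return mounts


def _under(path: str, root: str) -> bool:
    """True if path equals root or lives below it."""
    root = root.rstrip("/")
    if root == "":
        return True  # workspace is '/', everything qualifies
    return path == root or path.startswith(root + "/")


def unexpected_mounts(text: str, workspace: str) -> list[str]:
    """Mount points that are neither '/', a pseudo-filesystem, nor inside the workspace."""
    return [
        m["mountpoint"]
        for m in parse_proc_mounts(text)
        if m["mountpoint"] != "/"
        and m["fstype"] not in PSEUDO_FS
        and not _under(m["mountpoint"], workspace)
    ]


def main() -> None:
    workspace = "/home/agent/my project"  # assumed workspace path for the example
    try:
        with open("/proc/mounts", encoding="utf-8") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_MOUNTS  # not on Linux: fall back to the constructed snapshot
    for mp in unexpected_mounts(text, workspace):
        print(f"unexpected mount: {mp}")


if __name__ == "__main__":
    main()
```

Run it inside the sandbox, not on the host; on a macOS or Windows host there is no /proc, so the script falls back to the constructed snapshot, which reports `/mnt/host-home`. A reported mount is not automatically a leak (the sandbox's own Docker storage will appear once the agent starts running containers), but every entry should be something you can explain.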
What’s New Since the Preview and What’s Next
The experimental preview validated the core idea: coding agents need an execution environment with clear isolation boundaries, not a stream of permission prompts. The early focus was developer experience, making it easy to spin up an environment that felt natural and productive for real workflows.
As Matt Pocock put it, “Docker Sandboxes have the best DX of any local AI coding sandbox I’ve tried.”
With this release, we’re making Sandboxes more powerful and secure with no compromise on developer experience.
What’s New
- MicroVM-based isolation. Sandboxes now run on dedicated microVMs, adding a hard security boundary.
- Network isolation with allow and deny lists. Control over coding agent network access.
- Secure Docker execution for agents. Docker Sandboxes are the only sandboxing solution we're aware of that allows coding agents to build and run Docker containers while remaining isolated from the host system.
What’s Next
We’re continuing to expand Docker Sandboxes based on developer feedback:
- Linux support
- MCP Gateway support
- Ability to expose ports to the host device and access host-exposed services
- Support for additional coding agents
Docker Sandboxes were made for developers who want to run coding agents unattended, experiment freely, and recover instantly when something goes wrong. They keep the convenience of containers' isolation model, but with a hypervisor boundary instead of a kernel shared with the host.
If you’ve been holding back on using agents because of permission prompts, system risk, or Docker-in-Docker limitations, Docker Sandboxes are built to remove those constraints.
We’re iterating quickly, and feedback from real-world usage will directly shape what comes next.
About the Authors
Srini Sekaran is Principal Product Marketing Manager for AI at Docker, focused on Docker AI Governance, Docker Sandboxes, and the future of agent infrastructure and developer workflows.