Docker Sandbox (SBX)
What Is Docker Sandbox (SBX)?
Docker Sandbox (SBX) is a standalone Docker product that provides isolated execution environments for AI coding agents.
Originally an experimental Sandbox feature inside Docker Desktop, it was spun out in early 2025 as an independent product called SBX — the insight being that "the agent market is much bigger than the desktop market." SBX is purpose-built for running agents without the overhead of a full Electron application.
| Feature | Details |
|---|---|
| Price | Free (no Docker Desktop license required) |
| Auth | Requires Docker login |
| Runtime | microVM + Docker container runtime |
| Platforms | macOS (Apple Silicon / Sonoma 14+), Windows 11 (x86_64), Ubuntu 24.04+ |
Architecture
microVM-Based Runtime
SBX runs a Docker container runtime inside a microVM. Each sandbox has its own Docker daemon, filesystem, and network — fully isolated from the host.
Unified Runtime (Coming to Desktop)
The microVM technology powering SBX is being adopted into Docker Desktop as the Unified Runtime (expected later in 2025). On Windows, this eliminates:
- WSL2 patch management and tuning
- WSL2 distribution selection
- Hyper-V configuration
- On macOS: migration away from MobiVM (a full VM)
The Unified Runtime controls a single-purpose kernel optimized for containers, improving IO performance (9P → virtio-FS) and consistency.
Installation and Basic Usage
Installation
# macOS (Apple Silicon)
brew install docker/tap/sbx
# Windows / Linux: see official docs
# https://docs.docker.com/ai/sandboxes/get-started/
Basic Commands
# Log in
sbx login
# Store agent credentials securely
sbx secret set ANTHROPIC_API_KEY
# Run an agent in a sandbox
sbx run --name my-sandbox claude
# Clone the repo into an isolated copy (host stays read-only)
sbx run --clone --name my-sandbox claude
# List sandboxes
sbx ls
# Remove a sandbox
sbx rm my-sandbox
Network Policy Presets
| Policy | Behavior |
|---|---|
| Open | Allow all traffic |
| Balanced | Allow common development services, block everything else |
| Locked Down | Block all traffic (explicit allow required) |
Policies can be changed at any time with sbx policy.
Security Features
Why You Should Never Give Real Secrets to an Agent
Agents aren't malicious — but they're also not deterministic, and they don't follow your organization's security protocols. An agent's goal is not just to be helpful right now, but to be helpful in the next prompt, and the one after that.
As a result, once an agent receives an API key, it will often save it proactively so it doesn't have to ask again.
Agent's reasoning:
"I was asked for an API key → why keep asking every time? → I'll save it for next time"
→ writes to a memory file
→ writes to a .env file
→ commits to Git
→ pastes to Gist / Pastebin (to share it)
→ includes it in an email
Even under a prompt injection attack (where an attacker embeds malicious instructions into content the agent reads), if the agent only ever holds a fake token, there's nothing of value to exfiltrate.
Secret Injection Proxy
SBX's secret injection proxy lets agents authenticate to external APIs without ever holding the real credentials.
Where secrets are stored:
| OS | Storage |
|---|---|
| macOS | Keychain |
| Windows | Windows Credential Manager |
| Linux | Encrypted file (DBUS unavailable) |
Request flow:
Agent holds: ANTHROPIC_API_KEY = "fake-token-xyz123" (placeholder)
↓ outbound connection intercepted, TLS decrypted
Proxy: fake-token-xyz123 → replaced with real key
↓ forwarded to upstream proxy (Zscaler, etc.)
External API: 200 OK
From the agent's perspective, it sent fake-token-xyz123 and received a 200 OK. The real secret never enters the agent's execution scope.
This means that even if an agent attempts to write credentials to a memory file, a Git repo, Pastebin, Gist, or an email — it can only output the fake token.
Per-Protocol Handling
OAuth / JWT
OAuth token refresh, expiry management, and JWT content inspection are all handled outside the sandbox on the host side. The agent sees a valid access token but never touches the underlying credential material.
AWS SIG V4 (BOTO)
AWS SIG V4 signing embeds the access key directly into the request payload, so it cannot be fully excluded from the agent's scope. SBX handles this with the following trade-off:
| Item | Handling |
|---|---|
| Access key | Passed into agent scope (required for SIG V4 signing) |
| Refresh key | Held on the host — never passed to the agent |
| Blast radius | Limited to the access key's TTL (typically 15 minutes) |
Even if the access key is exfiltrated, it expires within 15 minutes and grants no persistent access.
Network Controls
URL wildcards enable fine-grained access control.
# Allow GitHub, deny Pastebin
allow: github.com
deny: pastebin.com
# Block specific models (cost control)
deny: api.anthropic.com/*-opus-*
allow: api.anthropic.com/*-sonnet-*
For Zscaler environments with TLS inspection, embed the CA certificate inside the sandbox template for transparent operation.
# Add your corporate CA cert to the sandbox template
RUN update-ca-certificates
Filesystem Mount Controls
Policies can prevent agents from mounting sensitive directories such as the user's home folder (which may contain dot-files and .env files).
AI Governance (Organization-Scale Management)
Beyond individual use, SBX provides an AI Governance framework for managing agents across an organization.
Team-Level Policies (Available from June 1, 2026)
Policies are hierarchical. More restrictive settings always win.
Company-level policy
└─ Org-level policy
└─ Team-level policy ← supported from June 1, 2026
| Setting | Behavior |
|---|---|
allow | Users may configure and use this feature |
deny | Forced prohibition — users cannot override |
| (unset) | Denied by default; users may explicitly allow |
This lets you give developers broader permissions while keeping finance teams more restricted.
Audit Logging
All meaningful agent activity is recorded.
| Phase | Format |
|---|---|
| Current | JSONL files (collected by any endpoint log management solution) |
| Near-term | OTEL streaming — provide a URL + API key to send events to Datadog, New Relic, etc. |
| Future | Docker Cloud logging facility (no self-managed collector required) |
MCP Appliance
For enterprise-scale MCP server deployments, Docker provides an MCP Appliance.
| Feature | Details |
|---|---|
| Deployment | Self-hosted on Kubernetes |
| Authentication | Gateway authentication (not stdio like Desktop) |
| Credentials | Backend credential management |
| Auditing | Tool call logging, same as SBX |
Model Gating and Cost Control
URL Wildcard Model Blocking
Use network policy wildcards to restrict access to specific models.
# Block Claude Opus (cost control)
deny: api.anthropic.com/*-opus-*
# Allow Haiku and Sonnet
allow: api.anthropic.com/*-haiku-*
allow: api.anthropic.com/*-sonnet-*
Agent harnesses query the /models endpoint to discover which models are available, so blocked models are automatically excluded from the available list. This is more stable than implementing fine-grained URL rules in Zscaler.
Tokenomics Foundation
The Tokenomics Foundation (founded 2025, under the Linux Foundation) is working to standardize token cost reporting across inference providers — covering both output token costs and input cost reductions via prompt caching.
Integration with the Docker Ecosystem
SBX is central to Docker's "Better Together" platform strategy.
| Integration | Details |
|---|---|
| DHI integration | SBX's MCP servers and sandbox template go through DHI's image hardening process |
| Model Runner | Local inference in Docker Desktop — free, no token costs, for teams avoiding hosted inference |
| Hardened Packages | Agents can be locked to DHI package sources, blocking generic npm/pip pulls |