Advice for local sandboxing

The CanisterWorm attack this year involving GitHub Actions, Trivy, LiteLLM, etc. has made me reconsider the security gamble I take whenever I download software. Despite doing unimportant personal projects all on one PC, I still don’t want my identity and personal files stolen by some vibe-coded worm that evaded fully staffed companies and anti-malware, so I started looking into sandboxing for the first time. I have zero idea what’s reputable, and one reason I’m asking for advice here is to avoid bots and salespeople in at least one space.

My needs:

  • Affordable. Ideally free but can accept $200 per year
  • Timely security updates
  • Savable environment. If compromised, can delete with no lingering effects on host PC.
  • Internet access in environment for downloads, though it should also work without internet access. Assume I do not log in to anything.
  • Copy plain text or screenshots from environment to host PC, if transferring compromised files and paste-jacking are too risky. Luckily my projects are mostly small enough for this.
  • Host is Windows. Don’t want to move everything and I think some apps don’t have nice equivalents.
  • No default or easy option for an escape hatch in the sandbox to my host PC’s files e.g. dangerouslyDisableSandbox in Claude Code.

I’ve read that software can tell if it’s running in a virtual machine, and things get worse if escapes or bugs occur at a lower level e.g. bare-metal, though working at a higher level provides a larger attack surface e.g. host OS. I can’t tell which is better or when, so advice would be good. I’m open to other suggestions if security can be addressed. For example, I steered away from remote desktop services because that’s another login that could be stolen or intercepted, just to start.

1 Like

I have been using podman containers for my dev environments for a little while now, and I’m reasonably happy with it. Basically, I just create a container, and then make a folder that has any stuff in it that I wish to persist between sessions or to be shared from the host, and then I mount those folders onto the podman container during startup.

Setting it up has required a lot of futzing about and learning about random things, but once it’s set up, I find it pretty straightforward to use. podman is supported on Windows, but you’ll need to run it from within WSL.

My main motivation for this was that I did not trust the guard rails that were built into coding agents, and instead preferred to do the isolation myself, but these software dependency attacks also make me want to move more of my regular software development into containers.
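The workflow described in this reply (one host folder for persistence, bind-mounted into a throwaway podman container) written out as a script. This is an added example, not the poster's own setup: it assumes podman is installed inside WSL, the image name and the `/tmp/sandbox-work` paths are placeholders, and the flags used are standard `podman run` options. The check in `mount_source_allowed` is the part the original post only implies: the container gets exactly the folder you chose, never `/`, your home directory, or a path that could resolve outside the work area.

```shell
#!/usr/bin/env sh
# Added example, not from this thread: start a disposable rootless podman dev container
# that sees exactly one host folder (the persistence folder the poster describes) and
# refuse bind-mount sources that would hand the container the rest of the host.
set -eu

# Return 0 if SRC may be bind-mounted, 1 otherwise. Everything the container may touch
# must live under ROOT, and ROOT itself may not be "/" or the home directory.
mount_source_allowed() {
    src="$1"; root="$2"
    case "$root" in
        /|"${HOME:-/nonexistent}") return 1 ;;   # whole disk or whole home: never
    esac
    case "$src" in
        *..*) return 1 ;;                        # ".." could resolve outside ROOT
    esac
    case "$src" in
        "$root"|"$root"/*) return 0 ;;           # inside the designated work area
        *) return 1 ;;
    esac
}

# Print the podman command line that mounts SRC at /work, then run it unless DRY_RUN=1.
# IMAGE is a placeholder; substitute whatever base image your project needs.
sandbox_cmd() {
    src="$1"; root="$2"; image="${3:-docker.io/library/debian:stable-slim}"
    mount_source_allowed "$src" "$root" || { echo "refusing to mount: $src" >&2; return 1; }
    # --rm: nothing survives except what is written to SRC
    # --userns=keep-id: files created in /work are owned by your WSL user, not root
    # --cap-drop=all / no-new-privileges / pids-limit: shrink what a worm inside can do
    set -- podman run --rm -it \
        --userns=keep-id \
        --cap-drop=all \
        --security-opt no-new-privileges \
        --pids-limit 512 \
        -v "$src:/work:Z" \
        -w /work \
        "$image" bash
    echo "$*"
    [ "${DRY_RUN:-0}" = 1 ] || "$@"
}
```

Run it from the WSL shell as `sandbox_cmd ~/sandbox-work/myproject ~/sandbox-work`; the container keeps network access for downloads, as the original question asks for, and `--network none` can be added to the `set --` list for fully offline runs. The `:Z` mount suffix is an SELinux relabel that podman ignores on systems without SELinux.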

I think cloud machines are important because even being on the same private network as an unrestricted coding agent is a bit of a risk imo.

I like Hetzner cloud instances a lot; they are super cheap. You can get a 24/7 server for single-digit € per month. Sadly they don’t support Windows so maybe @Mason’s suggestion is better.

On my Hetzner machine I can let coding agents run without restrictions. I made them their own GitHub account and email, so their only access to me is via a Telegram chat, where I work on open-source projects with it. This means that even if the machine were entirely compromised, the only inconvenience would be wiping it and restarting. The agent’s GitHub account doesn’t even have write access to my repositories. It’s really like I have an external collaborator living in Helsinki who eagerly wants to contribute to all my open source projects…

I also like that all my coding sessions can be on a single machine so they can share memory and intermediate work (and caches).

2 Likes

These days I’m experimenting with Docker Sandboxes (Docker Sandboxes | Docker Docs), which are apparently more secure than standard containers and designed for agents. There are still two things I don’t like:

  • The folder I open the container in is synced by default with the one on my computer, so that file changes there are immediately visible locally
  • There is still a risk of my Claude credentials being exfiltrated, which is arguably more valuable than the agent’s bogus GitHub account