sandbox
Malware? Tear it apart, discover its ins and outs and collect actionable threat data. Cuckoo is the leading open source automated malware analysis system.
Advanced vm/sandbox for Node.js. vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Securely!
A CLI to create code sandboxes with automatic HTTPS and long running processes in your cloud provider account.
PHPSandbox + Packagist. This is a playground to try Composer packages. With it, you can try 350k+ packages using a standard PHP v8.1 environment.
Component toolkit for creating live-running code editing experiences.
Sandpack is a component toolkit for creating your own live running code editing experience powered by CodeSandbox.
Vulnerable REST API with OWASP top 10 vulnerabilities for security testing.
VAmPI is a vulnerable API made with Flask and it includes vulnerabilities from the OWASP top 10 vulnerabilities for APIs. It was created as I wanted a vulnerable API to evaluate the efficiency of tools used to detect security issues in APIs. It includes a switch on/off to allow the API to be vulnerable or not while testing. This allows better coverage of the cases for false positives/negatives. VAmPI can also be used for learning/teaching purposes. You can find a few more details about the vulnerabilities at erev0s.com.
TIO is a family of online interpreters for an ever-growing list of practical and recreational programming languages. To use TIO, simply click the arrow below, pick a programming language, and start typing. Once you click the run button, your code is sent to a TIO arena, executed in a sandboxed environment, and the results are sent back to your browser. You can share your code by generating a client-side permalink that encodes code and input directly in the URL.
Efficient and consistent CI/CD with Kubernetes.
A solution for implementing efficient and consistent software delivery to Kubernetes facilitating best practices. werf is a CNCF Sandbox CLI tool to implement full-cycle CI/CD to Kubernetes easily. werf integrates into your CI system and leverages familiar and reliable technologies, such as Git, Dockerfile, Helm, and Buildah.
Dev Environment Management Platform. The future of dev environments.
Daytona is the enterprise-grade Codespaces alternative for managing self-hosted, secure and standardized development environments.
In-browser Postgres sandbox with AI assistance.
With postgres.new, you can instantly spin up an unlimited number of Postgres databases that run directly in your browser (and soon, deploy them to S3).
Malware analysis tool. Cuckoo3 is a Python 3 open source automated malware analysis system.
Cuckoo3 is an open-source tool to test suspicious files or links in a controlled environment. It will test them in sandboxed platform emulator(s) and generate a report, showing what the files or websites did during the test.
VMM for native-performance sandboxing.
TinyKVM is a simple, slim and specialized userspace emulator library with native performance.
TinyKVM is designed to execute regular Linux programs and also excels at request-based workloads in high-performance HTTP caches and web servers.
Hyperlight is a lightweight Virtual Machine Manager (VMM) designed to be embedded within applications. It enables safe execution of untrusted code within micro virtual machines with very low latency and minimal overhead.
Run AI Generated Code Locally. A secure local sandbox to run LLM-generated code using Apple containers.
CodeRunner is an MCP (Model Context Protocol) server that executes AI-generated code in a sandboxed environment on your Mac using Apple's native containers.
📦 Lightweight, ephemeral, sandboxes for Linux.
Create lightweight sandboxes for Linux with host isolation, rootfs images, and networking.
Microbox is a sandbox runtime that creates ephemeral and isolated execution environments on Linux by combining specific kernel features such as namespaces, cgroups, seccomp, and capabilities. It provides lightweight sandboxes to run container-like applications securely.
Sandboxing for Nix.
NixPak is essentially a fancy declarative wrapper around bwrap. You can use it to sandbox all sorts of Nix-packaged applications, including graphical ones.
Create and manage micro VMs at scale for safe execution of untrusted code. Secure sandboxed compute for AI agents and workloads
Katakate aims to make it easy to create, manage and orchestrate lightweight safe VM sandboxes for executing untrusted code, at scale. It is built on battle-tested VM isolation with Kata, Firecracker and Kubernetes. It is originally motivated by AI agents that need to run arbitrary code at scale.
Security, visibility, and authorization for AI agents
Leash wraps AI coding agents in containers and monitors their activity. You define policies in Cedar; Leash enforces them instantly.
Authorize and monitor your AI agents with policy enforcement, sandboxed execution, and real-time observability—ensuring they operate safely within your defined boundaries.
Lightweight, container-free sandbox for running commands with network and filesystem restrictions.
Fence wraps commands in a sandbox that blocks network access by default and restricts filesystem operations based on configurable rules. It's most useful for running semi-trusted code (package installs, build scripts, CI jobs, unfamiliar repos) with controlled side effects, and it can also complement AI coding agents as defense-in-depth.
Vagrant is the command line utility for managing the lifecycle of virtual machines. Isolate dependencies and their configuration within a single disposable and consistent environment.
Easy Linux virtual machine on macOS to sandbox LLM agents.
Vibe is a quick, zero-configuration way to spin up a Linux virtual machine on Mac to sandbox LLM agents.
Matchlock secures AI agent workloads with a Linux-based sandbox.
Matchlock is a CLI tool for running AI agents in ephemeral microVMs - with network allowlisting, secret injection via MITM proxy, and VM-level isolation. Your secrets never enter the VM.
A security-focused library OS supporting kernel- and user-mode execution.
LiteBox is a sandboxing library OS that drastically cuts down the interface to the host, thereby reducing attack surface. It focuses on easy interop of various "North" shims and "South" platforms. LiteBox is designed for usage in both kernel and non-kernel scenarios.
A sandboxed bash interpreter for AI agents. Pure TypeScript with in-memory filesystem.
A simulated bash environment with an in-memory virtual filesystem, written in TypeScript. Designed for AI agents that need a secure, sandboxed bash environment. Supports optional network access via curl with secure-by-default URL filtering.
Universal Sandbox Infrastructure for AI Applications.
Securely run commands, filesystems, code interpreters, browsers, and developer tools in isolated runtime environments.
OpenSandbox is a general-purpose sandbox platform for AI applications, offering multi-language SDKs, unified sandbox APIs, and Docker/Kubernetes runtimes for scenarios like Coding Agents, GUI Agents, Agent Evaluation, AI Code Execution, and RL Training.
Let your AI go full send. Your home directory stays home.
Run Claude Code, Codex, or any AI coding agent in "yolo mode" without nuking your home directory.
Secure, ephemeral browsing in a disposable VM (macOS only).
Bromure is a native macOS app that runs every browser session inside a lightweight, disposable Linux virtual machine using Apple's Virtualization.framework. The browser and your Mac don't share an operating system, a filesystem, or even a kernel. When you close the window, the VM is destroyed -- cookies, history, malware, trackers, all of it. Gone.
OpenShell is the safe, private runtime for autonomous AI agents.
NVIDIA OpenShell is the safe, private runtime for autonomous AI agents. It provides sandboxed execution environments that protect your data, credentials, and infrastructure. Agents run with exactly the permissions they need and nothing more, governed by declarative policies that prevent unauthorized file access, data exfiltration, and uncontrolled network activity.
agent-sandbox enables easy management of isolated, stateful, singleton workloads, ideal for use cases like AI agent runtimes.
Go hard on agents, not on your filesystem. Easy containment for AI agents.
Use jai for effortless containment of AI agents on Linux. jai strives to be the easiest container in the world to configure--so easy that you never again need to run a code assistant without protection. It's not a substitute for docker or podman when you need better isolation. But if you regularly do risky things like run an AI CLI with your own privileges in your home directory on a computer that you care about, then jai could reduce the damage when things go wrong.
Sandbox any command with file, network, and credential controls.
Lightweight, cross-platform process sandboxing powered by OpenAI Codex's runtime. Sandbox any command with file, network, and credential controls.
Full autonomy. Controlled environment. OS-level containment for AI coding agents on macOS.
macOS containment for AI agents — user isolation, kernel sandbox, pf firewall, DNS blocklist, backup/rollback. TLA+ verified.
AI coding agents are most useful when you let them work autonomously. But full autonomy means the agent runs with your full privileges, your credentials, your files.
Hazmat makes that safe.
The Enterprise AI Agent Cloud.
AI Sandboxes for Open-source, secure environment with real-world tools for enterprise-grade agents.
Save 98% of your AI coding agent's context window.
Context window optimization for AI coding agents. Sandboxes tool output, 98% reduction. 15 platforms
Go full --yolo. We've got you.
macOS-native sandboxing for local agents. Move fast, break nothing. Sandbox your local AI agents so they can read/write only what they need
Persistent & Secure sandboxes for AI agents.
Give your agents lightning-fast sandboxes with persistent state and versioned filesystems.
Run Coding Agents in Sandboxes. Control Them Over HTTP. Supports Claude Code, Codex, OpenCode, and Amp.
Every agent deserves its own machine.
Run agents in secure, local-first sandboxes. On your laptop, in your VPC, on-prem, or in our cloud. Programmable, fast, and yours.
microsandbox takes a different approach: every sandbox is a real VM with its own Linux kernel. It provides security primitives for preventing exploits like secret exfiltration. And it runs locally on your machine.
Run a single command in a speedy virtual machine with zero-setup.
vmexec is a zero-setup CLI tool that runs single commands in throwaway virtual machines. The idea is for you to run a command in a VM without having to think about the performance implications, how to mount files, how to forward ports, etc. Nowadays, many are used to the convenience of container runners such as podman or docker, but so far it hasn't been as convenient to run a VM, often requiring a manual setup step.
Orchestrate sandboxed coding agents in TypeScript with sandcastle.run().
A TypeScript library for orchestrating AI coding agents in isolated sandboxes.
Self-hosted dev sandboxes with preview URLs. One command. No Kubernetes, perfect for coding agents and SaaS factories.
The open-source engine for AI app-builder products. Give every user an isolated cloud dev environment, a built-in coding agent, and a live preview URL — self-hosted, on one machine, in one command.
Isolated databases for every AI agent branch. Build, test, and migrate in parallel. Production stays untouched.
Database safety infrastructure for AFK agentic development.
SafeAgentDB is built for serious vibe coders shipping real products with a team — whether your teammates are people, AI agents, or both. Once you have many branches in flight at the same time, one shared database becomes the thing everyone breaks. SafeAgentDB gives every branch and PR a live preview URL backed by its own isolated database, so agents can run migrations, hydrate realistic data, and test real app behavior without risking production, corrupting shared development data, or stepping on each other.
Built first for Supabase + Vercel + GitHub Actions, with guidance for adapting the same infrastructure pattern to other stacks.