Amazing Sandbox (asb)
July 11, 2026 ยท View on GitHub
Amazing Sandbox (AS) is for running various tools inside
-
a Docker-based sandbox (by default)
-
seatbelt-based sandbox on Mac OS
-
bubblewrap sandbox on GNU/Linux
-
Prevents malicious packages from having full disk access and stealing data
-
Prevents AI agents from mistakenly deleting all files on your disk
-
Optionally, run packages like linters air-gapped (no internet access) as well
Features
Default config
- Give Read-write access to the current directory
- network access
- Load
.envfile from the current directory - Cache various build steps using Docker
- Give Read-write access to any explicitly referenced files via CLI arguments
Configurable via CLI parameters
- Disable read access to the current and referenced directories via
-x - Provide Read-only access to the referenced directories via
-r - Disable network access - via
-n - Disable
.envfile loading via--load-env=false - Add ability to pass a custom Docker image via
-i
Supported
- Python
- JavaScript/Typescript
- Go
go-exec - Rust
cargoandcargo-exec - Ruby
gemandgem-exec - Haskell
cabalandcabal-exec - Zig
zig
Caches config of the following coding agents
The configuration of the following coding agents is mapped to the corresponding directories in your home directory, so they will work seamlessly inside the sandbox without needing to re-authenticate or re-configure them.
Installation
$ go install github.com/ashishb/amazing-sandbox/src/asb/cmd/asb@latest
...
Or download a binary from the releases page
Usage
Run yarn with full access to current directory + a cache directory but no access to full disk
$ asb yarn install
...
Run HTML linter inside the sandbox with -n, that is, no Internet access
$ asb -n npx htmlhint
...
Run yamllint inside the sandbox
$ asb uvx yamllint -d <path-to-dir-containing-yaml-files-to-lint>
...
Run Claude code against the current directory
$ asb npx @anthropic-ai/claude-code
...
Run Open AI Codex against the directory "~/src/repo1"
$ asb -d ~/src/repo1 npx @openai/codex
...
Run Google Gemini CLI inside the sandbox
$ asb npx @google/gemini-cli@latest
...
Run fd tool inside the sandbox with no Internet access (air-gapped)
$ asb cargo install fd-find # One time install
...
$ asb -n cargo-exec fd '.*.go'
...
Run hadolint (Haskell-based Dockerfile linter) inside the sandbox
$ asb cabal update && asb cabal install hadolint # One time install
...
$ asb -n cabal-exec hadolint Dockerfile
...
Run acoustid-index build using Zig inside the sandbox
$ git clone https://github.com/acoustid/acoustid-index.git
...
$ cd acoustid-index
$ asb zig build
...
To see the full usage
asb is CLI tool for running tools inside Sandbox
See https://ashishb.net/programming/amazing-sandbox/ for reasoning behind this tool
$ asb --help
Usage:
asb [flags]
asb [command]
Available Commands:
bun Run a bun command
cabal Run a Haskell cabal command
cabal-exec Run a Haskell-based binary already installed inside sandbox
cargo Run a cargo command
cargo-exec Run a Rust-based binary package already installed inside sandbox
completion Generate the autocompletion script for the specified shell
gem Run a Ruby gem-based CLI tool
go-exec Run a Go-based binary package using go run
help Help about any command
node Run a node command
npm Run an npm command
npx Run an npx command
pip Install Python packages using pip
pip-exec Run a Python-based package already installed inside sandbox
pnpm Run a pnpm command
poetry Run a poetry command
python Run a python command
uv Run a uv command
uvx Run a Python-based package already installed inside sandbox using uvx
version Display asb version
yarn Run a yarn command
zig Run a Zig command
Flags:
-i, --custom-docker-image string Use a custom Docker image for the sandbox
-d, --directory string Working directory for this command (default "<current directory>")
-h, --help help for asb
-e, --load-env Load .env file from working directory (default true)
--mode string Sandbox mode to use (docker or native) (default "docker")
-m, --mount-ro stringArray Mount a directory as read-only inside the sandbox (can be specified multiple times)
-x, --no-disk-access Disable disk access inside the sandbox
-n, --no-network Disable network access inside the sandbox
-r, --read-only Load working directory and referenced directories as read-only
-w, --read-write Load working directory and referenced directories as read-write (default true)
How I use it
For interactive shells, one can use bash aliases, for example, alias htmlhint=asb -n npx htmlhint.
However, this does not work for non-interactive shells, for example, inside Makefile.
So, I prefer creating ~/.local/bin which contains htmlhint file
containing asb npx htmlhint "$@" and add .local/bin to the $PATH in ~/.bash_profile via export PATH=$PATH:$HOME/.local/bin.
FAQ
-
Why not use bubblewrap?
It only supports GNU/Linux.
Further, the developer experience for trying to run a simple tool likehtmlhintoryamllintis sub-par. -
Why not use Firejail?
No support for Mac OS or Windows.
Further, the developer experience for trying to run a simple tool likehtmlhintoryamllintis sub-par. -
Why not use
sandbox-execon Mac OS?
sandbox-execis deprecated. But if you want, you can useasbto usesandbox-exec/bubblewrapvia `asb --mode=native) -
Why not use ai-jail?
ai-jailuses OS-level sandboxing viabwrapon Linux and the deprecatedsandbox-execon macOS.
It has no Windows support.
In contrast,asbuses Docker, which works consistently across Linux, macOS, and Windows. -
Why not use drop?
dropuses Linux mount namespaces for sandboxing and only supports Linux.
In contrast,asbuses Docker, which works consistently across Linux, macOS, and Windows. -
I heard that Docker is not a security boundary?
Containers aren't as strong a security boundary as VMs; however, this means that a successful attack now requires infection of the container AND a concurrent container-escape vulnerability. That's a really high bar; someone would need to burn a 0-day on that. Taken from here -
I want to use a custom rootless image or a different version of Python instead of the default images?
You can provide any custom image via-iCLI parameter.$ asb -i astral/uv:python3.12-bookworm-slim python --version Python 3.12.12 $ asb -i astral/uv:python3.14-bookworm-slim python --version Python 3.14.2