Docker released Sandboxes on March 31, an experimental tool that isolates AI coding agents inside lightweight microVMs so developers can let them run unattended. The pitch: stop babysitting your agent and let it actually work. The blog post announcing it leans hard on a familiar pain point, and for good reason.
Anyone who's used Claude Code or Codex in "YOLO mode" (the --dangerously-skip-permissions flag, which is as ominous as it sounds) knows the tradeoff. You get speed. You also get an agent that can rm -rf your project directory, leak your SSH keys, or silently rewrite your .env file. Most developers end up stuck in a loop: approving every file write, every package install, every shell command. At that point you're not using an autonomous agent. You're a human clipboard with extra steps.
What Docker actually built
Each sandbox spins up its own microVM with a dedicated Docker daemon, filesystem, and network stack. Your workspace gets mounted in via filesystem passthrough (changes sync both ways), but the agent can't touch anything outside that directory. It can install packages, run docker compose up, modify configs, even spawn containers inside the sandbox. Your host stays clean. One sbx rm command and the whole thing disappears.
The documentation is surprisingly thorough for an experimental feature. The sbx CLI is standalone, no Docker Desktop required, which matters if you're on a locked-down corporate machine or just don't want the overhead. It runs on macOS (Apple Silicon) and Windows 11. On first login, you pick a network policy: Open, Balanced, or Locked Down. Balanced is the interesting default, allowing common dev services while blocking everything else.
The numbers Docker is citing
The announcement opens with two stats: over a quarter of production code is now AI-authored, and developers using agents merge roughly 60% more pull requests. Both trace back to DX's research across 135,000+ developers. The most recent DX data from Q1 2026 puts AI-authored merged code at 27.4%, up slightly from 22% the prior quarter. Laura Tacho, CTO at DX, presented these findings at the Pragmatic Summit, noting that 92.6% of surveyed developers use an AI coding assistant at least monthly.
But here's what Docker glosses over: Tacho's same research shows overall productivity gains stuck at around 10%. Some companies see a 50% drop in customer-facing incidents with AI. Others see incidents double. The difference is organizational readiness, not tooling. A sandbox won't fix a team that can't review code properly.
How it compares to what already exists
Docker isn't the first to tackle this. Projects like AgentBox have been doing container-based isolation for agents since late 2025, and VS Code devcontainers offer a similar (if clunkier) workflow. The sbx-releases repo on GitHub is where Docker publishes binaries and tracks issues.
Docker's argument is that containers alone aren't enough. Mounting the Docker socket exposes your host daemon. Docker-in-Docker needs privileged access. A microVM sidesteps both problems by giving the agent its own kernel. That's a real architectural difference, not marketing.
The supported agent list is long: Claude Code, Codex, GitHub Copilot CLI, Gemini CLI, OpenCode, Kiro, and Docker's own Docker Agent. It also supports newer autonomous systems like NanoClaw and OpenClaw. Gavriel Cohen, who created NanoClaw, called Sandboxes "what [safe agent execution] looks like at the infrastructure level." Ben Navetta from Warp's engineering team made similar noises about long-running tasks.
What's missing
Linux support. I had to read the docs twice to confirm this. macOS and Windows only, for now. For a company whose entire identity is built on Linux containers, that's a weird gap. The docs mention .deb and .rpm packages in the GitHub releases, so Linux support may be landing soon or may already be in nightly builds. But the official getting-started page lists only macOS and Windows as supported platforms.
There's also the question of cost. Docker Sandboxes require a Docker login, and while the tool is free during the experimental phase, Docker hasn't said what happens after that. Given Docker's track record with Desktop pricing changes, it's worth watching.
Does it matter?
The real shift here isn't technical. It's workflow. When you trust that your agent can't break anything outside its sandbox, you stop hovering. You assign a task, go work on architecture or review someone else's PR, and come back to a branch with passing tests. That's a fundamentally different relationship with the tool.
Whether Docker Sandboxes specifically become the standard is less clear. The microVM approach is solid, but the experimental label means things will break. And the ecosystem is moving fast: Anthropic, OpenAI, and Google all have their own ideas about safe agent execution. Docker's bet is that isolation should live at the infrastructure layer, not inside the agent itself. That's probably right. An agent policing its own behavior is like asking the fox to guard the henhouse, except the fox also wrote the lock.
