Releases: docker/sbx-releases
Release list
v0.37.0-rc2
Highlights
SSH access to sandboxes (experimental). Docker Sandboxes can now be used as SSH targets. After enabling SSH access, run sbx setup ssh once, then connect to an existing sandbox by name with ssh my-sandbox.sbx. Use the connection for interactive shells, one-shot commands, and SSH-based remote development.
What's New
SSH
sbx setup sshadds a managed*.sbxentry to your SSH config, making existing sandboxes available at<name>.sbx.- SSH connections start the local Docker Sandboxes daemon and the target sandbox automatically when needed.
- Connect using OpenSSH-compatible clients and remote-development tools such as VS Code, Cursor, Claude Desktop, and ChatGPT.
CLI
sbx createandsbx runaccept-p/--publishto publish sandbox ports at creation time.
Networking & Policy
DOCKER_SANDBOXES_PROXY=systemroutes sandbox egress through the host operating system's proxy configuration (macOS/Windows), including any PAC auto-config URL.- Governance-policy denials can now display an organization-configured support message (for example, who to contact).
Security & Audit
- Audit now emits execution-outcome records for network egress (per allowed connection) and filesystem mounts (per allowed path) — success, latency, and error class — alongside the policy-attributed decision records.
- sandboxd excludes itself from Windows Error Reporting so daemon crash dumps cannot capture in-memory credentials.
Performance
sbx secret lsand sandbox startup are faster on Linux hosts without an OS keychain — stored secrets are no longer all decrypted just to list or resolve credentials.
Bug Fixes
- Fixed sandboxd failing to start on Linux hosts without an OS keychain, where the on-disk secret store's key derivation could peg a CPU during startup and the CLI would kill the still-starting daemon.
- Fixed an intermittent "failed to fully delete sandbox" error when removing a running sandbox, caused by a network-teardown race with the engine's endpoint cleanup.
v0.37.0-rc1
Highlights
SSH access to sandboxes (experimental). Docker Sandboxes can now be used as SSH targets. After enabling SSH access, run sbx setup ssh once, then connect to an existing sandbox by name with ssh my-sandbox.sbx. Use the connection for interactive shells, one-shot commands, and SSH-based remote development.
What's New
SSH
sbx setup sshadds a managed*.sbxentry to your SSH config, making existing sandboxes available at<name>.sbx.- SSH connections start the local Docker Sandboxes daemon and the target sandbox automatically when needed.
- Connect using OpenSSH-compatible clients and remote-development tools such as VS Code, Cursor, Claude Desktop, and ChatGPT.
CLI
sbx createandsbx runaccept-p/--publishto publish sandbox ports at creation time.
Networking & Policy
DOCKER_SANDBOXES_PROXY=systemroutes sandbox egress through the host operating system's proxy configuration (macOS/Windows), including any PAC auto-config URL.- Governance-policy denials can now display an organization-configured support message (for example, who to contact).
Security & Audit
- Audit now emits execution-outcome records for network egress (per allowed connection) and filesystem mounts (per allowed path) — success, latency, and error class — alongside the policy-attributed decision records.
- sandboxd excludes itself from Windows Error Reporting so daemon crash dumps cannot capture in-memory credentials.
Performance
sbx secret lsand sandbox startup are faster on Linux hosts without an OS keychain — stored secrets are no longer all decrypted just to list or resolve credentials.
Bug Fixes
- Fixed sandboxd failing to start on Linux hosts without an OS keychain, where the on-disk secret store's key derivation could peg a CPU during startup and the CLI would kill the still-starting daemon.
- Fixed an intermittent "failed to fully delete sandbox" error when removing a running sandbox, caused by a network-teardown race with the engine's endpoint cleanup.
v0.36.0-rc1
Fix wrong nightly tap name (#173)
v0.35.0
Notice
There are no Linux/ARM64 builds for v0.35.x due to stability issues that were encountered during this release. We plan to bring them back for the v0.36.x release.
Highlights
- Host environment variables are no longer used for authentication. Previous versions automatically detected API keys in predefined environment variables (such as
ANTHROPIC_API_KEY) and injected them into model provider requests. Starting with this release, sandboxes only authenticate using credentials you've explicitly stored, or OAuth for agents that support it. If you relied on environment variables, run the newsbx secret importcommand once to move your keys into the keychain. See the credentials documentation for details. - Policy commands are revamped with a more concise
sbx policy ls, a newsbx policy inspect, and asbx policy check networkcommand for testing whether the current policy would allow an access request before you run. - Networking gains a SOCKS5 upstream-proxy transport.
What's New
Networking & Proxy
- The sandbox proxy can chain upstream egress through a SOCKS5 proxy (
socks5:///socks5h://, with optional auth) viaDOCKER_SANDBOXES_PROXY,HTTP_PROXY, orHTTPS_PROXY. - Add
DOCKER_SANDBOXES_NO_PROXYto exclude destinations fromDOCKER_SANDBOXES_PROXY, using standardNO_PROXYmatching semantics. - Droid OAuth credentials are now proxy-managed: real tokens stay on the host and never land in the sandbox.
- Faster sandbox startup: the TLS-proxy CA is installed by merging into the trust bundle instead of running
update-ca-certificates, saving several hundred milliseconds.
Policy
- Simplify
sbx policy lsand add--wide,--source, and--decisionfilters - Add
sbx policy checkto test whether the current policy would allow an access request - Balanced network preset now allows VS Code domains, Azure Blob Storage (
*.blob.core.windows.net), anddhi.ioover HTTP.
Kits
sbx kit addnow recreates the sandbox container with the augmented kit set instead of injecting at runtime. State is preserved with the re-creation.sbx kit addapplies the added kit's network allow/deny rules and composed policy on the running sandbox.- Re-attaching to a sandbox created from a custom
--kitagent now works withsbx run --name <name>without re-passing--kit. - Kits can inject the user's Docker login token into requests to docker.com hosts via a credential with service
sbx-login.
CLI
sbx rmnow won't delete an active session unless--forceis passed.sbx inspectnow lists the sandbox's kits, injected secrets, and sandbox information.- Added
sbx daemoncommand (start,stop,status,log-level)
Secrets
sbx secret importimports credential env vars into the keychain;sbx secret lsflags env-only and OAuth-shadowed entries. Host env vars no longer auto-inject at runtime — usesbx secret importto migrate.
Runtime & images
- Enable virtiofs caching by default on all operating systems by default for faster filesystem performance (
DOCKER_SANDBOXES_ENABLE_VIRTIOFS_CACHE=0to opt out).
Bug Fixes
- Fix "container not found" errors when copying files with
sbx cpon a sandbox that has had a kit added. - Enforce the one-credential-per-service rule on credential capture paths so a stale API key no longer shadows a newly captured credential.
- Fix
sbx loginfailing with "The specified item already exists in the keychain" when signing back into a previously used account; logout now clears all stored Docker credentials. - Restarted sandboxes keep GitHub access by rehydrating the stored
githubcredential on daemon restart. - Fix a custom kit clearing the proxy's built-in GitHub auth header mapping for the whole daemon until a restart.
- Tunnel plain-HTTP forward traffic (e.g.
apt, port 80) via CONNECT when the upstream proxy only supports CONNECT. - Sandbox egress through an upstream proxy identifies as
sbx-proxyon the CONNECT handshake. - Fix IPv6 policy allow rules using bracket notation (e.g.
[fdcb::1]:22) not matching. - Fix
sbxconnecting to the wrong Docker daemon whenDOCKER_HOSTis set in the environment. - Serialize Docker Hub token refresh across the CLI and daemon so sign-in sessions aren't unexpectedly lost.
Platform support
- Block installation on Windows versions older than Windows 11 (the only currently supported version).
v0.35.0-rc3
Highlights
This release revamps policy tooling with a concise sbx policy ls, a new sbx policy inspect, and a sbx policy check network command for testing whether the current policy would allow an access request before you run.
Networking gains a SOCKS5 upstream-proxy transport.
Secrets get a new sbx secret import with clearer env-source visibility.
What's New
Networking & Proxy
- The sandbox proxy can chain upstream egress through a SOCKS5 proxy (
socks5:///socks5h://, with optional auth) viaDOCKER_SANDBOXES_PROXY,HTTP_PROXY, orHTTPS_PROXY. - Add
DOCKER_SANDBOXES_NO_PROXYto exclude destinations fromDOCKER_SANDBOXES_PROXY, using standardNO_PROXYmatching semantics. - Droid OAuth credentials are now proxy-managed: real tokens stay on the host and never land in the sandbox.
- Faster sandbox startup: the TLS-proxy CA is installed by merging into the trust bundle instead of running
update-ca-certificates, saving several hundred milliseconds.
Policy
- Simplify
sbx policy lsand add--wide,--source, and--decisionfilters - Add
sbx policy checkto test whether the current policy would allow an access request - Balanced network preset now allows VS Code domains, Azure Blob Storage (
*.blob.core.windows.net), anddhi.ioover HTTP.
Kits
sbx kit addnow recreates the sandbox container with the augmented kit set instead of injecting at runtime. State is preserved with the re-creation.sbx kit addapplies the added kit's network allow/deny rules and composed policy on the running sandbox.- Re-attaching to a sandbox created from a custom
--kitagent now works withsbx run --name <name>without re-passing--kit. - Kits can inject the user's Docker login token into requests to docker.com hosts via a credential with service
sbx-login.
CLI
sbx rmnow won't delete an active session unless--forceis passed.sbx inspectnow lists the sandbox's kits, injected secrets, and sandbox information.- Added
sbx daemoncommand (start,stop,status,log-level)
Secrets
sbx secret importimports credential env vars into the keychain;sbx secret lsflags env-only and OAuth-shadowed entries. Host env vars no longer auto-inject at runtime — usesbx secret importto migrate.
Runtime & images
- Enable virtiofs caching by default on all operating systems by default for faster filesystem performance (
DOCKER_SANDBOXES_ENABLE_VIRTIOFS_CACHE=0to opt out).
Bug Fixes
- Fix "container not found" errors when copying files with
sbx cpon a sandbox that has had a kit added. - Enforce the one-credential-per-service rule on credential capture paths so a stale API key no longer shadows a newly captured credential.
- Fix
sbx loginfailing with "The specified item already exists in the keychain" when signing back into a previously used account; logout now clears all stored Docker credentials. - Restarted sandboxes keep GitHub access by rehydrating the stored
githubcredential on daemon restart. - Fix a custom kit clearing the proxy's built-in GitHub auth header mapping for the whole daemon until a restart.
- Tunnel plain-HTTP forward traffic (e.g.
apt, port 80) via CONNECT when the upstream proxy only supports CONNECT. - Sandbox egress through an upstream proxy identifies as
sbx-proxyon the CONNECT handshake. - Fix IPv6 policy allow rules using bracket notation (e.g.
[fdcb::1]:22) not matching. - Fix
sbxconnecting to the wrong Docker daemon whenDOCKER_HOSTis set in the environment. - Serialize Docker Hub token refresh across the CLI and daemon so sign-in sessions aren't unexpectedly lost.
Platform support
- Block installation on Windows versions older than Windows 11 (the only currently supported version).
v0.35.0-rc2
Bug Fixes
- Fix an issue where the filesystem would not update properly on WSL.
v0.35.0-rc1
Highlights
This release revamps policy tooling with a concise sbx policy ls, a new sbx policy inspect, and a sbx policy check network command for testing whether the current policy would allow an access request before you run.
Networking gains a SOCKS5 upstream-proxy transport.
Secrets get a new sbx secret import with clearer env-source visibility.
What's New
Networking & Proxy
- The sandbox proxy can chain upstream egress through a SOCKS5 proxy (
socks5:///socks5h://, with optional auth) viaDOCKER_SANDBOXES_PROXY,HTTP_PROXY, orHTTPS_PROXY. - Add
DOCKER_SANDBOXES_NO_PROXYto exclude destinations fromDOCKER_SANDBOXES_PROXY, using standardNO_PROXYmatching semantics. - Droid OAuth credentials are now proxy-managed: real tokens stay on the host and never land in the sandbox.
- Faster sandbox startup: the TLS-proxy CA is installed by merging into the trust bundle instead of running
update-ca-certificates, saving several hundred milliseconds.
Policy
- Simplify
sbx policy lsand add--wide,--source, and--decisionfilters - Add
sbx policy checkto test whether the current policy would allow an access request - Balanced network preset now allows VS Code domains, Azure Blob Storage (
*.blob.core.windows.net), anddhi.ioover HTTP.
Kits
sbx kit addnow recreates the sandbox container with the augmented kit set instead of injecting at runtime. State is preserved with the re-creation.sbx kit addapplies the added kit's network allow/deny rules and composed policy on the running sandbox.- Re-attaching to a sandbox created from a custom
--kitagent now works withsbx run --name <name>without re-passing--kit. - Kits can inject the user's Docker login token into requests to docker.com hosts via a credential with service
sbx-login.
CLI
sbx rmnow won't delete an active session unless--forceis passed.sbx inspectnow lists the sandbox's kits, injected secrets, and sandbox information.- Added
sbx daemoncommand (start,stop,status,log-level)
Secrets
sbx secret importimports credential env vars into the keychain;sbx secret lsflags env-only and OAuth-shadowed entries. Host env vars no longer auto-inject at runtime — usesbx secret importto migrate.
Runtime & images
- Enable virtiofs caching by default on all operating systems by default for faster filesystem performance (
DOCKER_SANDBOXES_ENABLE_VIRTIOFS_CACHE=0to opt out).
Bug Fixes
- Fix "container not found" errors when copying files with
sbx cpon a sandbox that has had a kit added. - Enforce the one-credential-per-service rule on credential capture paths so a stale API key no longer shadows a newly captured credential.
- Fix
sbx loginfailing with "The specified item already exists in the keychain" when signing back into a previously used account; logout now clears all stored Docker credentials. - Restarted sandboxes keep GitHub access by rehydrating the stored
githubcredential on daemon restart. - Fix a custom kit clearing the proxy's built-in GitHub auth header mapping for the whole daemon until a restart.
- Tunnel plain-HTTP forward traffic (e.g.
apt, port 80) via CONNECT when the upstream proxy only supports CONNECT. - Sandbox egress through an upstream proxy identifies as
sbx-proxyon the CONNECT handshake. - Fix IPv6 policy allow rules using bracket notation (e.g.
[fdcb::1]:22) not matching. - Fix
sbxconnecting to the wrong Docker daemon whenDOCKER_HOSTis set in the environment. - Serialize Docker Hub token refresh across the CLI and daemon so sign-in sessions aren't unexpectedly lost.
Platform support
- Block installation on Windows versions older than Windows 11 (the only currently supported version).
v0.34.0
Highlights
Kit installs are now restricted to an allowlist of sources, defaulting to Docker Hub only — a breaking change if you install kits from a Git URL or another registry.
This release also renames sbx policy set-default to sbx policy init, restores published ports when a sandbox restarts, fixes a number of bugs, and adds two experimental previews: a native SSH endpoint and an sbx setup command for smoother first-time onboarding.
What's New
SSH
- Add an experimental native SSH endpoint in sandboxd: connect with
ssh <sandbox-name>@127.0.0.1 -p 2222(publickey auth, connect-to-create, interactive shell and exec; no SFTP yet). Enable withsbx settings set feature.ssh true.
Setup & Onboarding
- Add an experimental
sbx setupcommand that imports agent credentials from environment variables.
Agents
- Cursor sandboxes no longer show the workspace trust prompt on launch.
Kits
-
Add OCI v2 kit artifact streaming that decompresses the layer once to a cache directory and uses seek-based random access, so file content is not held in memory between reads.
-
Restrict kit installs to an allowlist of sources, defaulting to Docker Hub (
docker.io/) only.Breaking: installing a kit from another registry or a Git URL fails until you add its prefix with
sbx settings set kit.allowedSources. See Docs: Restrict kit sources for details.
CLI & Behavior Changes
- Rename
sbx policy set-defaulttosbx policy init; the old name keeps working as a hidden, deprecated alias. - Published sandbox ports are restored on restart, and the CLI/TUI can recover explicit host-port conflicts by choosing a new host port.
Bug Fixes
- Fix a daemon hang where a slow or stuck sandbox creation/deletion blocked
sbx ls, the TUI, and new sessions until the daemon was restarted. - Fix a kit mixin regression where adding
network.serviceDomainsfor a service already provided by the base agent failed with a "credential … defined in both" error. - Reject
+in sandbox names with a clear validation error instead of panicking. - Fix the interactive host-port conflict recovery prompt not appearing on Windows when restarting a sandbox whose published port is already in use.
v0.34.0-rc3
Highlights
This release expands how you connect to and provision sandboxes. The headline is an experimental native SSH endpoint in sandboxd: any SSH client can reach a sandbox directly, with the SSH username selecting the sandbox and connect-to-create behavior — interactive shells and one-shot commands work today (SFTP is not yet supported). A new sbx setup first-run experience detects agent credentials already on your host and imports them in one command, with Gordon now able to scan the host and steer you to it.
We also clarified a confusing command name — sbx policy set-default is now sbx policy init — smoothed the Cursor launch experience, and fixed a daemon hang plus several kit, naming, and Windows port-conflict issues.
What's New
SSH
- Add an experimental native SSH endpoint in sandboxd: connect with
ssh <sandbox-name>@127.0.0.1 -p 2222(publickey auth, connect-to-create, interactive shell and exec; no SFTP yet). Enable withsbx settings set feature.ssh true.
Setup & Onboarding
- Add an experimental
sbx setupcommand that imports agent credentials from environment variables. - Gordon can now detect agent credentials already present on your host and guide you to import them with the new experimental
sbx setupcommand.
Agents
- Cursor sandboxes no longer show the workspace trust prompt on launch.
Kits
- Add OCI v2 kit artifact streaming that decompresses the layer once to a cache directory and uses seek-based random access, so file content is not held in memory between reads.
CLI & Behavior Changes
- Rename
sbx policy set-defaulttosbx policy init; the old name keeps working as a hidden, deprecated alias.
Bug Fixes
- Fix a daemon hang where a slow or stuck sandbox creation/deletion blocked
sbx ls, the TUI, and new sessions until the daemon was restarted. - Fix a kit mixin regression where adding
network.serviceDomainsfor a service already provided by the base agent failed with a "credential … defined in both" error. - Reject
+in sandbox names with a clear validation error instead of panicking. - Fix the interactive host-port conflict recovery prompt not appearing on Windows when restarting a sandbox whose published port is already in use.
v0.33.0
Highlights
sbx run --name <sandbox> now re-attaches to an existing sandbox by name. You can now also create multiple sandboxes of the same agent type and workspace by specifying unique sandbox names with --name.
Consequently, re-attaching to existing sandboxes with sbx run <name> is deprecated; the preferred form is sbx run --name <name>. The positional argument for sbx run should be an agent (e.g. claude, or codex). Sandbox name as the positional argument for run is still supported but will be removed in a future release.
This release also improves network isolation and policy enforcement. Sandbox DNS is now gated on network policy (closing a DNS-based exfiltration channel), ICMP egress is blocked across daemon restarts, and the MITM proxy publishes a CRL so revocation-strict clients keep working.
What's New
Sandbox Identity & CLI
sbx run --namenow identifies a sandbox independent of the working directory: run multiple independently-named sandboxes in the same workspace, re-attach from any directory (agent may be omitted), and re-run a create command to re-enter. It no longer auto-creates numbered sibling sandboxes, prompts before entering a same-named sandbox from a different workspace, and errors when the requested agent doesn't match the named sandbox. The TUI follows the same rules.sbx run <sandbox>now prints a deprecation warning when re-attaching to an existing sandbox; usesbx run --name <sandbox>instead.sbx ls --jsonnow reports a stable per-sandboxid.sbx createnow fails with a clear missing-agent error when run without arguments.sbx execnow uses the same working directory assbx run.sbx cp -Lnow follows symlinks in the source path for sandbox-to-host copies.- Daemon inspect output is now included in the diagnostics bundle.
Networking & Proxy
- Sandbox DNS lookups are now gated on the network policy: a sandboxed process can no longer resolve domains that policy denies, closing a DNS-based data-exfiltration channel. Loopback names (e.g.
localhost) are exempt to avoid breaking local OAuth callback flows. CVE-2026-12039 - Outgoing ICMP from sandboxes is now blocked across daemon restarts. CVE-2026-12539
- CIDR subnet allow rules (e.g.
sbx policy allow network 10.10.14.0/24) now correctly permit traffic to IP addresses within the subnet. - The MITM proxy now publishes a CRL and embeds a CRL distribution point in generated certificates, fixing clients that require certificate revocation checking (e.g. .NET
CheckCertificateRevocationList=true). - Removed the bracketed
[::1]entry from the sandboxNO_PROXYdefault, fixing credential injection for HTTP clients that mis-parsed it. - Claude connectors (Slack, Gmail, Notion, Atlassian, etc.) now work inside sandboxed Claude Code without manual policy overrides.
Secrets & Credentials
sbx secret set-custom --host, andserviceDomainsin kits, now accept wildcard host patterns (*matches one label,**matches any number) and is repeatable, so one custom secret can cover multiple subdomains/domains.
Agents
- Cursor OAuth is now supported
Platform & Performance
- The virtiofs cache is now enabled by default on macOS and Linux.
- Build packages for
linux/arm64are now produced. - On Linux, the keychain backend now falls back to the encrypted on-disk store when
dbus-launchis unavailable, fixing headless/server hosts.
Bug Fixes
- Suppress a misleading warning when saving OAuth credentials while the daemon is not running.
- Fixed a TTY sizing issue on Windows.
- Keep agent entrypoint flags when arguments after
--are themselves flags. - Inject git identity from subdirectories and
[include]d Git config when cloning. - Proxy service detection now supports middle-position wildcards.
- Sandboxes blocked by mount policies are no longer filtered out on daemon startup.