← All posts

Sandbox security for agentic AI: Docker, microVMs, and CVE-2026-31431

40% of teams cite security as the top barrier to scaling agentic AI. Docker Sandboxes, Engine hardening, and governance for autonomous code.

Sandbox security for agentic AI: Docker, microVMs, and CVE-2026-31431
Contents

In brief

Sandbox security is not “another container” — it is policy and enforcement so isolation boundaries hold under pressure. Docker pushes Sandboxes for coding agents: microVMs, governance, and Engine hardening after incidents with autonomous commands.

What happened

Docker’s agentic AI report: 40% of respondents name security as the top obstacle to scaling agents. Classic sandboxing is familiar; agents need the next layer — who may execute what, which network paths are allowed, how to contain damage.

The post cites a case where an AI-generated command caused serious data loss — autonomous speed beats “junior deleted prod” as a threat model.

Docker Engine addresses CVE-2026-31431 with stronger seccomp, AppArmor, and SELinux. Docker Sandboxes for AI coding agents use microVMs — stronger than namespaces alone for untrusted code.

Docker AI Governance centralizes control over which agents run and with what network/filesystem rights — relevant when many developers attach Cursor/Claude Code to shared infra.

Why it matters

Agents change the threat model: not “developer typo” but autonomous read repo → propose shell → run. Without a sandbox with explicit limits, one prompt or MCP tool can reach host secrets, .env, or corporate networks.

Platform teams should treat isolation as a product requirement, not a late toggle — whether you use Docker, gVisor, Firecracker, or dedicated CI runners.

In practice

  1. Run agent sessions in disposable sandboxes — no prod kubeconfig or host SSH keys.
  2. Deny-by-default network; allowlist APIs; log egress.
  3. Scope secrets — agent tokens, not cloud admin roots.
  4. Patch Engine/runtime for CVEs; enable seccomp/AppArmor where policy allows.
  5. Tabletop: “agent ran rm -rf on a mounted volume” — what breaks?
  6. Governance dashboard or policy-as-code when agent count grows.

Takeaway

Scaling agentic AI needs trust in code execution. Docker frames the answer as sandbox security + governance + microVM. Even off their stack, the rule stands: untrusted agent code should not run on your bare laptop kernel. Details in the Docker Blog post.