From dd935bd0da5d1aef14528878e80153516b946ebd Mon Sep 17 00:00:00 2001 From: "Ajeet Singh Raina, Docker Captain, ARM Innovator" Date: Fri, 12 Jun 2026 16:27:41 +0530 Subject: [PATCH 1/3] Add lab guide for AI agents in Docker Sandboxes This commit adds a new lab guide for running AI agents in Docker Sandboxes using kits and hardened images, detailing the learning objectives and modules involved. --- content/guides/lab-running-sbx-kits-dhi.md | 56 ++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 content/guides/lab-running-sbx-kits-dhi.md diff --git a/content/guides/lab-running-sbx-kits-dhi.md b/content/guides/lab-running-sbx-kits-dhi.md new file mode 100644 index 00000000000..01cf830ddd0 --- /dev/null +++ b/content/guides/lab-running-sbx-kits-dhi.md 
@@ -0,0 +1,56 @@ +--- +title: "Lab: AI Agents in Docker Sandboxes with Kits and Hardened Images" +linkTitle: "Lab: Sandboxes, Kits, and DHI" +description: | + Run AI coding agents inside isolated Docker Sandboxes and progressively + harden what they produce using sbx kits and Docker Hardened Images in this + hands-on interactive lab. +summary: | + Hands-on lab: Run AI coding agents in isolated Docker Sandboxes, then use sbx + kits and Docker Hardened Images to turn their output into secure, + production-ready container images. +keywords: AI, Docker, Docker Sandboxes, sbx, kits, Docker Hardened Images, DHI, Docker Scout, container security, lab, labspace +params: + tags: [ai, labs] + time: 30 minutes + resource_links: + - title: Docker Sandboxes documentation + url: https://docs.docker.com/ai/sandboxes/ + - title: Docker Hardened Images documentation + url: https://docs.docker.com/dhi/ + - title: Docker Scout + url: https://docs.docker.com/scout/ + - title: Labspace repository + url: https://github.com/dockersamples/labspace-demo-sbx-kits-dhi +--- + +This lab shows you how to run AI coding agents inside isolated Docker Sandboxes +(`sbx`) and progressively harden what the agent produces using sbx **kits** and +**Docker Hardened Images (DHI)**. You'll start with a plain sandbox, attach a +container best-practices kit to change how the agent writes Dockerfiles, then add +a DHI kit so the agent builds and runs on hardened base images. Along the way +you'll compare baseline and hardened images on size, packages, vulnerabilities, +and attestations. 
+ +## Launch the lab + +{{< labspace-launch image="dockersamples/labspace-demo-sbx-kits-dhi" >}} + +## What you'll learn + +- Run an AI coding agent (Claude) in an isolated Docker Sandbox microVM with its own daemon, filesystem, and network +- Apply sandbox network policy that allows approved development endpoints and denies everything else +- Define an sbx kit: declarative, shareable agent configuration (tools, credentials, network rules, files, startup commands, and guidance) in a single `spec.yaml` +- Compare the output of a plain sandbox against one guided by a container best-practices kit +- Use a DHI kit to direct the agent to build and run on Docker Hardened Images +- Keep registry credentials on the host with sbx custom secrets, so your Docker PAT never enters the sandbox VM +- Push baseline vs. DHI image tags and compare size, package count, vulnerabilities, and attestations (SBOM + provenance) in Docker Hub and Docker Scout + +## Modules + +| # | Module | Description | +|---|--------|-------------| +| 0 | Prerequisites | Set up Docker Desktop, the `sbx` CLI, and a Docker Personal Access Token for pulling Docker Hardened Images | +| 1 | Start with a Plain Sandbox | Run an AI coding agent in an isolated Docker Sandbox microVM and review its default container output | +| 2 | Add the Best Practices Kit | Attach a container best-practices kit and compare how the agent's Dockerfile changes | +| 3 | Add the DHI Kit | Direct the agent to use Docker Hardened Images, then compare image size, packages, vulnerabilities, and attestations | From 7e09b1db19ec6d1b073beae2568d12300983eeb5 Mon Sep 17 00:00:00 2001 From: "Ajeet Singh Raina, Docker Captain, ARM Innovator" Date: Fri, 12 Jun 2026 16:57:26 +0530 Subject: [PATCH 2/3] Update lab-running-sbx-kits-dhi.md --- content/guides/lab-running-sbx-kits-dhi.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/guides/lab-running-sbx-kits-dhi.md b/content/guides/lab-running-sbx-kits-dhi.md index 01cf830ddd0..f2997895335 100644 --- a/content/guides/lab-running-sbx-kits-dhi.md +++ b/content/guides/lab-running-sbx-kits-dhi.md @@ -34,7 +34,7 @@ and attestations. ## Launch the lab -{{< labspace-launch image="dockersamples/labspace-demo-sbx-kits-dhi" >}} +{{< labspace-launch image="dockersamples/labspace-sbx-kits-dhi" >}} ## What you'll learn From 4d19ffbdac92eef00dc13ff956d321f51af38cf7 Mon Sep 17 00:00:00 2001 From: "Ajeet Singh Raina, Docker Captain, ARM Innovator" Date: Fri, 12 Jun 2026 20:47:22 +0530 Subject: [PATCH 3/3] Update lab-running-sbx-kits-dhi.md --- content/guides/lab-running-sbx-kits-dhi.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/guides/lab-running-sbx-kits-dhi.md b/content/guides/lab-running-sbx-kits-dhi.md index f2997895335..deca7f0767e 100644 --- a/content/guides/lab-running-sbx-kits-dhi.md +++ b/content/guides/lab-running-sbx-kits-dhi.md @@ -6,10 +6,10 @@ description: | harden what they produce using sbx kits and Docker Hardened Images in this hands-on interactive lab. summary: | - Hands-on lab: Run AI coding agents in isolated Docker Sandboxes, then use sbx + Hands-on lab: Run AI coding agents in isolated Docker Sandboxes, then use `sbx` kits and Docker Hardened Images to turn their output into secure, production-ready container images. -keywords: AI, Docker, Docker Sandboxes, sbx, kits, Docker Hardened Images, DHI, Docker Scout, container security, lab, labspace +keywords: AI, Docker, Docker Sandboxes, `sbx`, kits, Docker Hardened Images, DHI, Docker Scout, container security, lab, labspace params: tags: [ai, labs] time: 30 minutes 
@@ -40,7 +40,7 @@ and attestations. - Run an AI coding agent (Claude) in an isolated Docker Sandbox microVM with its own daemon, filesystem, and network - Apply sandbox network policy that allows approved development endpoints and denies everything else -- Define an sbx kit: declarative, shareable agent configuration (tools, credentials, network rules, files, startup commands, and guidance) in a single `spec.yaml` +- Define an `sbx` kit: declarative, shareable agent configuration (tools, credentials, network rules, files, startup commands, and guidance) in a single `spec.yaml` - Compare the output of a plain sandbox against one guided by a container best-practices kit - Use a DHI kit to direct the agent to build and run on Docker Hardened Images - Keep registry credentials on the host with sbx custom secrets, so your Docker PAT never enters the sandbox VM
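Review bot: In PATCH 1/3, the "What you'll learn" list promises a sandbox network policy and host-side custom secrets, but none of the four rows in the Modules table mentions either, so a reader cannot tell which module covers them. Name the module for each objective, or add both to the module descriptions. The Module 0 row should also state the minimum scope the Docker Personal Access Token needs for pulling Docker Hardened Images, so readers do not create a broader token than the lab requires.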
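Review bot: In PATCH 2/3, the `labspace-launch` image changes to `dockersamples/labspace-sbx-kits-dhi`, but the "Labspace repository" entry under `resource_links` still points at `https://github.com/dockersamples/labspace-demo-sbx-kits-dhi`, and PATCH 3/3 does not touch it. Confirm which name is current and update the link in the same commit if the repository was renamed as well. The subject "Update lab-running-sbx-kits-dhi.md" should also say what changed and why.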
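Review bot: In PATCH 3/3, first hunk, the backticks added around sbx on the `keywords:` line are not markup there: keywords is metadata rather than rendered body text, so the backtick characters become part of the keyword itself. Keep the bare term on that line. The same concern applies to the `summary:` change unless the template renders that field as Markdown, so check the rendered output. The unchanged `description:` text "harden what they produce using sbx kits" stays unformatted, which leaves the front matter inconsistent either way.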
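Review bot: In PATCH 3/3, second hunk, only the "Define an `sbx` kit" bullet gets code formatting. The context line "Keep registry credentials on the host with sbx custom secrets" in the same list still has a bare sbx, and so does "using sbx **kits**" in the intro paragraph from PATCH 1/3. Apply the formatting to every body-text occurrence in this patch so the page is consistent.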