Skip to content

Add lab guide for AI agents in Docker Sandboxes #25340

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
ajeetraina wants to merge 2 commits into
base: main
Choose a base branch
from
+56 −0
Draft

Add lab guide for AI agents in Docker Sandboxes #25340

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
dd935bd
Add lab guide for AI agents in Docker Sandboxes
ajeetraina Jun 12, 2026
7e09b1d
Update lab-running-sbx-kits-dhi.md
ajeetraina Jun 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
56 changes: 56 additions & 0 deletions content/guides/lab-running-sbx-kits-dhi.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
---
title: "Lab: AI Agents in Docker Sandboxes with Kits and Hardened Images"
linkTitle: "Lab: Sandboxes, Kits, and DHI"
description: |
Run AI coding agents inside isolated Docker Sandboxes and progressively
harden what they produce using sbx kits and Docker Hardened Images in this
hands-on interactive lab.
summary: |
Hands-on lab: Run AI coding agents in isolated Docker Sandboxes, then use sbx
kits and Docker Hardened Images to turn their output into secure,
production-ready container images.
keywords: AI, Docker, Docker Sandboxes, sbx, kits, Docker Hardened Images, DHI, Docker Scout, container security, lab, labspace
params:
tags: [ai, labs]
time: 30 minutes
resource_links:
- title: Docker Sandboxes documentation
url: https://docs.docker.com/ai/sandboxes/
- title: Docker Hardened Images documentation
url: https://docs.docker.com/dhi/
- title: Docker Scout
url: https://docs.docker.com/scout/
- title: Labspace repository
url: https://github.com/dockersamples/labspace-demo-sbx-kits-dhi
---

This lab shows you how to run AI coding agents inside isolated Docker Sandboxes
(`sbx`) and progressively harden what the agent produces using sbx **kits** and

Check failure on line 28 in content/guides/lab-running-sbx-kits-dhi.md

View workflow job for this annotation

GitHub Actions / validate (vale) 

[vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'sbx'?

Raw Output:
{"message": "[Vale.Spelling] Did you really mean 'sbx'?", "location": {"path": "content/guides/lab-running-sbx-kits-dhi.md", "range": {"start": {"line": 28, "column": 64}}}, "severity": "ERROR"}
**Docker Hardened Images (DHI)**. You'll start with a plain sandbox, attach a
container best-practices kit to change how the agent writes Dockerfiles, then add
a DHI kit so the agent builds and runs on hardened base images. Along the way
you'll compare baseline and hardened images on size, packages, vulnerabilities,
and attestations.

## Launch the lab

{{< labspace-launch image="dockersamples/labspace-sbx-kits-dhi" >}}

## What you'll learn

- Run an AI coding agent (Claude) in an isolated Docker Sandbox microVM with its own daemon, filesystem, and network
- Apply sandbox network policy that allows approved development endpoints and denies everything else
- Define an sbx kit: declarative, shareable agent configuration (tools, credentials, network rules, files, startup commands, and guidance) in a single `spec.yaml`

Check failure on line 43 in content/guides/lab-running-sbx-kits-dhi.md

View workflow job for this annotation

GitHub Actions / validate (vale) 

[vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'sbx'?

Raw Output:
{"message": "[Vale.Spelling] Did you really mean 'sbx'?", "location": {"path": "content/guides/lab-running-sbx-kits-dhi.md", "range": {"start": {"line": 43, "column": 13}}}, "severity": "ERROR"}
- Compare the output of a plain sandbox against one guided by a container best-practices kit
- Use a DHI kit to direct the agent to build and run on Docker Hardened Images
- Keep registry credentials on the host with sbx custom secrets, so your Docker PAT never enters the sandbox VM

Check failure on line 46 in content/guides/lab-running-sbx-kits-dhi.md

View workflow job for this annotation

GitHub Actions / validate (vale) 

[vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'sbx'?

Raw Output:
{"message": "[Vale.Spelling] Did you really mean 'sbx'?", "location": {"path": "content/guides/lab-running-sbx-kits-dhi.md", "range": {"start": {"line": 46, "column": 46}}}, "severity": "ERROR"}
- Push baseline vs. DHI image tags and compare size, package count, vulnerabilities, and attestations (SBOM + provenance) in Docker Hub and Docker Scout

## Modules

| # | Module | Description |
|---|--------|-------------|
| 0 | Prerequisites | Set up Docker Desktop, the `sbx` CLI, and a Docker Personal Access Token for pulling Docker Hardened Images |
| 1 | Start with a Plain Sandbox | Run an AI coding agent in an isolated Docker Sandbox microVM and review its default container output |
| 2 | Add the Best Practices Kit | Attach a container best-practices kit and compare how the agent's Dockerfile changes |
| 3 | Add the DHI Kit | Direct the agent to use Docker Hardened Images, then compare image size, packages, vulnerabilities, and attestations |
Loading