Docker Sandboxes release notes
This page lists changes in recent stable releases of Docker Sandboxes. For the full release history, including pre-releases and downloads, see the Docker Sandboxes releases on GitHub.
0.35.0
2026-07-10Highlights
This release revamps policy tooling with a concise sbx policy ls, a new sbx policy inspect, and a sbx policy check network command for testing whether the current policy would allow an access request before you run.
Networking gains a SOCKS5 upstream-proxy transport.
Secrets get a new sbx secret import with clearer env-source visibility.
What's New
Networking & Proxy
- The sandbox proxy can chain upstream egress through a SOCKS5 proxy (
socks5:///socks5h://, with optional auth) viaDOCKER_SANDBOXES_PROXY,HTTP_PROXY, orHTTPS_PROXY. - Add
DOCKER_SANDBOXES_NO_PROXYto exclude destinations fromDOCKER_SANDBOXES_PROXY, using standardNO_PROXYmatching semantics. - Droid OAuth credentials are now proxy-managed: real tokens stay on the host and never land in the sandbox.
- Faster sandbox startup: the TLS-proxy CA is installed by merging into the trust bundle instead of running
update-ca-certificates, saving several hundred milliseconds.
Policy
- Simplify
sbx policy lsand add--wide,--source, and--decisionfilters - Add
sbx policy checkto test whether the current policy would allow an access request - Balanced network preset now allows VS Code domains, Azure Blob Storage (
*.blob.core.windows.net), anddhi.ioover HTTP.
Kits
sbx kit addnow recreates the sandbox container with the augmented kit set instead of injecting at runtime. State is preserved with the re-creation.sbx kit addapplies the added kit's network allow/deny rules and composed policy on the running sandbox.- Re-attaching to a sandbox created from a custom
--kitagent now works withsbx run --name <name>without re-passing--kit. - Kits can inject the user's Docker login token into requests to docker.com hosts via a credential with service
sbx-login.
CLI
sbx rmnow won't delete an active session unless--forceis passed.sbx inspectnow lists the sandbox's kits, injected secrets, and sandbox information.- Added
sbx daemoncommand (start,stop,status,log-level)
Secrets
sbx secret importimports credential env vars into the keychain;sbx secret lsflags env-only and OAuth-shadowed entries. Host env vars no longer auto-inject at runtime — usesbx secret importto migrate.
Runtime & images
- Enable virtiofs caching by default on all operating systems by default for faster filesystem performance (
DOCKER_SANDBOXES_ENABLE_VIRTIOFS_CACHE=0to opt out).
Bug Fixes
- Fix "container not found" errors when copying files with
sbx cpon a sandbox that has had a kit added. - Enforce the one-credential-per-service rule on credential capture paths so a stale API key no longer shadows a newly captured credential.
- Fix
sbx loginfailing with "The specified item already exists in the keychain" when signing back into a previously used account; logout now clears all stored Docker credentials. - Restarted sandboxes keep GitHub access by rehydrating the stored
githubcredential on daemon restart. - Fix a custom kit clearing the proxy's built-in GitHub auth header mapping for the whole daemon until a restart.
- Tunnel plain-HTTP forward traffic (e.g.
apt, port 80) via CONNECT when the upstream proxy only supports CONNECT. - Sandbox egress through an upstream proxy identifies as
sbx-proxyon the CONNECT handshake. - Fix IPv6 policy allow rules using bracket notation (e.g.
[fdcb::1]:22) not matching. - Fix
sbxconnecting to the wrong Docker daemon whenDOCKER_HOSTis set in the environment. - Serialize Docker Hub token refresh across the CLI and daemon so sign-in sessions aren't unexpectedly lost.
Platform support
- Block installation on Windows versions older than Windows 11 (the only currently supported version).
0.34.0
2026-06-26Highlights
Kit installs are now restricted to an allowlist of sources, defaulting to Docker Hub only — a breaking change if you install kits from a Git URL or another registry.
This release also renames sbx policy set-default to sbx policy init, restores published ports when a sandbox restarts, fixes a number of bugs, and adds two experimental previews: a native SSH endpoint and an sbx setup command for smoother first-time onboarding.
What's New
SSH
- Add an experimental native SSH endpoint in sandboxd: connect with
ssh <sandbox-name>@127.0.0.1 -p 2222(publickey auth, connect-to-create, interactive shell and exec; no SFTP yet). Enable withsbx settings set feature.ssh true.
Setup & Onboarding
- Add an experimental
sbx setupcommand that imports agent credentials from environment variables.
Agents
- Cursor sandboxes no longer show the workspace trust prompt on launch.
Kits
Add OCI v2 kit artifact streaming that decompresses the layer once to a cache directory and uses seek-based random access, so file content is not held in memory between reads.
Restrict kit installs to an allowlist of sources, defaulting to Docker Hub (
docker.io/) only.Breaking: installing a kit from another registry or a Git URL fails until you add its prefix with
sbx settings set kit.allowedSources. See Docs: Restrict kit sources for details.
CLI & Behavior Changes
- Rename
sbx policy set-defaulttosbx policy init; the old name keeps working as a hidden, deprecated alias. - Published sandbox ports are restored on restart, and the CLI/TUI can recover explicit host-port conflicts by choosing a new host port.
Bug Fixes
- Fix a daemon hang where a slow or stuck sandbox creation/deletion blocked
sbx ls, the TUI, and new sessions until the daemon was restarted. - Fix a kit mixin regression where adding
network.serviceDomainsfor a service already provided by the base agent failed with a "credential … defined in both" error. - Reject
+in sandbox names with a clear validation error instead of panicking. - Fix the interactive host-port conflict recovery prompt not appearing on Windows when restarting a sandbox whose published port is already in use.
0.33.0
2026-06-17Highlights
sbx run --name <sandbox> now re-attaches to an existing sandbox by name. You can now also create multiple sandboxes of the same agent type and workspace by specifying unique sandbox names with --name.
Consequently, re-attaching to existing sandboxes with sbx run <name> is deprecated; the preferred form is sbx run --name <name>. The positional argument for sbx run should be an agent (e.g. claude, or codex). Sandbox name as the positional argument for run is still supported but will be removed in a future release.
This release also improves network isolation and policy enforcement. Sandbox DNS is now gated on network policy (closing a DNS-based exfiltration channel), ICMP egress is blocked across daemon restarts, and the MITM proxy publishes a CRL so revocation-strict clients keep working.
What's New
Sandbox Identity & CLI
sbx run --namenow identifies a sandbox independent of the working directory: run multiple independently-named sandboxes in the same workspace, re-attach from any directory (agent may be omitted), and re-run a create command to re-enter. It no longer auto-creates numbered sibling sandboxes, prompts before entering a same-named sandbox from a different workspace, and errors when the requested agent doesn't match the named sandbox. The TUI follows the same rules.sbx run <sandbox>now prints a deprecation warning when re-attaching to an existing sandbox; usesbx run --name <sandbox>instead.sbx ls --jsonnow reports a stable per-sandboxid.sbx createnow fails with a clear missing-agent error when run without arguments.sbx execnow uses the same working directory assbx run.sbx cp -Lnow follows symlinks in the source path for sandbox-to-host copies.- Daemon inspect output is now included in the diagnostics bundle.
Networking & Proxy
- Sandbox DNS lookups are now gated on the network policy: a sandboxed process can no longer resolve domains that policy denies, closing a DNS-based data-exfiltration channel. Loopback names (e.g.
localhost) are exempt to avoid breaking local OAuth callback flows. CVE-2026-12039 - Outgoing ICMP from sandboxes is now blocked across daemon restarts. CVE-2026-12539
- CIDR subnet allow rules (e.g.
sbx policy allow network 10.10.14.0/24) now correctly permit traffic to IP addresses within the subnet. - The MITM proxy now publishes a CRL and embeds a CRL distribution point in generated certificates, fixing clients that require certificate revocation checking (e.g. .NET
CheckCertificateRevocationList=true). - Removed the bracketed
[::1]entry from the sandboxNO_PROXYdefault, fixing credential injection for HTTP clients that mis-parsed it. - Claude connectors (Slack, Gmail, Notion, Atlassian, etc.) now work inside sandboxed Claude Code without manual policy overrides.
Secrets & Credentials
sbx secret set-custom --host, andserviceDomainsin kits, now accept wildcard host patterns (*matches one label,**matches any number) and is repeatable, so one custom secret can cover multiple subdomains/domains.
Agents
- Cursor OAuth is now supported
Platform & Performance
- The virtiofs cache is now enabled by default on macOS and Linux.
- Build packages for
linux/arm64are now produced. - On Linux, the keychain backend now falls back to the encrypted on-disk store when
dbus-launchis unavailable, fixing headless/server hosts.
Bug Fixes
- Suppress a misleading warning when saving OAuth credentials while the daemon is not running.
- Fixed a TTY sizing issue on Windows.
- Keep agent entrypoint flags when arguments after
--are themselves flags. - Inject git identity from subdirectories and
[include]d Git config when cloning. - Proxy service detection now supports middle-position wildcards.
- Sandboxes blocked by mount policies are no longer filtered out on daemon startup.
Earlier releases
For older versions, see the Docker Sandboxes releases on GitHub.