Overview
Package sandbox provides Docker-based sandboxed execution for CI/CD pipeline steps.
Index
- type DockerSandbox
- func NewDockerSandbox(config SandboxConfig) (*DockerSandbox, error)
- func (s *DockerSandbox) Close() error
- func (s *DockerSandbox) CopyIn(ctx context.Context, srcPath, destPath string) error
- func (s *DockerSandbox) CopyOut(ctx context.Context, srcPath string) (io.ReadCloser, error)
- func (s *DockerSandbox) CreateContainer(ctx context.Context, cmd []string) error
- func (s *DockerSandbox) Exec(ctx context.Context, cmd []string) (*ExecResult, error)
- func (s *DockerSandbox) ExecInContainer(ctx context.Context, cmd []string, copyIn map[string]string, ...) (*ExecResult, map[string]io.ReadCloser, error)
- func (s *DockerSandbox) RemoveContainer(ctx context.Context) error
- type ExecResult
- type Mount
- type SandboxConfig
- func DefaultSecureSandboxConfig(image string) SandboxConfig
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type DockerSandbox
type DockerSandbox struct {
// contains filtered or unexported fields
}
DockerSandbox wraps the Docker Engine SDK to execute commands in isolated containers.
func NewDockerSandbox
func NewDockerSandbox(config SandboxConfig) (*DockerSandbox, error)
NewDockerSandbox creates a new DockerSandbox with the given configuration. It initializes a Docker client using environment variables (DOCKER_HOST, etc.).
func (*DockerSandbox) Close
func (s *DockerSandbox) Close() error
Close cleans up the Docker client.
func (*DockerSandbox) CopyIn
func (s *DockerSandbox) CopyIn(ctx context.Context, srcPath, destPath string) error
CopyIn copies a file from the host into the active container. Call CreateContainer first to set the active container ID.
func (*DockerSandbox) CopyOut
func (s *DockerSandbox) CopyOut(ctx context.Context, srcPath string) (io.ReadCloser, error)
CopyOut copies a file out of the active container. Returns a ReadCloser with the file contents. Call CreateContainer first to set the active container ID.
func (*DockerSandbox) CreateContainer (added in v0.3.3)
func (s *DockerSandbox) CreateContainer(ctx context.Context, cmd []string) error
CreateContainer creates and starts a container, storing its ID for use with CopyIn/CopyOut. Call RemoveContainer when done to clean up.
func (*DockerSandbox) Exec
func (s *DockerSandbox) Exec(ctx context.Context, cmd []string) (*ExecResult, error)
Exec creates a container, runs the given command, captures output, and removes the container.
func (*DockerSandbox) ExecInContainer
func (s *DockerSandbox) ExecInContainer(ctx context.Context, cmd []string, copyIn map[string]string, copyOutPaths []string) (*ExecResult, map[string]io.ReadCloser, error)
ExecInContainer creates a container, copies in the files listed in copyIn, runs the command, and returns a ReadCloser for each path in copyOutPaths so the caller can extract results. It is the higher-level API that manages the full container lifecycle together with file I/O.
func (*DockerSandbox) RemoveContainer (added in v0.3.3)
func (s *DockerSandbox) RemoveContainer(ctx context.Context) error
RemoveContainer stops and removes the active container.
type ExecResult
ExecResult holds the output from a command execution inside the sandbox.
type Mount
type Mount struct {
Source string `yaml:"source"`
Target string `yaml:"target"`
ReadOnly bool `yaml:"read_only"`
}
Mount describes a bind mount from host to container.
type SandboxConfig
type SandboxConfig struct {
Image string `yaml:"image"`
WorkDir string `yaml:"work_dir"`
Env map[string]string `yaml:"env"`
Mounts []Mount `yaml:"mounts"`
MemoryLimit int64 `yaml:"memory_limit"`
CPULimit float64 `yaml:"cpu_limit"`
Timeout time.Duration `yaml:"timeout"`
NetworkMode string `yaml:"network_mode"`
// Security hardening fields
SecurityOpts []string `yaml:"security_opts"` // e.g., ["seccomp=default.json"]
CapAdd []string `yaml:"cap_add"` // capabilities to add
CapDrop []string `yaml:"cap_drop"` // e.g., ["ALL"]
ReadOnlyRootfs bool `yaml:"read_only_rootfs"`
NoNewPrivileges bool `yaml:"no_new_privileges"`
User string `yaml:"user"` // e.g., "nobody:nogroup"
PidsLimit int64 `yaml:"pids_limit"` // max process count
Tmpfs map[string]string `yaml:"tmpfs"` // e.g., {"/tmp": "size=64m,noexec"}
}
SandboxConfig holds configuration for a Docker sandbox execution environment.
func DefaultSecureSandboxConfig (added in v0.3.3)
func DefaultSecureSandboxConfig(image string) SandboxConfig
DefaultSecureSandboxConfig returns a hardened SandboxConfig suitable for running untrusted workloads. It uses a minimal Wolfi-based image, drops all Linux capabilities, enables a read-only root filesystem, mounts /tmp as tmpfs with noexec, and disables network access.
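As an added example (not code from the package itself), the following Go program mirrors the documented SandboxConfig and Mount structs, reconstructs the baseline that DefaultSecureSandboxConfig is described as applying, and audits a config against that baseline before it is handed to NewDockerSandbox. HardenedConfig, AuditConfig, isRootUser, containsFold, the concrete limits and user, and the image reference example.invalid/wolfi-base are assumptions of this example, not identifiers or values from the package.

```go
package main

import (
	"strings"
	"time"
)

// Mount and SandboxConfig mirror the documented structs (fields this example
// does not inspect, such as WorkDir, Env and SecurityOpts, are omitted).
type Mount struct {
	Source   string `yaml:"source"`
	Target   string `yaml:"target"`
	ReadOnly bool   `yaml:"read_only"`
}

type SandboxConfig struct {
	Image           string            `yaml:"image"`
	Mounts          []Mount           `yaml:"mounts"`
	MemoryLimit     int64             `yaml:"memory_limit"`
	Timeout         time.Duration     `yaml:"timeout"`
	NetworkMode     string            `yaml:"network_mode"`
	CapAdd          []string          `yaml:"cap_add"`
	CapDrop         []string          `yaml:"cap_drop"`
	ReadOnlyRootfs  bool              `yaml:"read_only_rootfs"`
	NoNewPrivileges bool              `yaml:"no_new_privileges"`
	User            string            `yaml:"user"`
	PidsLimit       int64             `yaml:"pids_limit"`
	Tmpfs           map[string]string `yaml:"tmpfs"`
}

// HardenedConfig reconstructs what DefaultSecureSandboxConfig is documented to
// do: drop all capabilities, read-only rootfs, noexec tmpfs on /tmp, no
// network. The limits and user below are assumptions, not the package's values.
func HardenedConfig(image string) SandboxConfig {
	return SandboxConfig{
		Image:           image,
		NetworkMode:     "none",
		CapDrop:         []string{"ALL"},
		ReadOnlyRootfs:  true,
		NoNewPrivileges: true,
		User:            "nobody:nogroup",
		PidsLimit:       256,
		MemoryLimit:     512 << 20, // 512 MiB
		Timeout:         5 * time.Minute,
		Tmpfs:           map[string]string{"/tmp": "size=64m,noexec,nosuid"},
	}
}

// AuditConfig checks a config against that baseline and returns one finding
// per violation; an empty result means it is acceptable for untrusted work.
func AuditConfig(c SandboxConfig) []string {
	var findings []string
	checks := []struct{ bad bool; msg string }{
		{c.Image == "", "image must be set explicitly"},
		{c.NetworkMode != "none", "network_mode should be \"none\""},
		{!containsFold(c.CapDrop, "ALL"), "cap_drop should include ALL"},
		{len(c.CapAdd) > 0, "cap_add re-grants capabilities: " + strings.Join(c.CapAdd, ",")},
		{!c.ReadOnlyRootfs, "read_only_rootfs should be true"},
		{!c.NoNewPrivileges, "no_new_privileges should be true"},
		{isRootUser(c.User), "user should be a non-root account"},
		{c.PidsLimit <= 0, "pids_limit should bound runaway process creation"},
		{c.MemoryLimit <= 0 || c.Timeout <= 0, "memory_limit and timeout should both be set"},
	}
	for _, ch := range checks {
		if ch.bad {
			findings = append(findings, ch.msg)
		}
	}
	// Every tmpfs must carry noexec so a workload cannot drop and run binaries there.
	for path, opts := range c.Tmpfs {
		if !containsFold(strings.Split(opts, ","), "noexec") {
			findings = append(findings, "tmpfs "+path+" lacks noexec")
		}
	}
	// Bind mounts from the host default to writable; flag any that are not read-only.
	for _, m := range c.Mounts {
		if !m.ReadOnly {
			findings = append(findings, "mount "+m.Target+" is writable from the container")
		}
	}
	return findings
}

// isRootUser treats an empty user (the container then runs as the image's
// default user, usually root), "root" and uid 0 as root; ":group" is ignored.
func isRootUser(user string) bool {
	name, _, _ := strings.Cut(user, ":")
	return name == "" || name == "root" || name == "0"
}

// containsFold reports whether list holds want, ignoring case and whitespace.
func containsFold(list []string, want string) bool {
	for _, s := range list {
		if strings.EqualFold(strings.TrimSpace(s), want) {
			return true
		}
	}
	return false
}
```

AuditConfig(HardenedConfig(image)) returns no findings, while a config that leaves NetworkMode as "bridge", omits CapDrop, sets no limits and binds a host directory read-write returns one line per problem, which a pipeline can log and use to refuse the step. The empty-User case is flagged deliberately: without a User the container runs as the image's default account, which for most base images is root.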