Versions in this module v0 v0.2.0 May 15, 2026 Changes in this version + func FormatResult(result *VerificationResult) string + func GenerateSeatbeltProfile(policy *SeatbeltPolicy) string + func RunSeatbelted(ctx context.Context, command string, policy *SeatbeltPolicy) (*exec.Cmd, error) + func SeatbeltAvailable() bool + type AdversaryInspector struct + func (ai *AdversaryInspector) Inspect(content string) *InspectionResult + type CodeVerifier struct + AllowedPaths []string + BlockedFunctions []string + BlockedModules []string + BlockedPatterns []*regexp.Regexp + func NewCodeVerifier() *CodeVerifier + func (cv *CodeVerifier) AddBlockedFunction(fn string) + func (cv *CodeVerifier) AddBlockedModule(module string) + func (cv *CodeVerifier) AddBlockedPattern(pattern string) error + func (cv *CodeVerifier) Verify(code, language string) *VerificationResult + func (cv *CodeVerifier) VerifyBash(code string) []Violation + func (cv *CodeVerifier) VerifyGo(code string) []Violation + func (cv *CodeVerifier) VerifyPython(code string) []Violation type DevEnvManager + OnSwapNeeded func(req SwapRequest) + func (d *DevEnvManager) RebuildAndForceSwap(ctx context.Context, dockerfilePath string) (string, error) + type EgressInspector struct + AllowedDomains []string + func (ei *EgressInspector) Inspect(content string) *InspectionResult + type Finding struct + Content string + Level ThreatLevel + Message string + Type string + type InspectionResult struct + Findings []Finding + Safe bool + type NetworkProxy struct + AllowAll bool + AllowedDomains []string + BlockAll bool + BlockedDomains []string + Log []ProxyLogEntry + Port int + Stats ProxyStats + func NewNetworkProxy(config ProxyConfig) *NetworkProxy + func (np *NetworkProxy) EnvVars() map[string]string + func (np *NetworkProxy) GetLog() []ProxyLogEntry + func (np *NetworkProxy) GetStats() ProxyStats + func (np *NetworkProxy) IsAllowed(host string) bool + func (np *NetworkProxy) Start(ctx context.Context) 
(string, error) + func (np *NetworkProxy) Stop() error + type ProxyConfig struct + AllowedDomains []string + BlockedDomains []string + LogRequests bool + Mode string + func DefaultDevelopmentConfig() ProxyConfig + type ProxyLogEntry struct + Allowed bool + Host string + Method string + Reason string + Timestamp time.Time + type ProxyStats struct + AllowedRequests int64 + BlockedRequests int64 + TotalBytes int64 + UniqueHosts map[string]int + type SandboxManager struct + Dir string + MaxSandboxes int + Sandboxes map[string]*SandboxState + func NewSandboxManager(dir string) *SandboxManager + func (m *SandboxManager) Cleanup(maxAge time.Duration) error + func (m *SandboxManager) Create(workDir string, envVars map[string]string) (*SandboxState, error) + func (m *SandboxManager) DiffSandbox(id string) ([]string, error) + func (m *SandboxManager) FormatStatus() string + func (m *SandboxManager) List() []*SandboxState + func (m *SandboxManager) Pause(id string) error + func (m *SandboxManager) Restore(data []byte) (*SandboxState, error) + func (m *SandboxManager) Resume(id string) (*SandboxState, error) + func (m *SandboxManager) Snapshot(id string) ([]byte, error) + type SandboxState struct + CreatedAt time.Time + EnvVars map[string]string + Files map[string][]byte + ID string + PausedAt *time.Time + ProcessState string + ResumedAt *time.Time + Status string + WorkDir string + type SeatbeltPolicy struct + AllowNetwork bool + AllowProcess bool + AllowSysctl bool + AllowWrite bool + ReadablePaths []string + WritablePaths []string + func DefaultHawkPolicy(workDir string) *SeatbeltPolicy + type SwapRequest struct + Dockerfile string + ImageTag string + Workspace string + type ThreatLevel int + const ThreatCritical + const ThreatHigh + const ThreatLow + const ThreatMedium + const ThreatNone + func (t ThreatLevel) String() string + type VerificationResult struct + Language string + Safe bool + Violations []Violation + Warnings []string + type Violation struct + Code string + 
Line int + Reason string + Severity string + Type string v0.1.0 May 12, 2026 Changes in this version + var ContainerImageTag = "latest" + func ApplySeccomp() error + func Available() bool + func ContextWithMode(ctx context.Context, m Mode) context.Context + func DefaultSeccompProfile() []byte + func DockerAvailable() bool + func GVisorAvailable() bool + func GVisorDockerArgs() []string + func GenerateProfile(cfg SandboxConfig) string + func IsAvailable() bool + func LandlockAvailable() bool + func WrapCommand(command string, cfg SandboxConfig) (string, []string) + type CachedImage struct + BuiltAt time.Time + ContentHash string + Stale bool + Tag string + type Config struct + AllowNetwork bool + AllowWrite bool + Enabled bool + MaxCPUPct int + MaxMemoryMB int + ReadOnlyDirs []string + Type string + WritableDirs []string + func DefaultConfig() *Config + type ContainerSandbox struct + func NewContainerSandbox(projectDir string) *ContainerSandbox + func (c *ContainerSandbox) BuildFromDockerfile(ctx context.Context, dockerfile string) (string, error) + func (c *ContainerSandbox) ContainerID() string + func (c *ContainerSandbox) Exec(ctx context.Context, command string, timeout time.Duration) (string, error) + func (c *ContainerSandbox) HotSwap(ctx context.Context) error + func (c *ContainerSandbox) Image() string + func (c *ContainerSandbox) Running() bool + func (c *ContainerSandbox) SetImage(img string) + func (c *ContainerSandbox) Start(ctx context.Context) error + func (c *ContainerSandbox) Stop() error + type DevEnvManager struct + func NewDevEnvManager(projectDir string) *DevEnvManager + func (d *DevEnvManager) GetOrBuild(ctx context.Context, dockerfile string) (string, error) + func (d *DevEnvManager) Invalidate(projectDir string) + func (d *DevEnvManager) IsStale(projectDir string) bool + type IsolationLevel string + const IsolationContainer + const IsolationDefault + const IsolationEnhanced + const IsolationMaximum + const IsolationOff + type LandlockSandbox 
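Review bot: `SandboxManager.Restore(data []byte)` in v0.2.0 rebuilds a `SandboxState` whose `WorkDir` and `Files` keys come from the snapshot bytes, and nothing in the listed API says either is confined to the manager's `Dir`. Only signatures are visible here, so the body may already handle this. If it does not, each `Files` key should be rejected unless `filepath.IsLocal(name)` holds, and `WorkDir` should be re-derived under `m.Dir` rather than taken from the snapshot. A doc comment would make the contract explicit, for example `// Restore validates WorkDir and every Files key against m.Dir before writing; data from outside this manager is untrusted.` `Create(workDir string, ...)` takes a caller-supplied directory as well, so the same confinement rule would need to be stated there.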
struct + func NewLandlockSandbox(projectDir string) *LandlockSandbox + func (l *LandlockSandbox) AddReadOnlyPath(path string) + func (l *LandlockSandbox) AddReadWritePath(path string) + func (l *LandlockSandbox) Apply() error + type Mode string + const ModeOff + const ModeStrict + const ModeWorkspace + func ModeFromContext(ctx context.Context) Mode + func ParseMode(s string) Mode + type Sandbox struct + func New(config *Config) (*Sandbox, error) + func (s *Sandbox) Close() error + func (s *Sandbox) Run(ctx context.Context, command string) (*exec.Cmd, error) + type SandboxConfig struct + AllowNetwork bool + Mode Mode + WorkspaceDir string + type SandboxSelection struct + Backend string + Reason string + func SelectSandbox(level IsolationLevel, projectDir string) SandboxSelection
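Review bot: `var ContainerImageTag = "latest"` in v0.1.0 is an exported, mutable package variable that defaults to a floating tag, so the sandbox image is neither pinned nor protected from being reassigned by other code in the process. `CachedImage` carries a `ContentHash`, which suggests locally built images are hashed, but the listing does not show whether a pulled base image is verified. I would document the default as development-only, for example `// ContainerImageTag is the sandbox image tag; set a pinned version or digest outside development, "latest" is not reproducible.` Since the variable is already part of the v0 API, a later release could route it through `ContainerSandbox.SetImage` so the value is fixed per sandbox rather than global.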