<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>article Letting Coding Agents Move Fast Without Breaking Everything in Technical Blog</title>
    <link>https://community.databricks.com/t5/technical-blog/letting-coding-agents-move-fast-without-breaking-everything/ba-p/152236</link>
    <description>&lt;P&gt;&lt;SPAN&gt;Your preferred AI model is a deeply personal choice. Public benchmarks might declare the “best” model for a specific task, but they don’t account for your workflow or how you access information, which can change the calculation entirely.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;Person A might find that using Gemini for a specific task is more productive than Claude because of the workflow they’ve adopted, while Person B might disagree and prefer Codex instead.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;Databricks Coding Agents give you access to top frontier models, letting you choose the best model for your workflow.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ezgif-6c9cee9d80b51dd4.gif" style="width: 999px;"&gt;&lt;img src="https://community.databricks.com/t5/image/serverpage/image-id/27178iBB88C3F1EDAA1696/image-size/large?v=v2&amp;amp;px=999" role="button" title="ezgif-6c9cee9d80b51dd4.gif" alt="ezgif-6c9cee9d80b51dd4.gif" /&gt;&lt;/span&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P style="text-align: center;"&gt;&lt;SPAN&gt;&lt;EM&gt;Databricks AI Gateway&lt;/EM&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3&gt;&lt;SPAN&gt;The new bottleneck: Human approval&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN&gt;As you get more proficient with these agents, you realise that the bottleneck isn’t the agents, it’s you having to approve every single action.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;Reviewing every edit kills your speed. But giving your agent access to your entire workspace and letting it run unchecked with &lt;/SPAN&gt;&lt;CODE&gt;--dangerously-skip-permissions&lt;/CODE&gt;&lt;SPAN&gt; or &lt;/SPAN&gt;&lt;CODE&gt;--yolo&lt;/CODE&gt;&lt;SPAN&gt; can lead to severe unintended consequences:&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI style="font-weight: 400;" aria-level="1"&gt;&lt;SPAN&gt;&lt;A href="https://www.theguardian.com/technology/2026/feb/20/amazon-cloud-outages-ai-tools-amazon-web-services-aws" target="_blank" rel="noopener"&gt;Amazon’s Kiro AI assistant took it upon itself to delete and recreate the environment during a routine task, causing a 13-hour outage.&lt;/A&gt;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI style="font-weight: 400;" aria-level="1"&gt;&lt;SPAN&gt;&lt;A href="https://x.com/summeryue0/status/2025774069124399363" target="_blank" rel="noopener"&gt;At Meta, even after explicitly asking her OpenClaw agent to confirm before every action, the director of AI Safety &amp;amp; Alignment still watched it bulk-delete and archive hundreds of emails.&lt;/A&gt;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;HR /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H3&gt;&lt;SPAN&gt;The solution: Containers as a blast radius limiter&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN&gt;The solution is straightforward. Run your coding agent inside a container, provide the environment variables and mount only the directories it should touch.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;The agent gets full autonomy inside the container, so it can read, write, and execute freely. But “freely” only applies to the environment variables you pass in and the directories you choose to mount. Your home directory, SSH keys, shell config, and every other project are invisible to it, limiting the blast radius of the agent’s mistakes.&lt;/SPAN&gt;&lt;/P&gt;
&lt;PRE&gt;&lt;CODE&gt;+-------------------------------------+
|           Your Machine              |
|                                     |
|  ~/.zshrc        &amp;lt;- untouchable     |
|  ~/.ssh/         &amp;lt;- untouchable     |
|  ~/Documents/    &amp;lt;- untouchable     |
|                                     |
|  ~/my-project/  ---- mounted ---&amp;gt;+  |
|                                  |  |
|  +---------------------------+   |  |
|  |     Docker Container      |   |  |
|  |                           |   |  |
|  |   /workspace &amp;lt;- only this |&amp;lt;--+  |
|  |                           |      |
|  |   Agent runs here with    |      |
|  |   full permissions but    |      |
|  |   can only see /workspace |      |
|  +---------------------------+      |
+-------------------------------------+&lt;/CODE&gt;&lt;/PRE&gt;
&lt;H3&gt;&lt;SPAN&gt;Getting Started&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN&gt;While there are many ways to define containers, this article will use Dockerfiles and also assume that your coding agents are configured to use Databricks endpoints. It will describe the following:&lt;/SPAN&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI style="font-weight: 400;" aria-level="1"&gt;&lt;SPAN&gt;The container Dockerfiles&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI style="font-weight: 400;" aria-level="1"&gt;&lt;SPAN&gt;How to provide environment variables and mount directories&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI style="font-weight: 400;" aria-level="1"&gt;&lt;SPAN&gt;Specific commands that reduce blast radius&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;HR /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H3&gt;&lt;SPAN&gt;The Dockerfiles&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN&gt;We start by defining a container for Claude Code, Gemini or Codex. I’ve published sandbox templates for each of these agents &lt;/SPAN&gt;&lt;A href="https://github.com/databricks-solutions/databricks-blogposts/tree/main/2026-05-coding-agent-sandboxes" target="_blank" rel="noopener"&gt;&lt;SPAN&gt;here&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN&gt;.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;Each template is intentionally minimal. Here’s the Claude one in its entirety:&lt;/SPAN&gt;&lt;/P&gt;
&lt;PRE&gt;&lt;CODE&gt;# Minimal Claude Code sandbox
FROM node:20-bookworm

# Install Claude Code CLI
# Note: unpinned version resolves to latest at build time. Pin for reproducibility, e.g.:
# RUN npm install -g @anthropic-ai/claude-code@1.x
RUN npm install -g @anthropic-ai/claude-code

# --- Add project-specific dependencies below (e.g., Go, Terraform, Python, Rust) ---


# --- End project-specific dependencies ---

# Create non-root user with a fixed uid so --tmpfs uid=1001 in docker run
# always matches this user (Claude Code blocks --dangerously-skip-permissions as root)
RUN useradd -m -s /bin/bash -u 1001 agent \
    &amp;amp;&amp;amp; mkdir -p /home/agent/.claude \
    &amp;amp;&amp;amp; chown -R agent:agent /home/agent

# Set working directory
WORKDIR /workspace

# Switch to non-root user
USER agent

# Default command
ENTRYPOINT ["claude"]&lt;/CODE&gt;&lt;/PRE&gt;
&lt;P&gt;&lt;SPAN&gt;The Codex and Gemini templates follow the same pattern. Just swap out the CLI package and the relevant configuration directory for your coding agent, then build the image:&lt;/SPAN&gt;&lt;/P&gt;
&lt;PRE&gt;&lt;CODE&gt;# Claude
docker build -f Dockerfile.claude.template -t claude-code:latest .

# Codex
docker build -f Dockerfile.codex.template -t codex-cli:latest .

# Gemini
docker build -f Dockerfile.gemini.template -t gemini-cli:latest .&lt;/CODE&gt;&lt;/PRE&gt;
&lt;P&gt;&lt;SPAN&gt;If you require additional tools, add them to the Dockerfile. On Apple Silicon, add &lt;/SPAN&gt;&lt;CODE&gt;--platform linux/arm64&lt;/CODE&gt;&lt;SPAN&gt; for native performance.&lt;/SPAN&gt;&lt;/P&gt;
&lt;HR /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H3&gt;&lt;SPAN&gt;How to provide environment variables and mount directories&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN&gt;Assuming you have configured authentication following the Databricks Coding Agents setup instructions for &lt;/SPAN&gt;&lt;A href="https://docs.databricks.com/aws/en/ai-gateway/coding-agent-integration-beta" target="_blank" rel="noopener"&gt;&lt;SPAN&gt;AWS&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN&gt;, &lt;/SPAN&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/databricks/ai-gateway/coding-agent-integration-beta" target="_blank" rel="noopener"&gt;&lt;SPAN&gt;Azure&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN&gt;, or &lt;/SPAN&gt;&lt;A href="https://docs.databricks.com/gcp/en/ai-gateway/coding-agent-integration-beta" target="_blank" rel="noopener"&gt;&lt;SPAN&gt;GCP&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN&gt;, the config files need small adjustments to work inside a container. See the &lt;/SPAN&gt;&lt;A href="https://github.com/databricks-solutions/databricks-blogposts/blob/main/2026-05-coding-agent-sandboxes/readme.md" target="_blank" rel="noopener"&gt;&lt;SPAN&gt;readme&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN&gt; located with the sandbox templates for working examples.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;After that navigate to the project you want the agent to work on and run the container. The project directory gets mounted as &lt;/SPAN&gt;&lt;CODE&gt;/workspace&lt;/CODE&gt;&lt;SPAN&gt;, and each agent reads its Databricks credentials differently depending on what the CLI supports:&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;&lt;STRONG&gt;Codex:&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;PRE&gt;&lt;CODE&gt;docker run -it --rm \
 --cap-drop=ALL \
 --security-opt=no-new-privileges \
 --read-only \
 --tmpfs /tmp:rw,size=128m \
 --tmpfs "/home/agent:rw,size=128m,uid=1001,gid=1001" \
 --pids-limit=512 \
 --memory=4g \
 -e DATABRICKS_TOKEN \
 -v $(pwd):/workspace \
 -v ~/.codex:/home/agent/.codex \
 codex-cli:latest&lt;/CODE&gt;&lt;/PRE&gt;
&lt;P&gt;&lt;SPAN&gt;&lt;STRONG&gt;Gemini:&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;PRE&gt;&lt;CODE&gt;docker run -it --rm \
 --cap-drop=ALL \
 --security-opt=no-new-privileges \
 --read-only \
 --tmpfs /tmp:rw,size=128m \
 --tmpfs "/home/agent:rw,size=128m,uid=1001,gid=1001" \
 --pids-limit=512 \
 --memory=4g \
 -v $(pwd):/workspace \
 --env-file ~/.gemini/.env \
 gemini-cli:latest --yolo&lt;/CODE&gt;&lt;/PRE&gt;
&lt;P&gt;&lt;SPAN&gt;&lt;STRONG&gt;Claude:&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;PRE&gt;&lt;CODE&gt;docker run -it --rm \
 --cap-drop=ALL \
 --security-opt=no-new-privileges \
 --read-only \
 --tmpfs /tmp:rw,size=128m \
 --tmpfs "/home/agent:rw,size=128m,uid=1001,gid=1001" \
 --pids-limit=512 \
 --memory=4g \
 -v $(pwd):/workspace \
 -v ~/.claude/settings.json:/home/agent/.claude/settings.json:ro \
 claude-code:latest --verbose --dangerously-skip-permissions&lt;/CODE&gt;&lt;/PRE&gt;
&lt;P&gt;&lt;SPAN&gt;That’s it. The agent launches in interactive mode, sees only &lt;/SPAN&gt;&lt;CODE&gt;/workspace&lt;/CODE&gt;&lt;SPAN&gt;, and everything else on your machine is invisible.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;Here are a few notes on how credentials are passed for each coding agent:&lt;/SPAN&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI style="font-weight: 400;" aria-level="1"&gt;&lt;SPAN&gt;Claude Code mounts &lt;/SPAN&gt;&lt;CODE&gt;settings.json&lt;/CODE&gt;&lt;SPAN&gt; as a single read-only file and only reads this file at startup.&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI style="font-weight: 400;" aria-level="1"&gt;&lt;SPAN&gt;Codex mounts the whole &lt;/SPAN&gt;&lt;CODE&gt;~/.codex&lt;/CODE&gt;&lt;SPAN&gt; directory (not just the config file) because Codex needs to save session data alongside its config. Your &lt;/SPAN&gt;&lt;CODE&gt;config.toml&lt;/CODE&gt;&lt;SPAN&gt; should tell Codex to read the token from the &lt;/SPAN&gt;&lt;CODE&gt;DATABRICKS_TOKEN&lt;/CODE&gt;&lt;SPAN&gt; environment variable rather than running a shell command to fetch one, since the container does not have the Databricks CLI installed.&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI style="font-weight: 400;" aria-level="1"&gt;&lt;SPAN&gt;Gemini passes credentials using &lt;/SPAN&gt;&lt;CODE&gt;--env-file&lt;/CODE&gt;&lt;SPAN&gt; which loads your &lt;/SPAN&gt;&lt;CODE&gt;.env&lt;/CODE&gt;&lt;SPAN&gt; file as environment variables. This is used instead of mounting the file directly because Gemini needs to write other files into its config directory. One thing to watch out for is that values in the &lt;/SPAN&gt;&lt;CODE&gt;.env&lt;/CODE&gt;&lt;SPAN&gt; file should not have quotes around them. For example use &lt;/SPAN&gt;&lt;CODE&gt;GEMINI_API_KEY_AUTH_MECHANISM=bearer&lt;/CODE&gt;&lt;SPAN&gt;, as Docker reads the quotes literally, which breaks authentication.&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;HR /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H3&gt;&lt;SPAN&gt;Commands that reduce blast radius&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN&gt;&lt;STRONG&gt;1. &lt;/STRONG&gt;&lt;/SPAN&gt;&lt;CODE&gt;&lt;STRONG&gt;-v&lt;/STRONG&gt;&lt;/CODE&gt;&lt;SPAN&gt;&lt;STRONG&gt; mounts only the directories you specify&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;PRE&gt;&lt;CODE&gt;-v $(pwd):/workspace&lt;/CODE&gt;&lt;/PRE&gt;
&lt;P&gt;&lt;SPAN&gt;Use &lt;/SPAN&gt;&lt;CODE&gt;-v&lt;/CODE&gt;&lt;SPAN&gt; to mount directories into the container. Only the directories you explicitly mount are visible to the agent. Everything else on your machine does not exist from the agent’s perspective.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;&lt;STRONG&gt;2. &lt;/STRONG&gt;&lt;/SPAN&gt;&lt;CODE&gt;&lt;STRONG&gt;-e&lt;/STRONG&gt;&lt;/CODE&gt;&lt;SPAN&gt;&lt;STRONG&gt; passes only the environment variables you specify&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;PRE&gt;&lt;CODE&gt;-e DATABRICKS_TOKEN&lt;/CODE&gt;&lt;/PRE&gt;
&lt;P&gt;&lt;SPAN&gt;Use &lt;/SPAN&gt;&lt;CODE&gt;-e&lt;/CODE&gt;&lt;SPAN&gt; to pass environment variables into the container. The agent only has access to the variables you explicitly declare.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;&lt;STRONG&gt;3. &lt;/STRONG&gt;&lt;/SPAN&gt;&lt;CODE&gt;&lt;STRONG&gt;:ro&lt;/STRONG&gt;&lt;/CODE&gt;&lt;SPAN&gt;&lt;STRONG&gt; makes mounts read-only&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;PRE&gt;&lt;CODE&gt;-v ~/.claude/settings.json:/home/agent/.claude/settings.json:ro&lt;/CODE&gt;&lt;/PRE&gt;
&lt;P&gt;&lt;SPAN&gt;The &lt;/SPAN&gt;&lt;CODE&gt;:ro&lt;/CODE&gt;&lt;SPAN&gt; flag makes the mounted file read-only inside the container. The agent can read your credentials to authenticate, but cannot overwrite or corrupt them.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;&lt;STRONG&gt;4. Non-root user&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;PRE&gt;&lt;CODE&gt;RUN useradd -m -s /bin/bash -u 1001 agent
USER agent&lt;/CODE&gt;&lt;/PRE&gt;
&lt;P&gt;&lt;SPAN&gt;The agent process runs as a regular user, not root. Even inside the container, this prevents the agent from modifying system files or installing packages at runtime.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;&lt;STRONG&gt;5. Root-owned workspace&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;PRE&gt;&lt;CODE&gt;WORKDIR /workspace&lt;/CODE&gt;&lt;/PRE&gt;
&lt;P&gt;&lt;CODE&gt;WORKDIR&lt;/CODE&gt;&lt;SPAN&gt; runs before &lt;/SPAN&gt;&lt;CODE&gt;USER agent&lt;/CODE&gt;&lt;SPAN&gt;, so &lt;/SPAN&gt;&lt;CODE&gt;/workspace&lt;/CODE&gt;&lt;SPAN&gt; is created as root. If you forget the &lt;/SPAN&gt;&lt;CODE&gt;-v&lt;/CODE&gt;&lt;SPAN&gt; mount, the agent gets a permission denied error instead of silently writing to a throwaway filesystem. This is a fail-closed design. The container does nothing useful unless you explicitly mount a directory.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;&lt;STRONG&gt;6. &lt;/STRONG&gt;&lt;/SPAN&gt;&lt;CODE&gt;&lt;STRONG&gt;--cap-drop=ALL&lt;/STRONG&gt;&lt;/CODE&gt;&lt;SPAN&gt;&lt;STRONG&gt; removes all special OS permissions&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;PRE&gt;&lt;CODE&gt;--cap-drop=ALL&lt;/CODE&gt;&lt;/PRE&gt;
&lt;P&gt;&lt;SPAN&gt;Containers get a set of Linux capabilities by default (things like changing file ownership or binding to low ports). The agent doesn’t need any of them. Dropping them all means even if something goes wrong inside the container, it can’t do anything privileged.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;&lt;STRONG&gt;7. &lt;/STRONG&gt;&lt;/SPAN&gt;&lt;CODE&gt;&lt;STRONG&gt;--security-opt=no-new-privileges&lt;/STRONG&gt;&lt;/CODE&gt;&lt;SPAN&gt;&lt;STRONG&gt; blocks privilege escalation&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;PRE&gt;&lt;CODE&gt;--security-opt=no-new-privileges&lt;/CODE&gt;&lt;/PRE&gt;
&lt;P&gt;&lt;SPAN&gt;Stops the agent from running a program that grants itself higher permissions. This closes the “exploit a setuid binary” loophole that attackers commonly use to escalate from a regular user to root.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;&lt;STRONG&gt;8. &lt;/STRONG&gt;&lt;/SPAN&gt;&lt;CODE&gt;&lt;STRONG&gt;--read-only&lt;/STRONG&gt;&lt;/CODE&gt;&lt;SPAN&gt;&lt;STRONG&gt; with writable tmpfs (temporary file system) mounts&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;PRE&gt;&lt;CODE&gt;--read-only
--tmpfs /tmp:rw,size=128m
--tmpfs "/home/agent:rw,size=128m,uid=1001,gid=1001"&lt;/CODE&gt;&lt;/PRE&gt;
&lt;P&gt;&lt;SPAN&gt;Makes the container’s own filesystem immutable. The agent can’t install packages or drop scripts into system directories. The CLI tools still need somewhere to write session state and temp files, so we give them two small writable locations: &lt;/SPAN&gt;&lt;CODE&gt;/tmp&lt;/CODE&gt;&lt;SPAN&gt; and the agent’s home directory. Both are capped at 128 MB and get thrown away when the container exits. Your mounted project folder is the only place where real work persists.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;The &lt;/SPAN&gt;&lt;CODE&gt;uid=1001,gid=1001&lt;/CODE&gt;&lt;SPAN&gt; part sets ownership of the tmpfs to the &lt;/SPAN&gt;&lt;CODE&gt;agent&lt;/CODE&gt;&lt;SPAN&gt; user inside the container. Without it, the tmpfs is owned by root and the agent can’t write to its own home directory. The 1001 value matches the uid we pinned in the Dockerfile with &lt;/SPAN&gt;&lt;CODE&gt;useradd -u 1001 agent&lt;/CODE&gt;&lt;SPAN&gt;.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;&lt;STRONG&gt;9. &lt;/STRONG&gt;&lt;/SPAN&gt;&lt;CODE&gt;&lt;STRONG&gt;--pids-limit=512&lt;/STRONG&gt;&lt;/CODE&gt;&lt;SPAN&gt;&lt;STRONG&gt; caps the number of processes&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;PRE&gt;&lt;CODE&gt;--pids-limit=512&lt;/CODE&gt;&lt;/PRE&gt;
&lt;P&gt;&lt;SPAN&gt;Limits how many processes can run at once inside the container. If a command goes haywire and starts spawning processes in a loop, it hits this ceiling instead of eating all your host resources.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;&lt;STRONG&gt;10. &lt;/STRONG&gt;&lt;/SPAN&gt;&lt;CODE&gt;&lt;STRONG&gt;--memory=4g&lt;/STRONG&gt;&lt;/CODE&gt;&lt;SPAN&gt;&lt;STRONG&gt; caps RAM usage&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;PRE&gt;&lt;CODE&gt;--memory=4g&lt;/CODE&gt;&lt;/PRE&gt;
&lt;P&gt;&lt;SPAN&gt;Specifies a hard cap on the memory allowed to be consumed by the container. If the agent spawns something that leaks memory, the container gets killed at 4 GB instead of consuming your whole machine’s RAM. Adjust the value based on your workload.&lt;/SPAN&gt;&lt;/P&gt;
&lt;HR /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H3&gt;&lt;SPAN&gt;Customizing for your stack&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN&gt;The templates are starting points. If your project needs specific toolchains, copy a template into a subdirectory and add dependencies in the marked section:&lt;/SPAN&gt;&lt;/P&gt;
&lt;PRE&gt;&lt;CODE&gt;# --- Add project-specific dependencies below (e.g., Go, Terraform, Python, Rust) ---

RUN apt-get update &amp;amp;&amp;amp; apt-get install -y python3 python3-pip \
   &amp;amp;&amp;amp; apt-get clean &amp;amp;&amp;amp; rm -rf /var/lib/apt/lists/*

# --- End project-specific dependencies ---&lt;/CODE&gt;&lt;/PRE&gt;
&lt;HR /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H3&gt;&lt;SPAN&gt;Shell alias (macOS / Linux)&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN&gt;You can wrap the container command in a shell alias so running your sandboxed agent feels like calling a local CLI. I call mine &lt;/SPAN&gt;&lt;CODE&gt;claudex&lt;/CODE&gt;&lt;SPAN&gt;.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;On macOS or Linux, add this to your &lt;/SPAN&gt;&lt;CODE&gt;~/.zshrc&lt;/CODE&gt;&lt;SPAN&gt; (or &lt;/SPAN&gt;&lt;CODE&gt;~/.bashrc&lt;/CODE&gt;&lt;SPAN&gt;&lt;span class="lia-unicode-emoji" title=":disappointed_face:"&gt;😞&lt;/span&gt;&lt;/SPAN&gt;&lt;/P&gt;
&lt;PRE&gt;&lt;CODE&gt;claudex() {
  docker run -it --rm \
    --cap-drop=ALL \
    --security-opt=no-new-privileges \
    --read-only \
    --tmpfs /tmp:rw,size=128m \
    --tmpfs "/home/agent:rw,size=128m,uid=1001,gid=1001" \
    --pids-limit=512 \
    --memory=4g \
    --workdir $(pwd) \
    -v $(pwd):$(pwd) \
    -v ~/.claude/settings.json:/home/agent/.claude/settings.json:ro \
    claude-code:latest --verbose --dangerously-skip-permissions "$@"
}&lt;/CODE&gt;&lt;/PRE&gt;
&lt;P&gt;&lt;SPAN&gt;This mounts your current directory at the same absolute path inside the container (so the agent sees the same file paths you do on the host) and sets &lt;/SPAN&gt;&lt;CODE&gt;--workdir&lt;/CODE&gt;&lt;SPAN&gt; to match. Your Claude settings are mounted read-only for authentication. The agent is confined to the working directory and cannot access or modify anything else on your host machine.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;After reloading your shell (for example, &lt;/SPAN&gt;&lt;CODE&gt;source ~/.zshrc&lt;/CODE&gt;&lt;SPAN&gt;), you can run &lt;/SPAN&gt;&lt;CODE&gt;claudex&lt;/CODE&gt;&lt;SPAN&gt; from any project directory to launch the agent inside its container.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;On Windows, you can achieve something similar with PowerShell functions or aliases, but the exact setup will differ from the macOS/Linux example above.&lt;/SPAN&gt;&lt;/P&gt;
&lt;HR /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H3&gt;&lt;SPAN&gt;What this doesn’t protect against&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN&gt;Containers limit filesystem access, not network access. The agent can still make API calls, download packages, or reach the internet. Docker does not offer fine-grained network controls out of the box. Adding &lt;/SPAN&gt;&lt;CODE&gt;--network=none&lt;/CODE&gt;&lt;SPAN&gt; to your &lt;/SPAN&gt;&lt;CODE&gt;docker run&lt;/CODE&gt;&lt;SPAN&gt; command blocks all traffic including the model API. Fine-grained network control requires additional tooling like a forward proxy, which is beyond the scope of this article.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;This also doesn’t protect the mounted directory itself. If you mount &lt;/SPAN&gt;&lt;CODE&gt;$(pwd):/workspace&lt;/CODE&gt;&lt;SPAN&gt;, the agent can delete everything in that directory. Use git branches or worktrees so you can always revert.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;Note: Since the release of Claude’s model Mythos, there is growing discussion around the next wave of models being able to discover and exploit container breakout vulnerabilities, sometimes without the prompter even knowing it happened. Containers share the host kernel, and a sufficiently capable agent that finds a kernel exploit can escape the container entirely.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;This is driving interest in using virtual machines instead, as they run their own kernel. So even if the agent compromises the guest operating system, it cannot reach the host.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;For most development workflows today, containers remain a practical and meaningful improvement over running agents directly on your host. But if you are giving agents access to sensitive environments or running untrusted prompts, consider whether VM-level isolation is more appropriate for your threat model. The industry is moving in this direction, and it is worth watching how vendors respond as model capabilities continue to advance.&lt;/SPAN&gt;&lt;/P&gt;
&lt;HR /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H3&gt;&lt;SPAN&gt;Conclusion&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN&gt;We have just gone through how to use each frontier model in a container sandbox. Each model’s credentials are passed into the container (via read-only mounts, env vars, or env files depending on the CLI) allowing you to connect to the models hosted on Databricks.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;With a sandbox environment, you don’t have to choose between speed and safety. Run your coding agent in a container, mount only what it needs, and let it work with full permissions inside that boundary. The worst case goes from “agent deletes your home directory” to “agent makes a mess in one git branch.”&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;The Dockerfiles are available on &lt;/SPAN&gt;&lt;A href="https://github.com/databricks-solutions/databricks-blogposts/tree/main/2026-05-coding-agent-sandboxes" target="_blank" rel="noopener"&gt;&lt;SPAN&gt;GitHub&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN&gt;.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;Pick a template, build it, and start sandboxing.&lt;/SPAN&gt;&lt;/P&gt;</description>
    <pubDate>Thu, 21 May 2026 15:30:11 GMT</pubDate>
    <dc:creator>jlieow</dc:creator>
    <dc:date>2026-05-21T15:30:11Z</dc:date>
    <item>
      <title>Letting Coding Agents Move Fast Without Breaking Everything</title>
      <link>https://community.databricks.com/t5/technical-blog/letting-coding-agents-move-fast-without-breaking-everything/ba-p/152236</link>
      <description>&lt;P&gt;&lt;SPAN&gt;As you get proficient with coding agents, you realise that the biggest bottleneck isn’t the model. It’s you, sitting there approving every single action.&lt;/SPAN&gt;&lt;SPAN&gt;&lt;BR /&gt;&lt;/SPAN&gt;&lt;SPAN&gt;&lt;BR /&gt;&lt;/SPAN&gt;&lt;SPAN&gt;Reviewing every edit kills your speed. But letting an agent run unchecked with --dangerously-skip-permissions or --yolo can lead to terrible outcomes.&lt;/SPAN&gt;&lt;SPAN&gt;&lt;BR /&gt;&lt;/SPAN&gt;&lt;SPAN&gt;&lt;BR /&gt;&lt;/SPAN&gt;&lt;SPAN&gt;What if there were a way to constrain your agent’s access to only the secrets and files it’s expected to edit?&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 21 May 2026 15:30:11 GMT</pubDate>
      <guid>https://community.databricks.com/t5/technical-blog/letting-coding-agents-move-fast-without-breaking-everything/ba-p/152236</guid>
      <dc:creator>jlieow</dc:creator>
      <dc:date>2026-05-21T15:30:11Z</dc:date>
    </item>
  </channel>
</rss>

