What's New in Docker Sandboxes (sbx) 0.35.0

Everything you want to know about the latest Docker sbx 0.35.0

Share
What's New in Docker Sandboxes (sbx) 0.35.0

Docker Sandboxes (sbx) runs AI coding agents inside isolated microVMs each
agent gets its own Docker daemon, filesystem, and network, so it can build
images, install packages, and rewrite files without ever touching your host.


Version 0.35.0 (released July 10, 2026) is a substantial release: it revamps the
policy tooling, teaches the proxy to chain through a SOCKS5 upstream, adds a
first-class secret import flow, makes sbx kit add recreate the sandbox cleanly,
and ships a proper sbx daemon command family.

Let's demystify each of these new features one by one.

Upgrade to 0.35.0

On macOS, upgrade through Homebrew and confirm the version:

$ brew upgrade docker/tap/sbx
docker/tap/sbx 0.34.0 -> 0.35.0
...
๐Ÿบ  sbx was successfully upgraded!

$ sbx version
sbx version: v0.35.0 01e0152...

On Windows use winget upgrade Docker.sbx; on Ubuntu, sudo apt-get update && sudo apt-get install --only-upgrade docker-sbx.

The new sbx daemon command

Everything sbx does runs against a background daemon, sandboxd. Before
0.35.0 that daemon was mostly invisible. Now it has its own command group:

$ sbx daemon --help
Manage sandboxd daemon

Available Commands:
  log-level   Inspect or change sandboxd's per-category log levels
  start       Start the sandboxd daemon
  stop        Stop the sandboxd daemon
  status      Check sandboxd daemon status

Start it and check status:

$ sbx daemon start
Starting daemon at .../sandboxd.sock (Ctrl+C to stop)...

$ sbx daemon status
Status: running
Socket: .../sandboxd/sandboxd.sock
Logs:   .../sandboxd/daemon.log

When something misbehaves, you can raise the log level of a single category
without restarting anything. The categories are proxygeneral, and all:

$ sbx daemon log-level
general info
proxy   info

$ sbx daemon log-level set proxy debug
proxy   debug

That proxy debug toggle is exactly what you want when you are debugging the
networking changes covered later in this post.

Policy tooling, rebuilt

The headline of 0.35.0 is the policy tooling. Sandboxes are deny-by-default:
a sandboxed process can only reach hosts and paths that policy explicitly
allows. Until now, understanding why a request was allowed or denied meant
squinting at logs. Three commands change that.

sbx policy ls ~ a readable overview

sbx policy ls now prints one row per policy, with its source, scope, and a
decision summary. On a governed machine, the header shows who manages the
policy and when it last synced:

$ sbx policy ls
Governance: Managed by acme-corp | Sync: OK, last synced 19:37:04 | Hidden: 15 inactive rules.

POLICY                                SOURCE   APPLIES TO   SUMMARY
allowanthropic                        org      all          network: 5 allow
allowdocker                           org      all          network: 15 allow
allowvscode                           org      all          network: 5 allow
denypaste                             org      all          network: 3 deny
Labspace AI Governance - network      org      all          network: 8 allow, 3 deny
Labspace AI Governance - filesystem   org      all          filesystem write: 1 allow, 5 deny
...

New filters let you slice that list. Combine --source (localorg, or
kit), --decision (allow or deny), and --type (network or
filesystem):

$ sbx policy ls --source org --decision deny
POLICY                                SOURCE   APPLIES TO   SUMMARY
deny-blocked-site                     org      all          network: 1 deny
denypaste                             org      all          network: 3 deny
Labspace AI Governance - network      org      all          network: 3 deny

Add --wide to expand every policy into its individual rules, with the exact
resources each one covers:

$ sbx policy ls --wide
SOURCE   APPLIES TO   POLICY/RULE                    TYPE               DECISION   RESOURCES
org      all          denypaste / Deny Slack chat    network            deny       hooks.slack.com
                                                                                    paste.ee
                                                                                    pastebin.com
org      all          allowanthropic / Allow AI ...  network            allow      api.anthropic.com:443
                                                                                    api.openai.com:443
                                                                                    ...
org      all          allowwork / allowwork          filesystem:write   allow      /Users/dev/work/**

sbx policy inspect ~ full detail on one policy

When you want everything about a single policy or rule, sbx policy inspect
takes a policy ID, policy name, rule ID, or rule name:

$ sbx policy inspect allowanthropic
Policy:      allowanthropic
Policy ID:   pol_06fa1waj241pgefktj4zbwph8909
Source:      org
Applies to:  all
Status:      active

Rules in this policy:
DECISION   RESOURCE                    TYPE      RULE                STATUS
allow      *.googleapis.com:443        network   Allow AI services   active
allow      api.anthropic.com:443       network   Allow AI services   active
allow      api.openai.com:443          network   Allow AI services   active
allow      platform.claude.com:443     network   Allow AI services   active
allow      statsig.anthropic.com:443   network   Allow AI services   active

sbx policy check network ~ test before you run

This is the one to reach for first. sbx policy check network evaluates a
request against the same daemon-side policy engine that enforces sandbox traffic
without launching a sandbox so you can answer "would this be allowed?" up
front.

An allowed host:

$ sbx policy check network api.anthropic.com:443
Allowed: api.anthropic.com:443
Governance: Managed by acme-corp
Context: global

A host blocked by an explicit deny rule tells you which rule blocked it:

$ sbx policy check network blocked-site.example:443
Denied: blocked-site.example:443
Context: global
Reason: denied by corporate policy rule "blocked-site-rule"

And a host that simply isn't allowed hits the default deny:

$ sbx policy check network example.com:443
Denied: example.com:443
Context: global
Reason: no matching allow rule (default deny)

Two details make this easy to script. The command exits non-zero on a denied
target, so you can gate a task on it in CI. And --json gives you the full
decision, including the deny kind and the rule that matched:

$ sbx policy check network --json blocked-site.example:443
{
  "action": "net:connect:tcp",
  "allowed": false,
  "deny_kind": "explicit",
  "reason": "Denied by corporate policy",
  "resource_value": "blocked-site.example:443",
  "rule": "blocked-site-rule",
  "type": "network"
}

Use --sandbox <name> to evaluate in a specific sandbox's context rather than
the global policy.

Import secrets from your environment

Before 0.35.0, sbx would silently pull API keys out of your host environment
at sandbox startup. That was convenient but opaque, you couldn't see what was
being injected. That auto-injection is gone. Instead, you now explicitly import
the keys you want into the keychain once with sbx secret import.

Start with a dry run to see what sbx detects in your environment:

$ sbx secret import --dry-run
Would import groq from GROQ_API_KEY (last 4: 5678)

Import a single service, or --all for everything detected non-interactively:

$ sbx secret import groq --all
โœ“ Imported groq from GROQ_API_KEY (last 4: 5678)

Imported 1 secret(s).

sbx secret ls now makes the source of every credential visible. Values are
masked, and importantly, it flags when a service is shadowed by an OAuth
token, so you know an imported API key would never actually be used:

$ sbx secret ls
SCOPE       TYPE      NAME        SECRET
(global)    service   github      gho_0C******...******QilS
(global)    service   openai      sk-pro******...******YGQA
(global)    service   anthropic   (oauth configured)

That last line is the new visibility: anthropic has an OAuth token from
sbx run claude ... -- auth login, so sbx secret import deliberately skips
it. Supported services include anthropicopenaigithubgoogle,
groqmistralopenrouterxai, and more.

sbx kit add recreates the sandbox cleanly

Kits are declarative YAML artifacts that extend a sandbox with extra tools, credentials, network rules, and files. Before 0.35.0, adding a kit to a running
sandbox injected it at runtime, which could leave the sandbox in an inconsistent state. Now sbx kit add recreates the container with the augmented kit list and preserves your data across the swap.

Here's a minimal demo kit that runs one install command:


schemaVersion: "1"
kind: mixin
name: hello-kit
displayName: Hello Kit
description: A tiny demo kit that installs a marker file

commands:
install:
- command: "echo 'installed by hello-kit' > /etc/hello-kit.txt"

With a running sandbox that has some workspace state, add the kit:


$ sbx kit add whatsnew-demo ./hello-kit
Recreating sandbox "whatsnew-demo" to apply augmented kit list...
  Swap container whatsnew-demo-swap-1491f52c started (id=54e880...).
Kit "hello-kit" added to sandbox "whatsnew-demo"

Two things to verify. First, the workspace file written before the swap is
still there ~ recreation preserves your data:

$ sbx exec whatsnew-demo -- cat /workspace/state.txt
state written at recreate test

Second, the kit's install command actually ran against the recreated container:

$ sbx exec whatsnew-demo -- cat /etc/hello-kit.txt
installed by hello-kit

The kit's network allow/deny rules and composed policy are applied to the
running sandbox too, so a kit that needs a new host can bring its own rule with
it.

Chain egress through a SOCKS5 upstream proxy

Networking gained a genuinely new capability: the sandbox proxy can now chain
its upstream egress through a SOCKS5 proxy. That means sandbox traffic can
respect the same egress controls as the rest of your machine โ€” routed through a
corporate proxy, an SSH tunnel, or anything that speaks SOCKS5.

DOCKER_SANDBOXES_PROXY now accepts http://https://socks5://, and
socks5h:// URLs (with optional user:pass@). With socks5://, DNS is
resolved on the host before the connection is handed to the proxy; with
socks5h://, DNS resolution happens at the proxy.

Let's prove it end to end. Start a local SOCKS5 proxy:

$ docker run -d --name socksdemo -e REQUIRE_AUTH=false -p 1080:1080 serjs/go-socks5-proxy

Point the daemon at it and start it. DOCKER_SANDBOXES_NO_PROXY โ€” also new in
0.35.0 โ€” excludes destinations from the upstream proxy using standard
NO_PROXY matching semantics:

$ export DOCKER_SANDBOXES_PROXY="socks5h://127.0.0.1:1080"
$ export DOCKER_SANDBOXES_NO_PROXY="registry-1.docker.io,auth.docker.io"
$ sbx daemon start

Now run an allowed request from inside a sandbox and watch it succeed:

$ sbx exec whatsnew-demo -- curl -s -o /dev/null -w "HTTP %{http_code}\n" https://api.openai.com/v1/models
HTTP 200

Check the SOCKS5 proxy's own logs, and you can see the sandbox's connection
arriving at the upstream:

$ docker logs socksdemo
[INFO] socks: Connection from allowed IP address: 192.168.65.1

Crucially, policy is still enforced before traffic reaches the upstream
proxy. A denied host is blocked no matter how egress is routed:

$ sbx exec whatsnew-demo -- curl -s -o /dev/null -w "HTTP %{http_code}\n" https://blocked-site.example
HTTP 403

The upstream proxy changes where allowed traffic goes, not what is allowed.

Richer sbx inspect

sbx inspect now gives you a single readable summary of a sandbox โ€” its agent,
kits, injected secrets, network and mount policy, proxy, and active sessions:

$ sbx inspect whatsnew-demo
  Name:           whatsnew-demo
  Agent:          shell
  Kits:           ./hello-kit
  State:          running (13s)
  Image:          docker/sandbox-templates:shell-docker
  Workspace:      /Users/dev/workdemo/sbx-demo
  Network Policy: global (organizational policy: acme-corp)
  Mount Policy:   allowed
  Proxy:          172.17.0.16:3128
  Secrets:        box (uploaded), github (uploaded), openai (uploaded)
  Ports:          none published
  Sessions:       0

  Daemon:         v0.35.0   uptime 7m

This is the fastest way to answer "what does this agent actually have access
to?" - kits, secrets, and policy all in one place.

Smaller changes worth knowing

  • sbx rm protects active sessions. Removing a sandbox that is in use (for example, an open SSH connection) now requires --force, so you can't pull the rug out from under a running agent by accident.
  • virtiofs caching is on by default everywhere. Faster filesystem performance across macOS, Linux, and Windows. Opt out with DOCKER_SANDBOXES_ENABLE_VIRTIOFS_CACHE=0 if you hit a caching edge case.
  • Faster startup. The TLS-proxy CA is installed by merging into the trust bundle instead of running update-ca-certificates, shaving several hundred milliseconds off each sandbox launch.
  • Balanced network preset additions. The balanced preset now allows VS Code domains, Azure Blob Storage (*.blob.core.windows.net), and dhi.io over HTTP out of the box.

Wrapping up

Docker Sandboxes 0.35.0 is mostly about visibility and control: you can now ask
the policy engine what it would decide before you run, see exactly which
credentials are injected and why, route sandbox egress through your own proxy,
and add capabilities to a live sandbox without corrupting its state. The
sbx policy check network and sbx secret ls commands in particular turn what
used to be guesswork into a quick, script-friendly question.

For the full change list, see the Docker Sandboxes release notes, and try sbx yourself from the get started guide. Found a bug or have a request? Open an issue at github.com/docker/sbx-releases/issues.