Run AI coding agents (Claude Code, OpenCode) safely inside sandboxed Docker containers with audit logging
Project description
LASSO
Run AI coding agents safely inside sandboxed Docker containers.
LASSO wraps Claude Code, OpenCode, and other AI agents in isolated containers with command filtering, network control, and tamper-evident audit logging. Every action the agent takes is controlled and recorded.
Quick Start
pip install lasso-sandbox
# Pre-build images (one time, ~2 min)
lasso prebuild
# Start coding with Claude Code
lasso up --agent claude-code --dir ~/my-project
# Or start from the dashboard
lasso dashboard
That's it. Claude Code opens in a sandboxed terminal with your project files mounted.
What It Does
When an AI agent runs inside LASSO:
- Dangerous commands are blocked —
rm,docker,sudo,ssh,nc, and 30+ others can't execute - Network is controlled — only package registries and AI APIs are reachable (configurable)
- Files are isolated — the agent can only see your project directory, nothing else
- Everything is logged — every command is recorded with tamper-proof signatures
- Your code stays on your machine — files are mounted from your computer, never copied into the container
Commands
lasso up # Start a sandbox (auto-detect agent + profile)
lasso up --agent claude-code # Start with Claude Code
lasso up --agent opencode # Start with OpenCode
lasso down # Stop all sandboxes
lasso shell --agent claude-code # Create sandbox + drop into terminal
lasso attach <id> # Reconnect to a running sandbox
lasso status # List running sandboxes
lasso stop <id> # Stop a sandbox
lasso why "pip install requests" # Check if a command would be allowed
lasso dashboard # Open the web dashboard
lasso prebuild # Pre-build container images
Dashboard
The web dashboard is the easiest way to use LASSO:
lasso dashboard
# Opens at http://127.0.0.1:8080
From the dashboard you can:
- Create sandboxes with one click (pick agent + security profile)
- Open a terminal window connected to any running sandbox
- View and edit security profiles visually
- Browse activity logs
- Create custom profiles with the profile editor
Security Profiles
LASSO comes with 5 built-in profiles:
| Profile | Commands | Internet | Best For |
|---|---|---|---|
| standard | Block dangerous, allow rest | Package registries + AI APIs | Everyday coding |
| open | Block dangerous, allow rest | Full internet | Research, browsing docs |
| offline | Block dangerous, allow rest | None | Sensitive data work |
| strict | Approved commands only | None | Compliance-critical work |
| evaluation | Read-only only | None | Testing untrusted agents |
Create custom profiles via the dashboard or TOML files:
# team-secure.toml
extends = "strict"
name = "team-secure"
[commands.blocked_args]
git = ["push --force", "config --global"]
How It Works
lasso up --agent claude-code --dir ~/my-project
1. Loads the "standard" security profile
2. Creates a Docker container from a pre-built image
3. Mounts ~/my-project as /workspace (read-write)
4. Mounts ~/.claude for authentication (read-write)
5. Applies network firewall rules (iptables)
6. Starts Claude Code inside the container
7. Logs everything to a tamper-evident audit trail
Inside the container:
- Non-root user (uid 1000)
- Read-only root filesystem
- All capabilities dropped
- No new privileges allowed
- Database ports blocked
- Cloud metadata blocked
Container Security
Every sandbox has these protections:
cap_drop: ALL— no Linux capabilitiesno-new-privileges— prevents privilege escalation- Read-only root filesystem
- Non-root user (uid 1000)
- Resource limits (memory, CPU, PIDs)
- Database port blocking (PostgreSQL, MySQL, MSSQL, etc.)
- IPv4 + IPv6 firewall rules
- iptables binaries removed after rule setup
Audit Trail
Every command is logged with HMAC-SHA256 signatures in a hash chain:
lasso audit view audit/<id>.jsonl # View the audit trail
lasso audit verify audit/<id>.jsonl # Verify chain integrity
Each entry records: timestamp, command, outcome (allowed/blocked), reason, and a tamper-proof signature.
Extra Folder Mounts
Mount additional directories into the sandbox:
# Read-write mount
lasso shell --agent claude-code --dir ~/project --mount ~/data:/data
# Read-only mount for shared context
lasso shell --agent claude-code --dir ~/project --mount ~/team-docs:/context:ro
Requirements
- Python 3.10+
- Docker Desktop or Podman
- ~2 GB disk for container images
Install
# From PyPI
pip install lasso-sandbox
# With all extras (dashboard + Docker SDK + keyring)
pip install lasso-sandbox[all]
# From source
git clone https://github.com/ClawWorksCo/lasso-sandbox.git
cd lasso-sandbox
pip install -e ".[all]"
License
Apache 2.0
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file lasso_sandbox-1.4.2.tar.gz.
File metadata
- Download URL: lasso_sandbox-1.4.2.tar.gz
- Upload date:
- Size: 195.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.10.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
d25bc3d6ad69b532fd8c7ef792507f36b18dc61c37395010e047af32871c61f7
|
|
| MD5 |
dc8dcd69acb3636482d42a75057c79f2
|
|
| BLAKE2b-256 |
1016b38d738ef23f771088fe20d8c210024587263cff473f43943deb6f9a7b62
|
File details
Details for the file lasso_sandbox-1.4.2-py3-none-any.whl.
File metadata
- Download URL: lasso_sandbox-1.4.2-py3-none-any.whl
- Upload date:
- Size: 222.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.10.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
060e1677fd4fcc03edf32bc61085befefbe2ca3b10b179c3f58cf693050facad
|
|
| MD5 |
e1542580e852a62b40abb0db852c7cd1
|
|
| BLAKE2b-256 |
b70795685a75ab13b3a2b218da9908c6233a06ac293ecedd9032f87bb95a0547
|
