April 1, 2026

Contain this: drama inside the sandbox

Article URL →HN comments →

Show HN: Zerobox – Sandbox any command with file and network restrictions

Docker diehards vs sandbox rebels: fans, skeptics, and a big “add a warning” chant

TLDR: Zerobox launches as a lightweight way to lock down commands and secrets without Docker, swapping real keys at a network proxy. The crowd split fast: Docker loyalists remain unconvinced, security hawks warn blacklisting is fragile, cautious users want big warnings, and builders ask for logging and latency numbers.

Hacker News lit up over Zerobox, a single-file tool promising to run any command in a locked-down “sandbox” where files, internet, and even environment variables are off-limits unless you say otherwise. It even does a spy-movie trick: your app sees a fake API key while a proxy swaps in the real one only for approved sites. Sounds neat… and cue the drama.

The first shot: Team Docker. One user shrugged, essentially saying, “cool, but I’m still using containers,” praising Docker’s runs-anywhere predictability while admitting this is lighter weight. Across the aisle, security purists pounced: one commenter called the approach “blacklisting” and “kind of impossible to get right,” warning that real-world apps (especially on macOS) need a mile-long permission list. That set the tone: ambition versus attack surface.

Then came the red flags. A voice of caution demanded a giant “experimental” sticker and clearer comparisons to tools like Bubblewrap. Meanwhile, the builders showed up: another dev, working on sandboxing AI-written programs, asked about latency—translation: will this slow my bots? And feature requests rolled in, like “log literally everything,” because if a sandbox screams in the console and no one logs it, did security even happen?

Verdict from the crowd: clever idea, spicy risks. Some want “diet Docker,” others want receipts, benchmarks, and big bold warnings.

Key Points

  • Zerobox is a single-binary, cross-platform sandbox for running commands with restricted file, network, and environment access.
  • It defaults to denying writes, network connections, and nonessential environment variables unless explicitly allowed.
  • On macOS it uses seatbelt; on Linux it uses bubblewrap and seccomp; it is powered by OpenAI Codex’s production sandbox runtime.
  • Network filtering is enforced by a real HTTP/SOCKS proxy with domain whitelisting and proxy-level secret substitution.
  • Installation options include curl script, npm, and Cargo; a TypeScript SDK and CLI provide usage with examples for Node.js and secret handling.

Hottest takes

"I would probably always reach for a docker container" — eluded7
"it’s blacklisting so kind of impossible to get right" — jbverschoor
"add a huge disclaimer that this is an untested, experimental project" — wepple

Save News

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.