codex-container-sandbox

from santiago-afonso

Run Codex CLI inside a Podman container with full internet access but filesystem exposure limited to the repo root + explicit bind mounts; use when you want yolo/web-search without giving the agent access to your whole host filesystem.

0 stars, 0 forks. Updated Jan 5, 2026

When & Why to Use This Skill

The codex-container-sandbox is a security-focused Claude skill that runs Codex CLI inside a local Podman container. It provides full internet access for web-based tasks while limiting host filesystem exposure to the repo root and explicit bind mounts, so files outside those mounts stay out of the agent's reach.

Use Cases

  • Secure Web Research: Perform extensive web searches and data retrieval using Codex's 'yolo' mode without risking exposure of the entire host operating system.
  • Isolated Development Environments: Restrict an AI agent's workspace to a specific repository root, preventing accidental modifications or exfiltration of files outside the project scope.
  • Safe Third-Party Tool Integration: Run untrusted scripts or external CLI tools within a hardened container while maintaining the ability to fetch necessary online dependencies.
  • Granular Permission Management: Use explicit read-only or read-write bind mounts to give the agent access only to the specific directories (like caches or temp folders) required for a task.
name: codex-container-sandbox
description: "Run Codex CLI inside a Podman container with full internet access but filesystem exposure limited to the repo root + explicit bind mounts; use when you want yolo/web-search without giving the agent access to your whole host filesystem."

codex-container-sandbox

Use this when you want:

  • Full egress/network for codex (web search, fetching, etc.)
  • Tight filesystem boundaries via container bind mounts (repo root + explicit allowlist)

This repo contains a wrapper script intended to be installed as codex-container-sandbox.

Workflow

  1. Build the image

    From the repo root (this repository):

    podman build -t localhost/codex-container-sandbox:latest -f Containerfile .
    
  2. Install the wrapper

    install -m 0755 codex-container-sandbox ~/.local/bin/codex-container-sandbox
    
  3. (Optional) Configure extra mounts

    Create ~/.config/codex-container-sandbox/config.sh:

    CODEX_CONTAINER_SANDBOX_IMAGE="localhost/codex-container-sandbox:latest"
    
    # Extra read-only mounts (mapped under /home/codex/... if under $HOME)
    CODEX_CONTAINER_SANDBOX_RO_MOUNTS=(
      "$HOME/.local/bin"
    )
    
    # Extra read-write mounts
    CODEX_CONTAINER_SANDBOX_RW_MOUNTS=(
      "$HOME/.cache/uv"
      "$HOME/tmp"
    )
    
  4. Login once inside the container

    codex-container-sandbox --shell
    codex login
    
  5. Run the self-test (recommended)

    ./selftest.sh
    

    If this repo is vendored as a git submodule at ./codex-container-sandbox/ (for example in a dotfiles repo), either:

    • cd codex-container-sandbox && ./selftest.sh, or
    • run ./codex-container-sandbox/selftest.sh from the parent repo root.
  6. Run Codex

    codex-container-sandbox exec "Summarize this repo"
    

Safety notes

  • This wrapper runs Codex in full-yolo mode (--dangerously-bypass-approvals-and-sandbox) with full networking. Anything mounted into the container can be exfiltrated.
  • Keep mounts minimal; do not mount secrets, password stores, SSH keys, or large chunks of $HOME unless you intend to expose them.
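
One way to check the mount lists from step 3 against the advice above before running the wrapper. This is an added example, not part of the wrapper or this repo; the function names and the SENSITIVE list of paths under $HOME are assumptions to adapt to your host.

```bash
#!/usr/bin/env bash
# Added example: flag mount entries that would expose secrets to the agent.
# SENSITIVE is an assumed starting list, not something the wrapper defines.
SENSITIVE=".ssh .gnupg .aws .kube .password-store .netrc .config/gcloud"

# risky_mount PATH: print a reason and return 0 if PATH should not be mounted.
risky_mount() {
  p=${1%/}; [ -n "$p" ] || p=/          # normalise trailing slash
  home=${HOME%/}
  case "$p" in
    /|"$home") echo "exposes all of / or \$HOME"; return 0 ;;
  esac
  case "$home/" in                       # e.g. /home when HOME=/home/alice
    "$p"/*) echo "is a parent of \$HOME"; return 0 ;;
  esac
  for s in $SENSITIVE; do
    case "$p/" in                        # the secret path or something in it
      "$home/$s"/*) echo "is or is inside ~/$s"; return 0 ;;
    esac
    case "$home/$s/" in                  # a directory that contains it
      "$p"/*) echo "contains ~/$s"; return 0 ;;
    esac
  done
  return 1
}

# audit_mounts PATH...: report every risky entry, non-zero if any was found.
audit_mounts() {
  rc=0
  for m in "$@"; do
    if reason=$(risky_mount "$m"); then
      echo "RISKY  $m: $reason" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Usage from bash, after sourcing the config file from step 3:
#   . ~/.config/codex-container-sandbox/config.sh
#   audit_mounts "${CODEX_CONTAINER_SANDBOX_RO_MOUNTS[@]}" \
#                "${CODEX_CONTAINER_SANDBOX_RW_MOUNTS[@]}"
```

The check is purely textual and does not resolve symlinks, so a mount that reaches a sensitive directory through a link will not be flagged.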