Devcontainer Security Checklist
Engineer/Developer, Security Specialist
While devcontainers can improve security, a maliciously or incorrectly configured devcontainer can still break the sandbox and access your system. When using pre-built devcontainers, always inspect the `.devcontainer.json` before running them. Did you check frameworks' devcontainer?
Check host mounts
Ensure the container only mounts your workspace. No access to sensitive host paths like `/`, `/home`, `.ssh`, or `/var/run/docker.sock`.
Network Isolation
By default, fully isolate devcontainers from the network. If network access is required, allow only specific hosts or ports, avoid LAN access, and avoid binding container ports to the host.
Inspect setup scripts
Review `Dockerfile`, `devcontainer.json`, and any post-create commands. Look for unsafe commands such as `sudo`, `--privileged`, or `curl | bash`.
Verify base image
Confirm the base image is from a trusted source and pinned to a version or digest. Avoid unverified or `latest` tags.
Run as non-root
The container should run as a normal user (like `vscode` or `developer`), not as root.
Use isolation
If uncertain, open untrusted repositories in remote or disposable environments (e.g., Codespaces, sandbox VMs) rather than your main machine.
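Several of the checks above can be run mechanically before a repository is opened. The following is an added example, not part of the original checklist or of any project's tooling: it audits an already-parsed `devcontainer.json` (the file permits comments, so strip them before parsing). The finding names and both sample configs are constructed for illustration.

```python
import re

LIFECYCLE = ("initializeCommand", "onCreateCommand", "updateContentCommand",
             "postCreateCommand", "postStartCommand", "postAttachCommand")

def _text(v):  # lifecycle commands may be a string, an argv list, or a dict of named commands
    if isinstance(v, dict):
        return " ; ".join(_text(x) for x in v.values())
    return " ".join(map(str, v)) if isinstance(v, list) else str(v or "")

def _source(mount):  # mounts are objects or "source=...,target=...,type=bind" strings
    if isinstance(mount, dict):
        return mount.get("source", "")
    kv = dict(p.split("=", 1) for p in mount.split(",") if "=" in p)
    return kv.get("source", kv.get("src", ""))

def audit(cfg):
    """Return the sorted checklist items that a parsed devcontainer.json fails."""
    found = set()
    for m in cfg.get("mounts", []):
        src = _source(m)
        if src in ("/", "/home", "/home/") or ".ssh" in src or "docker.sock" in src:
            found.add("host-mount")
    args = " ".join(cfg.get("runArgs", []))
    if cfg.get("privileged") or "--privileged" in args:
        found.add("privileged")
    if (re.search(r"--net(work)?[= ]host\b", args) or cfg.get("appPort")
            or re.search(r"(^| )(-p|--publish)[= ]", args)):
        found.add("network")
    image = cfg.get("image", "")  # a build.dockerfile needs its FROM line reviewed separately
    tag = image.rsplit("/", 1)[-1].partition(":")[2]
    if image and "@sha256:" not in image and tag in ("", "latest"):
        found.add("unpinned-image")
    # Assumption: with no user configured, the image default applies and is treated as root.
    if (cfg.get("remoteUser") or cfg.get("containerUser") or "root") == "root":
        found.add("root-user")
    cmds = " ; ".join(_text(cfg.get(k)) for k in LIFECYCLE)
    if re.search(r"\bsudo\b|\b(curl|wget)\b[^;|]*\|\s*(ba|z)?sh\b", cmds):
        found.add("setup-script")
    return sorted(found)

# Constructed sample configs, not taken from any real repository.
RISKY = {"image": "example.invalid/dev/base:latest", "remoteUser": "root",
         "runArgs": ["--privileged", "--network=host"],
         "mounts": ["source=/var/run/docker.sock,target=/var/run/docker.sock,type=bind"],
         "postCreateCommand": "curl -fsSL https://example.invalid/setup.sh | bash"}
HARDENED = {"image": "example.invalid/dev/base:1.2.3", "remoteUser": "vscode",
            "runArgs": ["--network=none"], "postCreateCommand": "npm ci --ignore-scripts"}
```

An empty result only means none of these patterns matched; the `Dockerfile` and any scripts the lifecycle commands call still need to be read by hand.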
For more information on devcontainer security, consider reviewing other security checklists, or use theredguild's devcontainer as a starting point for your own.