Devcontainers & Secure Development Environments

Engineer/Developer, Security Specialist

Authored by:

Robert MacWha
Skylock | SEAL

Secure development environments reduce the risk of compromise when working with untrusted or unpredictable code. This section covers practical ways to contain risk using Devcontainers, Codespaces, and basic browser hygiene.

Securely Running Untrusted Code

When you might need this

Developers routinely execute unverified code. We (mostly) know not to run random binaries. But we often forget that source code is executable code.

  1. Recruitment Scams use fake job offers or "technical assignments" to trick developers into running infected code. Once run, the infected repo can compromise the developer's machine and expose private code or credentials.
  2. Malicious Dependencies mimic trusted packages or infiltrate supply chains. When installed, they execute hidden and malicious code that can steal secrets or tamper with builds.

Devcontainers

Devcontainers are locally run development environments packaged as Docker containers. They provide consistent, declarative and isolated environments for software development. Since they're built on Docker, devcontainers share its sandboxing and security model, including network and filesystem isolation.

Devcontainers can be used to improve security and reliability for most projects without introducing developer complexity. For instructions on how to set up devcontainers, theredguild offers an excellent introduction.

Importantly, while devcontainers can improve isolation, they won't always. Before running a new devcontainer you should inspect the .devcontainer.json to ensure sandboxing. Review Devcontainer Security for more information.

For security and convenience, Frameworks provides a devcontainer for local development. In addition to the security benefits, Devcontainers also standardize development environments so it doesn't just "work on my machine."
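
One way to do that inspection, as an added example rather than code from Frameworks or the devcontainer project: a small Python check that lists the settings in a devcontainer config which weaken isolation or run commands on the host. The property names (initializeCommand, privileged, capAdd, securityOpt, runArgs, mounts, workspaceMount) come from the devcontainer.json format; the selection of flags to report, the sample config and the assumption that the file has no trailing commas are this example's own.

```python
import json
import re

# Constructed sample config for illustration; not from a real repository.
SAMPLE = r'''{
  // looks like an ordinary Node project
  "image": "node:20",
  "initializeCommand": "bash ./scripts/setup.sh",
  "runArgs": ["--network=host", "--cap-add", "SYS_ADMIN"],
  "mounts": [
    "source=/var/run/docker.sock,target=/var/run/docker.sock,type=bind",
    {"source": "${localEnv:HOME}/.ssh", "target": "/home/node/.ssh", "type": "bind"}
  ]
}'''

VALUE_FLAGS = {"--cap-add", "--security-opt", "--device", "-v", "--volume", "--mount"}
HOST_NS_FLAGS = {"--network", "--net", "--pid", "--ipc", "--userns"}

def strip_comments(text):
    """devcontainer.json is JSONC: drop // and /* */ comments, keep strings intact."""
    pattern = r'("(?:\\.|[^"\\])*")|//[^\n]*|/\*.*?\*/'
    return re.sub(pattern, lambda m: m.group(1) or "", text, flags=re.S)

def audit(text):
    """Return settings a reviewer should read before opening the container."""
    cfg = json.loads(strip_comments(text))
    findings = []
    if "initializeCommand" in cfg:  # executes on the host, not in the container
        findings.append("initializeCommand runs on the host")
    for key in ("privileged", "capAdd", "securityOpt"):
        if cfg.get(key):
            findings.append(f"{key}: {cfg[key]}")
    tokens = []
    for arg in cfg.get("runArgs", []):  # normalise "--flag=value" to "--flag", "value"
        tokens += arg.split("=", 1) if arg.startswith("--") else [arg]
    for flag, value in zip(tokens, tokens[1:] + [""]):
        if flag == "--privileged":
            findings.append("runArgs: --privileged")
        elif flag in VALUE_FLAGS or (flag in HOST_NS_FLAGS and value == "host"):
            findings.append(f"runArgs: {flag} {value}")
    mounts = cfg.get("mounts", []) + [cfg.get("workspaceMount", "")]
    for m in mounts:  # mounts may be strings or {source, target, type} objects
        spec = m if isinstance(m, str) else ",".join(f"{k}={v}" for k, v in m.items())
        if "type=bind" in spec:
            findings.append(f"host bind mount: {spec}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

An empty result means none of these particular settings are present; it does not cover what the image, Dockerfile or lifecycle scripts do inside the container.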

Codespaces

Codespaces are cloud-hosted devcontainers. Like devcontainers they provide a declarative and isolated environment. However, since codespaces aren't run on your machine, they can be more secure when granting the containers access to external systems (i.e. network or filesystem). Popular codespaces include GitHub Codespaces and the self-hosted Coder.

Codespaces can be used when you're willing to give up some convenience for increased security. They should be used when running completely untrusted code, for example when running code from a recruiter or someone you don't know. When uncertain, prefer disposable environments that can be recreated from scratch after each session.

Browser Security

Attackers can target your browser extensions to steal private keys or propose malicious transactions. Best practice is to maintain a separate browser or browser profile for development. If a wallet is required, use a development wallet that only holds as much as you are comfortable losing. If using a separate browser profile is impractical, you can use incognito mode after ensuring all sensitive extensions are disabled.