See [Docker](#docker-1) below for mounting paths, networking, installing extra software, and building custom images.
40
+
32
41
### From source
33
42
34
43
```bash
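Review bot: The `#docker-1` target in the added "See [Docker](#docker-1) below" line depends on the numeric suffix GitHub appends to de-duplicate identical heading slugs, so the link will silently point at a different section if another "Docker" heading is added, removed or reordered. Giving the target section a unique title, or an explicit anchor, would keep this link and the identical one added further down the README stable.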
@@ -190,7 +199,7 @@ The server validates the `Host` header to prevent [DNS rebinding attacks](https:
190
199
-**Glob/grep search scope.**`--allow-path` validates the search directory for glob and grep, but results within that directory tree may include symlinks pointing outside it. The content of those symlink targets could be returned in grep output or listed by glob.
191
200
-**No process-level sandboxing.** All restrictions are enforced in application code within the platter process. They do not use OS-level mechanisms (seccomp, namespaces, pledge, etc.). A vulnerability in platter itself, Bun, or a dependency could bypass all restrictions.
192
201
193
-
For high-security deployments, combine these restrictions with OS-level isolation (containers, VMs, dedicated users with limited filesystem permissions).
202
+
For stronger isolation, use the just-bash sandbox, a Docker container, or both.
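Review bot: The replacement sentence at the end of this hunk offers the just-bash sandbox as an answer to the "No process-level sandboxing" bullet directly above it, but the table added later in this commit describes that sandbox as a TypeScript interpreter, which is still application-level enforcement and none of the OS mechanisms the bullet names. The rewrite also drops the VM and dedicated-user options from the removed line. Consider keeping "OS-level isolation (containers, VMs, dedicated users with limited filesystem permissions)" and presenting the sandbox as a complementary layer, not an alternative.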
-**No native binaries.** Commands like `git`, `node`, `docker`, `rg`, `python` are not available. Only bash builtins and just-bash's built-in command set work.
232
241
-**Beta software.** just-bash is under active development. Test your workflows before relying on it in production.
233
242
243
+
### Container isolation (Docker)
244
+
245
+
Running platter inside a Docker container provides OS-level isolation via Linux namespaces and cgroups. The container boundary limits what the bash tool can access — even unrestricted commands can only reach the filesystems and network that the container exposes.
246
+
247
+
```bash
248
+
# Minimal: no host filesystem, no network
249
+
docker run --rm -i --network none ghcr.io/scriptsmith/platter
-**Filesystem boundary.** Only explicitly mounted paths (`-v`) are visible. Even with bash enabled, commands cannot read or write host paths that aren't mounted.
265
+
-**Network boundary.**`--network none` completely disables networking. Without it, the container has outbound access but no access to host-only services unless `--network host` is used.
266
+
-**Process isolation.** Processes inside the container cannot see or signal host processes.
267
+
-**Resource limits.** Docker's `--memory`, `--cpus`, and `--pids-limit` flags can cap resource usage to prevent denial of service.
268
+
269
+
#### Combining sandbox and container
270
+
271
+
The just-bash sandbox and Docker container address different layers. Used together, they provide defense in depth:
272
+
273
+
| Layer | Protects against |
274
+
|---|---|
275
+
|**just-bash sandbox**| Arbitrary native process execution — no `git`, `curl`, `rm`, etc. Commands run in a TypeScript interpreter, not the OS shell. |
276
+
|**Docker container**| Host filesystem/network access — even if the sandbox has a bug or is bypassed, the container limits blast radius to mounted paths and allowed networks. |
277
+
278
+
```bash
279
+
# Maximum isolation: sandbox inside a container, overlay fs, no network
For the highest security posture, also run the container as a non-root user (`--user`), drop all capabilities (`--cap-drop ALL`), and set the filesystem read-only (`--read-only`) with a tmpdir for any needed writes:
See [Docker](#docker-1) for full usage instructions including mounting paths, networking, and building custom images.
303
+
304
+
## Docker
305
+
306
+
The Docker image is based on Debian Bookworm (slim) and includes ripgrep. Multi-arch images (`linux/amd64`, `linux/arm64`) are published to GitHub Container Registry on every tagged release.
The image uses Debian, so you can install packages with `apt-get` at runtime. This is useful for quick experiments but adds startup latency — for production use, build a custom image instead (see below).
368
+
369
+
```bash
370
+
docker run --rm -p 3100:3100 ghcr.io/scriptsmith/platter \
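Review bot: In the "Network boundary" bullet, "no access to host-only services unless `--network host` is used" reads as a stronger guarantee than default bridge networking gives, since a container on the default bridge can still reach host services that listen on all interfaces as well as other networks the host can route to. Suggest narrowing the claim to services bound to the host's loopback address and recommending `--network none` whenever bash is enabled. In the final example, `-p 3100:3100` publishes the port on every host interface, so `-p 127.0.0.1:3100:3100` would be a safer documented default. The `ghcr.io/scriptsmith/platter` references are also untagged, and pinning a release tag or digest would fit the hardening advice given for `--user`, `--cap-drop ALL` and `--read-only`.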