You want to evaluate ContainAI's security - understand its isolation guarantees, threat model, attack surface, and what it explicitly does not protect against.
- Read the threat model - SECURITY.md documents isolation modes, security guarantees, and explicit non-goals
- Understand the isolation - ContainAI uses Sysbox for isolation: on Linux/WSL2 via ContainAI-managed docker-ce, on macOS via a Lima VM. Both provide user namespace isolation (container root maps to an unprivileged host UID). See SECURITY.md for details.
- Review the attack scenarios - Security Scenarios shows what happens with and without isolation
- SECURITY.md - Threat model, security guarantees, unsafe opt-ins, reporting process
- Security Scenarios - Real-world attack chains with/without isolation
- Security Comparison - ContainAI vs Docker ECI, gVisor, microVMs, plain containers
- Architecture - System design and security boundaries
- Base Image Contract - What the container images guarantee
```mermaid
%%{init: {'theme': 'base'}}%%
flowchart TD
    START["Start Here"]
    SM["SECURITY.md<br/>Threat Model"]
    SS["Security Scenarios<br/>Attack Chains"]
    SC["Security Comparison<br/>vs Alternatives"]
    ARCH["Architecture<br/>System Design"]
    BIC["Base Image Contract<br/>Image Guarantees"]

    START --> SM
    SM --> SS
    SS --> SC
    SC --> ARCH
    ARCH --> BIC

    subgraph threat["Threat Understanding"]
        SM
        SS
    end
    subgraph comparison["Comparative Analysis"]
        SC
    end
    subgraph implementation["Implementation"]
        ARCH
        BIC
    end

    SM -.->|"What we protect"| SRC1["src/lib/container.sh"]
    SM -.->|"Detection logic"| SRC2["src/lib/doctor.sh"]
    ARCH -.->|"Entry security"| SRC3["src/container/entrypoint.sh"]
```
ContainAI enforces sandbox-first execution using Sysbox:
- Linux/WSL2: uses `--runtime=sysbox-runc` with the ContainAI-managed docker-ce daemon
- macOS: uses a Lima VM with the Sysbox runtime
Both provide user namespace isolation (container root maps to an unprivileged host UID), credential isolation, and Docker socket denial by default.
For the complete isolation guarantees table, see SECURITY.md > Security Guarantees.
ContainAI explicitly does not protect against malicious container images, network-based attacks, resource exhaustion, or host kernel exploits.
See SECURITY.md > Non-Goals for the complete list with rationale.
ContainAI provides explicit bypass flags for testing:
- `--force`: skips isolation verification (for development/testing only)
Credentials are synced from the host into a volume via `cai import` rather than shared at runtime. An inner Docker daemon (DinD) is used instead of mounting the host Docker socket.
See SECURITY.md > Unsafe Opt-ins for details and CLI Reference for flag documentation.
| Input | Validation Location | Notes |
|---|---|---|
| TOML config files | config.sh | Parsed without shell eval |
| Environment variables | entrypoint.sh | Key/value validation |
| Volume mount paths | entrypoint.sh | Symlink and traversal checks |
| Container names | container.sh | RFC 1123 hostname compliance |
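The checks in the table are the kind a shell-based launcher has to get right without `eval`. The functions below are an added example written for this page, not ContainAI's `config.sh`, `entrypoint.sh` or `container.sh`: a container-name check against an RFC 1123 DNS label (the lowercase-only rule is this example's assumption; the RFC itself is case-insensitive), a `.env` line check that rejects malformed keys and multi-line values without expanding the value, and a mount-path check that normalises `..` lexically, requires the result to stay under a given root, and refuses any symlink component below that root. The path check's two-pass design (normalise, then walk components for symlinks) is a general pattern, not something the page attributes to the project.

```shell
#!/bin/sh
# Added example, not ContainAI's own code: validators of the kinds listed in
# the table above, written as plain POSIX shell functions that never eval
# their input.
set -eu

# Container name as an RFC 1123 DNS label: 1-63 chars of lowercase letters,
# digits and '-', neither starting nor ending with '-'. Lowercase-only is an
# assumption of this example (the RFC compares case-insensitively).
valid_container_name() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'
}

# One KEY=VALUE line from a .env file. The key must be a POSIX identifier and
# the value a single line, so a crafted file cannot smuggle a second
# assignment. The value is never expanded: 'TOKEN=$(id)' stays a literal.
valid_env_line() {
  local line key value nl
  line=$1
  case "$line" in *=*) ;; *) return 1 ;; esac
  key=${line%%=*}
  value=${line#*=}
  printf '%s' "$key" | grep -Eq '^[A-Za-z_][A-Za-z0-9_]*$' || return 1
  nl=$(printf '\nx'); nl=${nl%x}          # a literal newline
  case "$value" in *"$nl"*) return 1 ;; esac
  return 0
}

# Volume mount path: must be absolute, must stay under $root after lexical
# normalisation (so "../" cannot climb out), and no component below $root may
# be a symlink (which could re-point outside the root after this check).
# Prints the normalised path on success.
mount_path_safe() {
  local root path out comp cur rel oldifs
  root=${1%/}
  path=$2
  case "$path" in /*) ;; *) return 1 ;; esac
  out=""
  oldifs=$IFS
  set -f                                  # no globbing while splitting on '/'
  IFS=/; set -- $path; IFS=$oldifs
  set +f
  for comp in "$@"; do
    case "$comp" in
      ''|.) ;;                            # empty or "." components are no-ops
      ..)   out=${out%/*} ;;              # pop one component ("" stays "")
      *)    out="$out/$comp" ;;
    esac
  done
  case "$out" in
    "$root"|"$root"/*) ;;
    *) return 1 ;;                        # escaped the root
  esac
  # Walk each component below the root; a symlink anywhere on the way is refused.
  cur=$root
  rel=${out#"$root"}
  set -f
  IFS=/; set -- $rel; IFS=$oldifs
  set +f
  for comp in "$@"; do
    [ -n "$comp" ] || continue
    cur="$cur/$comp"
    if [ -L "$cur" ]; then return 1; fi
  done
  printf '%s\n' "$out"
}
```

Note that the symlink walk only covers components below the root: the root itself is expected to be a canonical path the launcher already trusts, and a parent directory of the root that is a symlink (common for temp directories on some systems) should not cause false rejections.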
Issues in scope for vulnerability reports:
- Container isolation bypasses
- Host credential exposure
- Path traversal vulnerabilities
- Docker socket access escalation
- Authentication/authorization issues
Issues out of scope:
- Vulnerabilities in upstream dependencies (report to the respective maintainers)
- Issues requiring physical access
- Social engineering attacks
- Denial of service against your own containers
| File | Security Role |
|---|---|
| src/lib/doctor.sh | Isolation detection and verification |
| src/lib/container.sh | Container start with isolation checks |
| src/container/entrypoint.sh | Volume mount security, .env parsing |
| src/lib/config.sh | TOML parsing (no shell eval) |
Do not report security vulnerabilities through public GitHub issues.
Use GitHub Security Advisories:
- Go to the Security tab in the repository
- Click Report a vulnerability
- Include: description, reproduction steps, impact assessment, suggested mitigations
Response timeline:
- Initial acknowledgment: Within 48 hours
- Detailed response: Within 7 days
See SECURITY.md for safe harbor policy.
- Sysbox Documentation - Runtime isolation details
- User Namespaces - Linux kernel feature
- CVE-2024-21626 - Example container escape (covered in security scenarios)
- For Users - Running AI agents safely
- For Contributors - Want to improve ContainAI? Start here