A hardened devcontainer configuration for safely reviewing potentially malicious code in Cursor/VS Code.
- Network isolated - No outbound connections from the container
- Read-only filesystem - The container cannot be modified
- Dropped capabilities - No privilege escalation
- Resource limits - Prevent fork bombs and memory exhaustion
- No credential leakage - Git/SSH credentials stay on the host
- AI-assisted review - Cursor/Copilot still work (they run on the host)
Create a `.devcontainer/` folder in your project with these two files.

`.devcontainer/devcontainer.json`:

```json
{
  "name": "Secure Code Review Sandbox",
  "build": {
    "dockerfile": "Dockerfile"
  },
  "remoteUser": "sandbox",
  "workspaceMount": "source=${localWorkspaceFolder},target=/workspace,type=bind,readonly",
  "workspaceFolder": "/workspace",
  "customizations": {
    "vscode": {
      "settings": {
        "security.workspace.trust.enabled": true,
        "security.workspace.trust.untrustedFiles": "open",
        "task.allowAutomaticTasks": "off",
        "git.enabled": false,
        "git.autofetch": false,
        "terminal.integrated.inheritEnv": false,
        "extensions.autoUpdate": false,
        "extensions.autoCheckUpdates": false,
        "npm.autoDetect": "off",
        "typescript.disableAutomaticTypeAcquisition": true
      },
      "extensions": [
        "oderwat.indent-rainbow",
        "aaron-bond.better-comments"
      ]
    }
  },
  "postCreateCommand": "echo 'SANDBOX MODE - Network disabled, filesystem read-only. Run LLM security scan with @workspace prompt.'",
  "runArgs": [
    "--cap-drop=ALL",
    "--security-opt=no-new-privileges",
    "--network=none",
    "--read-only",
    "--memory=2g",
    "--memory-swap=2g",
    "--pids-limit=256",
    "--tmpfs=/tmp:rw,noexec,nosuid,size=256m"
  ]
}
```

`.devcontainer/Dockerfile`:

```dockerfile
FROM node:20-slim
RUN useradd -m -s /bin/bash sandbox \
    && apt-get update \
    && apt-get install -y --no-install-recommends \
        less \
        file \
    && rm -rf /var/lib/apt/lists/* \
    && rm -rf /root/.npm /root/.node-gyp
USER sandbox
WORKDIR /workspace
```

Once the container is running, use this prompt in Cursor's AI chat (Cmd+L / Ctrl+L):
```text
@workspace Perform a security audit of this codebase. Look for:

1. **Malicious patterns**
   - Obfuscated code (eval, Function constructor, atob/btoa chains)
   - Data exfiltration (fetch/axios to external URLs, process.env access)
   - Credential harvesting (keyloggers, form hijacking)
   - Crypto miners or botnet code

2. **Supply chain risks**
   - Suspicious postinstall/preinstall scripts in package.json
   - Typosquatted dependencies
   - Pinned versions pointing to compromised releases
   - Git hooks that execute code

3. **Backdoors**
   - Hidden API endpoints
   - Hardcoded credentials or tokens
   - Base64 encoded payloads
   - Unusual network connections

4. **File system risks**
   - Code that reads ~/.ssh, ~/.aws, ~/.gitconfig
   - Writes outside project directory
   - Accesses browser profiles or cookies

Report findings with file paths and line numbers. Rate overall risk: LOW / MEDIUM / HIGH / CRITICAL
```

Or the shorter form of the same prompt:

```text
@workspace Security scan: Look for eval(), obfuscated code, postinstall scripts,
external network calls, credential access (~/.ssh, ~/.aws, env vars), and
base64 encoded strings. List suspicious files with line numbers.
```
| Flag | Purpose |
|---|---|
| `--cap-drop=ALL` | Remove all Linux capabilities |
| `--security-opt=no-new-privileges` | Prevent privilege escalation via setuid/setgid |
| `--network=none` | Complete network isolation |
| `--read-only` | Immutable container filesystem |
| `--memory=2g` | Cap memory to prevent exhaustion |
| `--pids-limit=256` | Prevent fork bombs |
| `--tmpfs=/tmp:noexec` | Temp dir exists but can't execute binaries |
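To confirm that these flags actually took effect before you start reviewing, here is an added verification script (not part of the original devcontainer files; the script and function names are my own) to run inside the container. Each check parses the relevant `/proc` file passed in as text, so the same functions can also be exercised against constructed samples outside the sandbox.

```shell
#!/bin/sh
# Added example, not part of the original configuration.
# Inside the sandbox container run:  sh verify_sandbox.sh --live
# Each check takes its input as text so it can be tested on constructed samples.

# "/" mounted read-only (--read-only)?  Input: contents of /proc/mounts.
root_is_readonly() {
    printf '%s\n' "$1" | awk '$2 == "/" {
        n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "ro") ok = 1
    } END { if (ok) exit 0; exit 1 }'
}

# /tmp is a noexec tmpfs (--tmpfs=/tmp:...,noexec)?  Input: contents of /proc/mounts.
tmp_is_noexec() {
    printf '%s\n' "$1" | awk '$2 == "/tmp" && $3 == "tmpfs" {
        n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "noexec") ok = 1
    } END { if (ok) exit 0; exit 1 }'
}

# Effective capability set empty (--cap-drop=ALL)?  Input: contents of /proc/self/status.
caps_are_dropped() {
    printf '%s\n' "$1" | awk '$1 == "CapEff:" && $2 ~ /^0+$/ { ok = 1 }
                               END { if (ok) exit 0; exit 1 }'
}

# no_new_privs bit set (--security-opt=no-new-privileges)?  Input: /proc/self/status.
no_new_privs_set() {
    printf '%s\n' "$1" | awk '$1 == "NoNewPrivs:" && $2 == "1" { ok = 1 }
                               END { if (ok) exit 0; exit 1 }'
}

# Only the loopback interface exists (--network=none)?  Input: contents of /proc/net/dev.
network_is_isolated() {
    printf '%s\n' "$1" | awk 'NR > 2 { sub(/:.*/, "", $1); if ($1 != "lo") bad = 1 }
                               END { if (bad) exit 1; exit 0 }'
}

# Run every check against the live container; exit 1 if any hardening flag is missing.
verify_sandbox() {
    rc=0; mounts=$(cat /proc/mounts); status=$(cat /proc/self/status); netdev=$(cat /proc/net/dev)
    root_is_readonly "$mounts"    && echo "ok   root filesystem read-only" || { echo "FAIL root filesystem writable";   rc=1; }
    tmp_is_noexec "$mounts"       && echo "ok   /tmp is noexec"            || { echo "FAIL /tmp allows execution";     rc=1; }
    caps_are_dropped "$status"    && echo "ok   no capabilities"           || { echo "FAIL capabilities present";      rc=1; }
    no_new_privs_set "$status"    && echo "ok   no_new_privs set"          || { echo "FAIL no_new_privs not set";      rc=1; }
    network_is_isolated "$netdev" && echo "ok   only loopback interface"   || { echo "FAIL network interface present"; rc=1; }
    return $rc
}

if [ "${1:-}" = "--live" ]; then verify_sandbox; fi
```

A non-zero exit means at least one of the `runArgs` was dropped or overridden, so stop and fix the configuration before opening untrusted code.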
The network isolation (--network=none) only affects processes inside the container. Cursor/VS Code AI features run on your host machine and connect to AI APIs from there. The container just provides the sandboxed filesystem view.
```text
┌──────────────────────────────────────────┐
│ Your Machine (Host)                      │
│   ┌───────────────────┐                  │
│   │ Cursor/VS Code    │────► AI APIs     │
│   │ (has network)     │     (Claude,     │
│   └─────────┬─────────┘      OpenAI)     │
│             │                            │
│   ┌─────────▼─────────┐                  │
│   │ Dev Container     │                  │
│   │ --network=none    │──X──► Internet   │
│   │ (isolated)        │                  │
│   └───────────────────┘                  │
└──────────────────────────────────────────┘
```
To allow writes to the workspace, remove `readonly` from the workspace mount:

```json
"workspaceMount": "source=${localWorkspaceFolder},target=/workspace,type=bind",
```

For a minimal image without Node.js, replace the Dockerfile with:

```dockerfile
FROM debian:bookworm-slim
RUN useradd -m -s /bin/bash sandbox \
    && apt-get update \
    && apt-get install -y --no-install-recommends \
        less \
        file \
        tree \
    && rm -rf /var/lib/apt/lists/*
USER sandbox
WORKDIR /workspace
```

Workflow:

- Clone/download the untrusted repo to a folder
- Add the `.devcontainer/` folder with these files
- Open the folder in Cursor/VS Code
- "Reopen in Container" when prompted
- Run the LLM security scan with the prompt above
- Manually review flagged files

Limitations:

- Cannot install dependencies (`npm install`, `pip install`, etc.)
- Cannot run the code (by design - static analysis only)
- LLM may miss sophisticated obfuscation
- For dynamic analysis, use a VM instead

Review checklist:

- LLM scan completed
- Reviewed all `postinstall`/`preinstall` scripts
- Checked for obfuscated/minified source files
- Verified dependencies against known packages
- No suspicious file system access patterns
- No hardcoded external URLs or IPs
Created for safe code review workflows. Contributions welcome.