I built a small Docker sandbox shim for `pi-coding-agent` that makes using `pi` "less YOLO".
The problem: `pi` runs with full access to your filesystem by default. A misunderstood instruction or a loop going sideways can touch files outside the project you're working in.
`pi-less-yolo` wraps `pi` in a Chainguard-based container that only mounts your current working directory and the necessary `pi` configuration files -- nothing else on the host is reachable. It scopes the permissions to avoid privilege escalation. A `mise` task makes it `mise run pi` from any project directory.
I made sure to keep the real path the same, so per-project session tracking in `pi` is correctly maintained. Another useful feature is that you can customize the `Dockerfile` easily to include the tools you need. The Chainguard base image has low CVEs, so vulnerabilities are kept to a minimum.
While this is "less YOLO", there are still serious security gaps. Network access is unrestricted, which can allow exfiltration of files. Container escapes exist, and the mounted directory is fully writable.
https://github.com/cjermain/pi-less-yolo
Happy to take feedback in the pi-less-yolo GitHub Issues.
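
A sketch of the kind of `docker run` invocation the post describes (only the project directory and the `pi` configuration mounted, the real path preserved, privileges dropped), added here as an example and not taken from pi-less-yolo. The image name and the `~/.pi` config location are assumptions, as is the refusal to mount `/` or the home directory itself.

```shell
#!/bin/sh
# Added example; not pi-less-yolo's code.
# Assumptions: image name (placeholder) and pi config under ~/.pi.
IMAGE="${IMAGE:-example/pi-sandbox:latest}"

# Print the `docker` arguments, one per line, for project directory $1.
# The body runs in a subshell so `cd` and variables do not leak to the caller.
build_sandbox_args() (
  # Resolve symlinks so the container sees the same real path as the host.
  project="$(cd "$1" 2>/dev/null && pwd -P)" || {
    echo "no such directory: $1" >&2; exit 1; }
  home_real="$(cd "${HOME:-/}" 2>/dev/null && pwd -P)" || home_real=/
  config="${PI_CONFIG_DIR:-$home_real/.pi}"

  # Mounting / or the whole home directory would defeat the sandbox.
  case "$project" in
    /|"$home_real") echo "refusing to mount $project" >&2; exit 1 ;;
  esac

  printf '%s\n' \
    run --rm -it \
    --user "$(id -u):$(id -g)" \
    --cap-drop ALL \
    --security-opt no-new-privileges \
    --volume "$project:$project" \
    --volume "$config:$config" \
    --workdir "$project" \
    "$IMAGE"
  # Network is left at the default and the project mount is read-write,
  # so the gaps named in the post still apply.
)

# Run the sandbox for directory $1 (default: current directory).
run_sandbox() {
  args="$(build_sandbox_args "${1:-$PWD}")" || return 1
  old_ifs=$IFS
  IFS='
'
  set -f; set -- $args; set +f   # split on newlines only, no globbing
  IFS=$old_ifs
  docker "$@"
}
```
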