Comment by PunchyHamster
3 days ago
The sandbox will need internet access (to update data) and you will need to send code to test into it; so compromise already equals leaking all your code, without even breaking the sandboxing
> The sandbox will need internet access (to update data) and you will need to send code to test into it; so compromise already equals leaking all your code, without even breaking the sandboxing
Compromising all code in one directory is bad. Compromising all my data in all other directories, including mounted cloud drives, is worse.
I restrict most dev tools to access only the current directory.
You only need internet access to grab the image; I don't think trivy requires internet access itself. All of my image scanning tools run in isolation.
It needs internet access for upgrading the check bundle and for full Java library resolution (pom.xml). See e.g. https://github.com/aquasecurity/trivy/discussions/9698
Nice, thanks! Yeah, so exfil is definitely still a thing to watch out for, even if you run in an unprivileged env.