loading…
[OK] dns resolved
[OK] tcp handshake
[..] waiting on payload
GitHub put cloud and local sandboxes for Copilot into public preview. That sounds like a feature toggle. It is more interesting than that.
Copilot can now run shell commands inside restricted local environments, or inside GitHub-hosted ephemeral Linux environments started with copilot --cloud. The practical shift is simple: agent execution is no longer just “the model asked nicely.” It has an execution layer.
That matters because coding agents are becoming less like autocomplete and more like extremely confident interns with terminal access. Helpful, fast, and occasionally one typo away from becoming a filesystem-themed escape room.
The announcement covers two related sandbox modes:
/sandbox enable restricts the shell commands Copilot runs on the developer’s machine. GitHub says this limits filesystem, network, and system capability access. The changelog also says local sandboxing uses Microsoft MXC technology for a cross-platform isolation experience across macOS, Linux, and Windows.copilot --cloud starts a GitHub-hosted ephemeral Linux environment. The GitHub Docs page says cloud sandboxing is built on Azure Container Apps Sandboxes, with GitHub handling identity, policy, and billing.The docs are also explicit about scope: this is public preview and currently applies to Copilot CLI sessions, with cloud sandboxes also usable for sessions in the GitHub Copilot app.
There are a few operationally useful details buried in the docs:
$0.000024 per compute-second, memory at $0.000003 per GiB-second, and stopped-session storage at $0.005 per GiB-month. That works out to about $0.0864 per compute-hour before memory, and about $0.0108 per GiB-hour for memory.None of this makes agents magically safe. It does make their blast radius more legible, which is the part security teams can work with.
Most teams have treated coding-agent safety as a pile of conventions:
Those are good instincts, but they are not isolation. They are vibes with a README.
A sandbox turns some of that into an enforceable boundary. That changes the adoption conversation from “do we trust this agent?” to “what can this agent touch, from where, under which policy, and how much will it cost if someone schedules twenty of them?” That is a much better question.
The interesting part is not just local protection. It is the combination of:
That last one is easy to miss. Once agent sessions have compute, memory, snapshot storage, policy, identity, and lifecycle states, they belong in the same mental bucket as CI runners, dev containers, preview environments, and ephemeral test infrastructure.
If your team is experimenting with Copilot CLI or the Copilot app, the useful response is not “turn it on everywhere and call it innovation.” That phrase should be illegal in at least four jurisdictions.
Start with a small policy and measurement pass:
drop database to a background chore.The teams that get value here will be the ones that pair agent speed with boring controls: budgets, policies, logs, and review gates. The boring parts are where production usually hides.
This is still a preview, so the API surface, policy behavior, and operational details may change. The public docs describe the high-level isolation model, but they are not a substitute for testing the exact boundary in your environment.
Also, sandboxing is not the same thing as trust. A sandbox can limit filesystem and network access; it cannot decide whether the generated migration is semantically correct, whether the test suite is meaningful, or whether the agent misunderstood the ticket in a very expensive way.
The right mental model is: sandboxes make agents safer to run, not automatically safe to obey.
GitHub’s Copilot sandboxes are a useful sign that agentic development is maturing from chat UX into execution infrastructure. That is the right direction. Once an AI tool can run commands, edit files, and coordinate long-running work, it needs the same things every other workload needs: isolation, identity, policy, lifecycle, billing, and logs.
Autocomplete was a feature. Agent execution is infrastructure. Treat it accordingly.