Skip to main content
The Tembo Sandbox provides a secure, isolated environment where Tembo operates to analyze and modify your code. This environment comes pre-installed with a comprehensive set of development tools and runtime environments to support a wide variety of programming languages and frameworks.

Sandbox Types

Tembo supports two sandbox environment types, each designed for different use cases:

Standard (Default)

The Standard sandbox provides a lightweight container-based environment:
  • Fast startup: Starts quickly for rapid task execution
  • Wide compatibility: Works with most common development workflows
  • Resource efficient: Minimal overhead for general development tasks
  • Best for: Most general-purpose tasks, web applications, and standard development workflows

Large VM

The Large VM sandbox provides a full virtual machine with enhanced capabilities:
  • Complete isolation: Full VM-level isolation for enhanced security
  • Nested virtualization: Enables agents to run Docker containers inside the sandbox (an alternative to traditional Docker-in-Docker approaches)
  • System-level access: Support for tasks requiring deeper system integration
  • Custom kernels: Ability to run specialized kernel configurations
  • Best for: Testing and building containerized applications, running databases in Docker, and complex multi-container setups
Note: For agents to run Docker containers inside the sandbox (e.g., for testing with Postgres, Redis, or other services), you must use the Large VM sandbox type.

Pre-installed Tools and Runtimes

The Tembo Sandbox includes the following base dependencies and their versions:

System Tools

ToolVersionDescription
curl8.14.1Command-line tool for transferring data with URLs
lsof4.99.4Lists open files and network connections
strace6.15System call tracer for debugging and monitoring

Docker and Container Tools

ToolVersionDescription
docker28.0.0Container runtime for building and running containers
docker-compose2.31.0Multi-container orchestration tool

Version Control and Authentication

ToolVersionDescription
git-credential-tembounknownTembo-specific Git credential helper

Code Quality and Analysis

ToolVersionDescription
ShellCheck0.10.0Static analysis tool for shell scripts

HTTP and API Tools

ToolVersionDescription
httpie3.2.4Modern, user-friendly HTTP client for API testing

JavaScript/Node.js Ecosystem

ToolVersionDescription
nodejs22.17.0JavaScript runtime built on Chrome’s V8 engine
bun1.2.18Fast all-in-one JavaScript runtime and toolkit
pnpm10.12.4Fast, disk space efficient package manager

Python Ecosystem

ToolVersionDescription
python33.12.11Modern Python programming language
pipx1.7.1Install and run Python applications in isolated environments

Ruby Ecosystem

ToolVersionDescription
ruby3.3.6Dynamic, object-oriented programming language
bundler-2.6.92.6.9Manages Ruby gem dependencies
ruby3.3-rubocop-1.75.21.75.2Ruby static code analyzer and formatter

Elixir/Erlang Ecosystem

ToolVersionDescription
erlang-28.0.128.0.1Concurrent, fault-tolerant programming platform
elixir1.18.4Dynamic, functional programming language
hex2.2.2Package manager for the Erlang ecosystem
rebar33.25.0Erlang build tool and package manager
erlfmt1.7.0Erlang code formatter

Java Ecosystem

ToolVersionDescription
jdk21Java Development Kit for building and running Java applications
gradlelatestBuild tool for Java projects
mavenlatestProject management and build tool for Java

Go Ecosystem

ToolVersionDescription
go1.24.4Open source programming language from Google

Rust Ecosystem

ToolVersionDescription
rustup1.28.2Rust toolchain installer and version management tool

Docker-in-Docker Support

The Large VM sandbox supports running Docker containers inside the environment. When Tembo agents operate in this sandbox, they can use Docker to:
  • Run integration tests with databases (Postgres, MySQL, Redis, etc.)
  • Build Docker images as part of CI/CD workflows
  • Test multi-container applications with Docker Compose

Example: Running Postgres in Docker

Here’s how an agent might run a Postgres database inside the sandbox for testing: 
# Start a Postgres container
docker run -d \
  --name postgres-test \
  -e POSTGRES_USER=testuser \
  -e POSTGRES_PASSWORD=testpass \
  -e POSTGRES_DB=testdb \
  -p 5432:5432 \
  postgres:16

# Wait for the database to be ready
until docker exec postgres-test pg_isready -U testuser; do
  echo "Waiting for Postgres..."
  sleep 1
done

echo "Postgres is ready!"

Prerequisites for Docker-in-Docker

  • Use the Large VM sandbox type
  • Docker daemon is pre-installed and ready to use
  • No additional configuration required
You can configure the sandbox type in your organization settings, per issue, or per job.

Environment Characteristics

Isolation and Security

The Tembo Sandbox provides strong isolation and security guarantees:
  • Process isolation: Each task runs in its own isolated environment
  • File system isolation: Changes are contained within the sandbox
  • Network security: Controlled network access for security
  • Resource limits: CPU and memory constraints to ensure stability

Resource Limits

Sandbox TypeCPUMemoryDiskNested Virtualization
Standard4 cores8 GB20 GBNo
Large VM8 cores32 GB100 GBYes

Development Workflow Integration

The sandbox environment is designed to integrate seamlessly with your development workflow:
  • Hook support: Execute custom commands at different stages via Tembo Hooks
  • Repository access: Full access to your repository contents and history
  • Build tool compatibility: Support for common build systems and package managers
  • Testing frameworks: Compatible with popular testing tools and frameworks
  • Nix dev shell support: Automatically detects and uses Nix flakes for reproducible development environments

Nix Development Shells

Tembo’s sandbox environment supports Nix flakes for reproducible development environments. To use this feature, your repository must have a flake.nix file in the root directory that defines a development shell named default for the x86_64-linux platform. Requirements:
  • Your flake.nix must specify devShells.x86_64-linux.default
  • The development shell must target the x86_64-linux platform (Tembo’s sandbox runs on x86_64 Linux)
  • The flake must be in your repository’s root directory
Example flake.nix: 
{
  description = "My project development environment";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
  };

  outputs = { self, nixpkgs }: {
    devShells.x86_64-linux.default = nixpkgs.legacyPackages.x86_64-linux.mkShell {
      packages = with nixpkgs.legacyPackages.x86_64-linux; [
        nodejs
        python3
        # Add any other tools your project needs
      ];
    };
  };
}
When configured correctly, Tembo will:
  • Automatically detect your flake.nix file at the repository root
  • Load the default devshell for the x86_64-linux platform
  • Make available all packages and environment variables defined in your Nix development shell
  • Ensure reproducibility across different tasks and environments
How it works: When a coding agent executes commands in the sandbox, it automatically runs them within your Nix development shell if a flake.nix is detected. This means all build commands, tests, and scripts will have access to the exact dependencies specified in your flake, ensuring consistent behavior across all task executions.

Best Practices

Choosing the Right Sandbox

Use CaseRecommended Sandbox
Code analysis, simple fixesStandard (default)
Agent needs to run tests with Docker databasesLarge VM
Agent needs to build Docker imagesLarge VM
Complex multi-container setupsLarge VM
System-level operationsLarge VM
General developmentStandard

General Tips

  • Leverage pre-installed tools and pin versions when adding dependencies
  • Minimize installations and clean up temporary files to optimize resources
  • Be version-aware when writing build scripts for the multi-language environment
  • Use Nix for complex dependencies—test locally with nix develop and keep flakes minimal
  • Use Large VM when agents need Docker—Standard sandbox cannot run nested containers

Support and Updates

The Tembo Sandbox environment is regularly updated to include:
  • Security patches for all installed tools
  • Updates to major language runtimes and package managers
  • New tools based on community feedback and usage patterns
If you need a specific tool or version that isn’t currently available, please reach out to the Tembo team through your dashboard or contact support.