GitHub, Security, DevSecOps
A coding agent is the most useful when it can run without stopping to ask permission at every step. The catch is that it borrows your permissions – your SSH keys, your cloud credentials, your whole home directory – and it spends all day reading instructions it can't vet: a fetched web page, a cloned repo's AGENTS.md, a tool response. One hostile instruction in the wrong place and a helpful agent becomes a way to leak credentials, delete the wrong directory, or pull in a poisoned dependency. Approval prompts don't help much here, because the thing writing the prompt is the same thing being manipulated.
This workshop takes the other route. Instead of trusting the agent to police itself, we build a boundary around it so mistakes and attacks stay contained. We start by mapping how things actually go wrong (untrusted input → dangerous capability → real damage), then work through the protections that cut each link: filesystem and network isolation, kernel-enforced boundaries that hold even after the model is confused, and keeping credentials out of the sandbox as much as possible. Then we build a working sandbox from scratch with a lightweight, cross-platform, open-source approach you can wrap around any agent, and we verify it with scripts that prove each control holds rather than taking it on trust. You'll leave with a setup you can drop into your own projects, and a way of understanding agent safety that isn't tied to any one tool.
2 hours