{"slug": "introducing-deno-sandbox", "title": "Introducing Deno Sandbox", "summary": "Deno Sandbox is a new security feature from Deno Deploy that provides lightweight Linux microVMs for running untrusted code, such as LLM-generated scripts, with defense-in-depth isolation. It protects secrets by never exposing real API keys to the code environment, only materializing them during approved outbound requests, and enforces strict network egress control by blocking unauthorized host connections. The sandbox also allows direct deployment to Deno Deploy without rebuilding and offers features like persistent volumes and snapshots for development environments.", "body_md": "Introducing Deno Sandbox\nOver the past year, we’ve seen a shift in what Deno Deploy customers are building: platforms where users generate code with LLMs, and that code runs immediately without review. That code frequently calls LLMs itself, which means it needs API keys and network access.\nThis isn’t the traditional “run untrusted plugins” problem. It’s deeper: LLM-generated code, calling external APIs with real credentials, without human review. Sandboxing the compute isn’t enough. You need to control network egress and protect secrets from exfiltration.\nDeno Sandbox provides both. And when the code is ready, you can deploy it directly to Deno Deploy without rebuilding.\nSandboxes?\nYou don’t want to run untrusted code (generated by your LLMs, your users LLMs, or even hand written by users) directly on your server. It will compromise your system, steal your API keys, and call out to evil.com. You need isolation.\nDeno Sandbox gives you lightweight Linux microVMs (running in the Deno Deploy cloud) to run untrusted code with defense-in-depth security. You can create them programmatically via our JavaScript or Python SDKs, and they boot in under a second. You can also interact with them via SSH, HTTP, or even open a VS Code window directly into the sandbox.\nimport { Sandbox } from \"@deno/sandbox\";\nawait using sandbox = await Sandbox.create();\nawait sandbox.sh`ls -lh /`;\nSecrets That Can’t Be Stolen\nBut there is more. In Deno Sandbox, secrets never enter the environment. Code sees only a placeholder:\nimport { Sandbox } from \"@deno/sandbox\";\nawait using sandbox = await Sandbox.create({\nsecrets: {\nOPENAI_API_KEY: {\nhosts: [\"api.openai.com\"],\nvalue: process.env.OPENAI_API_KEY,\n},\n},\n});\nawait sandbox.sh`echo $OPENAI_API_KEY`;\n// DENO_SECRET_PLACEHOLDER_b14043a2f578cba75ebe04791e8e2c7d4002fd0c1f825e19...\nThe real key materializes only when the sandbox makes an outbound request to an\napproved host. If prompt-injected code tries to exfiltrate that placeholder to\nevil.com\n? Useless.\nNetwork Egress Control\nYou can also restrict which hosts the sandbox can talk to:\nawait using sandbox = await Sandbox.create({\nallowNet: [\"api.openai.com\", \"*.anthropic.com\"],\n});\nAny request to an unlisted host gets blocked at the VM boundary.\nBoth features are implemented via an outbound proxy similar to coder/httpjail. This gives us a chokepoint for policy enforcement. We plan to add more capabilities here: analytics for outbound connections and programmatic hooks for trusted code to inspect or modify requests.\nIf you’re running untrusted JavaScript or TypeScript, combine this with Deno’s\n--allow-net\nflag for defense in depth: VM-level network restrictions plus\nruntime-level permissions.\nSandbox to Production\nsandbox.deploy()\ndeploys code from your sandbox directly to Deno Deploy.\nconst build = await sandbox.deploy(\"my-app\", {\nproduction: true,\nbuild: { mode: \"none\", entrypoint: \"server.ts\" },\n});\nconst revision = await build.done;\nconsole.log(revision.url);\nOne call to go from sandbox to production deployment. No rebuilding in a different CI system, no re-authenticating with a different tool. Just turn your dev environment directly into a production ready, auto-scaling serverless deployment.\nPersistence\nSandboxes are ephemeral by default, but when you need state we have you covered:\n- Volumes: read-write storage for caches, databases, user data\n- Snapshots: read-only images for pre-installed toolchains and volume base\nRun apt-get install\nonce, snapshot it, and every future sandbox boots with\neverything already installed. Create read-write volumes from the snapshots to\ncreate a fresh development environment in seconds.\nTechnical Details\nPerfect for AI agents executing code, vibe-coding environments, secure plugin systems, ephemeral CI runners, and customer-supplied code.\nPricing\nDeno Sandbox is included in your Deno Deploy plan with competitive, usage-based pricing. You pay for compute time, not wall-clock time.\n- $0.05/h CPU time (40h included with Pro)\n- $0.016/GB-h memory (1000 GB-h included with Pro)\n- $0.20/GiB-month volume storage (5 GiB included with Pro)\nEnterprise pricing available—contact deploy@deno.com.\nGet Started\nDeno Sandbox launches in beta today, alongside the general availability of Deno Deploy.\n- Landing page: deno.com/sandbox\n- Docs: docs.deno.com/sandbox\n- JavaScript SDK: jsr.io/@deno/sandbox or npm\n- Python SDK: pypi.org/project/deno-sandbox\nWe’re excited to see what you (or your AI agents) build with Deno Sandbox.", "url": "https://wpnews.pro/news/introducing-deno-sandbox", "canonical_source": "https://deno.com/blog/introducing-deno-sandbox", "published_at": "2026-02-03 12:00:00+00:00", "updated_at": "2026-05-22 12:20:15.784986+00:00", "lang": "en", "topics": ["developer-tools", "cloud-computing", "cybersecurity", "large-language-models", "artificial-intelligence"], "entities": ["Deno Sandbox", "Deno Deploy", "LLM", "JavaScript", "Python", "SSH", "VS Code", "Linux"], "alternates": {"html": "https://wpnews.pro/news/introducing-deno-sandbox", "markdown": "https://wpnews.pro/news/introducing-deno-sandbox.md", "text": "https://wpnews.pro/news/introducing-deno-sandbox.txt", "jsonld": "https://wpnews.pro/news/introducing-deno-sandbox.jsonld"}}