Every task runs in its own isolated sandbox. Sandboxes are ephemeral: spun up for the task, destroyed when it’s done. No code or state persists after execution.

Sandbox types

Small (default)

Container-based. Fast startup, scalable, no infrastructure to manage.
  • Workloads run as non-root
  • Docker daemon is not exposed inside the sandbox
  • Each task gets its own isolated network namespace
  • Standard container hardening best practices
Best for most tasks: code analysis, fixes, features, reviews.
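As an added example (not Tembo's own code), a small POSIX shell smoke test that a task can run first to confirm the sandbox it landed in actually honours the properties listed above: non-root execution, no reachable Docker daemon, and no dangerous capabilities in the effective set. The capability bit numbers and the default socket path are assumptions taken from the Linux kernel headers and Docker's conventions, not from this page.

```shell
#!/bin/sh
# Added example, not Tembo's code: probe the current sandbox for the
# documented hardening. Each check takes its input as an argument
# (defaulting to the live value) so it can also be run on constructed data.

# Capability bit numbers as defined in linux/capability.h (assumed).
CAP_NET_ADMIN=12
CAP_SYS_PTRACE=19
CAP_SYS_ADMIN=21

# Succeeds when the uid ($1, default: real uid) is not 0.
is_nonroot() { [ "${1:-$(id -u)}" -ne 0 ]; }

# Succeeds when no Docker socket exists at $1 and $2 (default: DOCKER_HOST)
# is empty, i.e. no daemon is reachable from inside the sandbox.
docker_daemon_hidden() {
  sock="${1:-/var/run/docker.sock}"
  host="${2-${DOCKER_HOST:-}}"
  [ ! -S "$sock" ] && [ -z "$host" ]
}

# Succeeds when capability bit $1 is clear in the hex mask $2
# (default: CapEff from /proc/self/status).
cap_absent() {
  mask="${2:-$(awk '/^CapEff:/ {print $2}' /proc/self/status)}"
  [ $(( (0x$mask >> $1) & 1 )) -eq 0 ]
}

# Runs every live check and returns the number of failed checks.
sandbox_posture() {
  failed=0
  is_nonroot || { echo "FAIL: running as root"; failed=$((failed + 1)); }
  docker_daemon_hidden || { echo "FAIL: Docker daemon reachable"; failed=$((failed + 1)); }
  for cap in $CAP_NET_ADMIN $CAP_SYS_PTRACE $CAP_SYS_ADMIN; do
    cap_absent "$cap" || { echo "FAIL: capability bit $cap is effective"; failed=$((failed + 1)); }
  done
  [ "$failed" -eq 0 ] && echo "OK: sandbox matches the documented hardening"
  return "$failed"
}

# Run the live checks only when invoked as: sh probe.sh --run
if [ "${1:-}" = "--run" ]; then sandbox_posture; fi
```

The exit status of `sh probe.sh --run` is the number of failed checks, so it can gate the rest of a task script.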

Large (Full VM)

Dedicated Linux VM per task. No two tasks share the same VM.
  • 4 vCPU / 8 GB RAM (adjustable)
  • 100 GB disk
  • Full nested virtualization (Docker-in-Docker)
  • Stronger isolation boundary
Best for tasks that need Docker (integration tests, building images, multi-container setups) or when your security posture requires VM-level isolation. If your org requires that untrusted code only runs with a VM boundary, we can enforce a VM-only posture. Contact support@tembo.io.

Pre-installed tools

Both sandbox types come with:
Category     Tools
JavaScript   Node.js 22, Bun, pnpm, Yarn
Python       Python 3.12, pipx, uv, ruff
Ruby         Ruby 3.3, Bundler, RuboCop
.NET         .NET SDK 9
Cloud        Google Cloud SDK
Containers   Docker 28, Docker Compose 2.31 (Large VM only)
Other        Git, curl, ShellCheck, httpie
Go, Rust, Java, and Elixir are available through Nix dev shells. Add a flake.nix to install language-specific tooling for your project.

Add custom dependencies

To add custom dependencies in the sandbox, include a flake.nix with devShells.x86_64-linux.default. Tembo automatically detects it and runs commands inside your Nix dev shell. Here is a minimal flake.nix example you can copy and adapt:
{
  description = "Dev shell";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    flake-utils.url = "github:numtide/flake-utils";
  };

  outputs = { self, nixpkgs, flake-utils }:
    flake-utils.lib.eachDefaultSystem (system:
      let
        pkgs = nixpkgs.legacyPackages.${system};
      in {
        devShells.default = pkgs.mkShell {
          buildInputs = with pkgs; [
            go
            # Add other packages here, e.g. rustc cargo jdk
          ];
        };
      }
    );
}