Security validation for the CodeWire isol8 sandbox. Automated test scripts and an AI red team agent that probes container isolation boundaries.
- `scripts/` — automated security test scripts (run from inside isol8 workspaces)
- `redteam/` — AI-driven red team agent that autonomously probes for container escapes
| Script | What it validates |
|---|---|
| `test-1-sysbox.sh` | Runtime isolation — container escape, nsenter, /dev/mem, raw sockets |
| `test-2-network.sh` | Network segmentation and egress filtering |
| `test-3-admission.sh` | Admission control enforcement |
| `test-4-rbac.sh` | Kubernetes RBAC boundaries |
| `test-5-node.sh` | Node-level access restrictions |
| `test-6-template.sh` | Template integrity |
| `test-7-dind.sh` | Docker-in-Docker isolation |
| `test-8-inter-workspace.sh` | Cross-workspace isolation |
| `test-9-resources.sh` | Resource limit enforcement |
| `test-10-secrets.sh` | Secret access controls |
| `test-11-runtime-hardening.sh` | Runtime & kernel hardening |
| `test-12-defense-depth.sh` | Defense-in-depth layering |
| `test-13-nonsysbox-rejection.sh` | Non-sysbox runtime rejection |
| `test-14-env-exposure.sh` | Environment & credential exposure |
| `test-15-network-isolation.sh` | Cross-tenant network isolation |
| `test-16-template-scope.sh` | Template/provisioner scope |
See redteam/ for the AI agent that runs inside isol8 pods and autonomously attempts container escapes using strategies like syscall fuzzing, namespace escape, memory WXE, and more.
Deploy with:

```bash
cd redteam && ./redteam-deploy.sh
```