{"id":40733057,"url":"https://github.com/debfx/runjail","last_synced_at":"2026-01-21T14:37:29.132Z","repository":{"id":41964386,"uuid":"277157917","full_name":"debfx/runjail","owner":"debfx","description":"ad-hoc sandboxes on Linux","archived":false,"fork":false,"pushed_at":"2025-12-01T18:01:55.000Z","size":230,"stargazers_count":19,"open_issues_count":3,"forks_count":3,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-12-04T07:52:14.732Z","etag":null,"topics":["linux","sandbox","seccomp","security"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/debfx.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2020-07-04T17:41:20.000Z","updated_at":"2025-12-01T18:01:52.000Z","dependencies_parsed_at":"2023-01-20T02:18:35.668Z","dependency_job_id":"a6d26808-f7a1-436e-9d53-ceb9e4189481","html_url":"https://github.com/debfx/runjail","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/debfx/runjail","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/debfx%2Frunjail","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/debfx%2Frunjail/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/debfx%2Frunjail/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/debfx%2Frunjail/manifests","owner_url":"https://repo
s.ecosyste.ms/api/v1/hosts/GitHub/owners/debfx","download_url":"https://codeload.github.com/debfx/runjail/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/debfx%2Frunjail/sbom","scorecard":{"id":331099,"data":{"date":"2025-08-11","repo":{"name":"github.com/debfx/runjail","commit":"05b238314d053f1e0b0f15c103f60140ce850e01"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":4.4,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Code-Review","score":0,"reason":"Found 0/19 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":0,"reason":"detected 
GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis.yml:15","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:16","Warn: no topLevel permission defined: .github/workflows/codeql-analysis.yml:1","Warn: no topLevel permission defined: .github/workflows/golangci-lint.yml:1","Warn: no topLevel permission defined: .github/workflows/main.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Maintained","score":3,"reason":"4 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 3","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/debfx/runjail/codeql-analysis.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/debfx/runjail/codeql-analysis.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/debfx/runjail/codeql-analysis.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:57: update your workflow using 
https://app.stepsecurity.io/secureworkflow/debfx/runjail/codeql-analysis.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/golangci-lint.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/debfx/runjail/golangci-lint.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/golangci-lint.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/debfx/runjail/golangci-lint.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/debfx/runjail/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/debfx/runjail/main.yml/main?enable=pin","Info:   0 out of   7 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   1 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security 
policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: GNU General Public License v3.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":7,"reason":"SAST tool detected but not run on all commits","details":["Info: SAST configuration detected: CodeQL","Warn: 3 commits out of 11 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":8,"reason":"2 existing 
vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2025-3503 / GHSA-qxp5-gwg8-xv66","Warn: Project is vulnerable to: GO-2025-3595 / GHSA-vvgc-356p-c3xw"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-18T03:39:42.700Z","repository_id":41964386,"created_at":"2025-08-18T03:39:42.700Z","updated_at":"2025-08-18T03:39:42.700Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28634878,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-21T04:47:28.174Z","status":"ssl_error","status_checked_at":"2026-01-21T04:47:22.943Z","response_time":86,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["linux","sandbox","seccomp","security"],"created_at":"2026-01-21T14:37:28.244Z","updated_at":"2026-01-21T14:37:29.128Z","avatar_url":"https://github.com/debfx.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# runjail\n\nrunjail is a tool to create ad-hoc sandboxes on Linux.\n\nIt is intended to restrict access of the applications inside the sandbox\nto your system but not to provide a completely different runtime environment\nlike Docker or Flatpak does.\n\nA common use case 
might be quickly testing a new tool you just discovered\nwithout allowing it access to all your data.\n\n`runjail --rw . --net yes -- bash` opens a shell with access to just the\ncurrent directory.\n\n\n# Features\n\n* Mount paths read-write or read-only from the host inside the sandbox\n* Disable network access\n* Isolate from the host processes (separate PID and IPC namespace)\n* Reduce the kernel attack surface using seccomp filters\n\n\n# Security considerations\n\nWithout any parameters, runjail mounts /etc, /sys and /usr read-only\nin the sandbox. Additionally /proc is mounted.\nMake sure these directories don't contain any secret user-readable data\nor disable access to them by passing `--hide PATH`.\n\nIn the default configuration X11 opens an anonymous socket, which makes it\na bit more difficult to prevent sandboxed applications from connecting to it.\n\nYou can either disable network access from the sandbox or start X11 with\nthe parameter `-nolisten local`.\n\n\n# Usage\n\n```\nusage: runjail [--flag [--flag ...]] -- [command [command ...]]:\n--bind-ro strings       Bind mount source file/directory from parent namespace to target read-only (format: \"source:target\").\n--bind-ro-try strings   Bind mount source file/directory from parent namespace to target read-only (format: \"source:target\"). Ignores non-existent source.\n--bind-rw strings       Bind mount source file/directory from parent namespace to target read-write (format: \"source:target\").\n--bind-rw-try strings   Bind mount source file/directory from parent namespace to target read-write (format: \"source:target\"). Ignores non-existent source.\n--config string         Fetch options from config file.\n--cwd string            Set the current working directory. 
(default \".\")\n--debug                 Enable debug mode.\n--empty strings         Mount empty tmpfs on the specified directory.\n--env strings           Set the environment variable (format: \"name=value\").\n--hide strings          Make file/directory inaccessible.\n--hide-try strings      Make file/directory inaccessible. Ignore non-existent path.\n--ipc                   Allow IPC (don't start an own IPC namespace).\n--net string            Enable/disable network access \u003cyes|no\u003e. (default \"no\")\n--profile strings       Enable predefined profile: \u003cx11|wayland|flatpak\u003e.\n--ro strings            Mount file/directory from parent namespace read-only.\n--ro-try strings        Mount file/directory from parent namespace read-only. Ignores non-existent source.\n--rw strings            Mount file/directory from parent namespace read-write.\n--rw-try strings        Mount file/directory from parent namespace read-write. Ignores non-existent source.\n--seccomp string        Enable seccomp syscall filtering: \u003cyes|devel|minimal|no\u003e. (default \"yes\")\n```\n\n\n# Examples\n\n* Open a shell with network access that can access the current directory\n\n  `runjail --rw . 
--net yes -- bash`\n\n* Run firefox in a completely separate home directory with access only to the Downloads folder\n\n  `runjail --cwd ~ --bind-rw ~/firefox-test:~ --rw ~/Downloads --profile x11 --net=yes -- firefox -no-remote`\n\n\n# Config\n\nInstead of passing all settings on the command line you can use --config to read a config file.\n\nA commented example is provided in [config-sample.yml](config-sample.yml).\n\nWherever paths are accepted, `$UID`, `$USER`, `$HOME` and `$XDG_RUNTIME_DIR` are replaced with their respective values.\n\n\n# Requirements\n\nrunjail is tested on Linux \u003e= 5.9.\n\nIt uses unprivileged user namespaces, which are disabled by default on some\ndistributions.\n\nTo enable it on Debian (\u003c= 10) the sysctl `kernel.unprivileged_userns_clone` needs\nto be set to `1`.\n\n\n# Building\n\nGolang \u003e= 1.18 and the development files for libseccomp are required.\n\nrunjail can be built by running `go build` inside a Git checkout or with\n`go get -u github.com/debfx/runjail`\n\n\n# License\n\nUnless otherwise noted, all code of runjail is licensed under the GNU General\nPublic License version 3 or (at your option) version 2.\nThe full text of the GPLv3 can be found in the LICENSE file.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdebfx%2Frunjail","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdebfx%2Frunjail","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdebfx%2Frunjail/lists"}