{"id":13570637,"url":"https://github.com/google/sandboxed-api","last_synced_at":"2026-02-25T15:21:33.417Z","repository":{"id":37752475,"uuid":"174313852","full_name":"google/sandboxed-api","owner":"google","description":"Generate sandboxes for C/C++ libraries automatically","archived":false,"fork":false,"pushed_at":"2026-02-19T15:31:38.000Z","size":138656,"stargazers_count":1726,"open_issues_count":23,"forks_count":195,"subscribers_count":49,"default_branch":"main","last_synced_at":"2026-02-22T11:35:40.293Z","etag":null,"topics":["apache-license-2","cplusplus","cplusplus-17","sandbox","sandboxing","sapi","security","security-hardening"],"latest_commit_sha":null,"homepage":"https://developers.google.com/sandboxed-api/","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/google.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2019-03-07T09:30:45.000Z","updated_at":"2026-02-20T06:57:51.000Z","dependencies_parsed_at":"2023-09-26T15:36:08.413Z","dependency_job_id":"991acbb6-8c78-4c14-813d-bea8753b1527","html_url":"https://github.com/google/sandboxed-api","commit_stats":{"total_commits":1472,"total_committers":48,"mean_commits":"30.666666666666668","dds":0.7126358695652174,"last_synced_commit":"7c290267c77e9bb03c53375112d68d5c9b4cef33"},"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/google/sandboxed-api","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fsandboxed-api","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fsandboxed-api/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fsandboxed-api/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fsandboxed-api/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/google","download_url":"https://codeload.github.com/google/sandboxed-api/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fsandboxed-api/sbom","scorecard":{"id":102974,"data":{"date":"2025-08-11","repo":{"name":"github.com/google/sandboxed-api","commit":"745466c2ef5c502d78c8c86021b0c92d85e90ec8"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":5.4,"checks":[{"name":"Maintained","score":10,"reason":"30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: jobLevel 'contents' permission set to 'write': .github/workflows/generator-tool.yml:73","Warn: no topLevel permission defined: .github/workflows/fedora-cmake.yml:1","Warn: no topLevel permission defined: .github/workflows/generator-tool.yml:1","Warn: no topLevel permission defined: .github/workflows/ubuntu-cmake-contrib.yml:1","Warn: no topLevel permission defined: .github/workflows/ubuntu-cmake.yml:1"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"SAST","score":0,"reason":"no SAST tool detected","details":["Warn: no pull requests merged into dev branch"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact latest not signed: https://api.github.com/repos/google/sandboxed-api/releases/221472760","Warn: release artifact latest does not have provenance: https://api.github.com/repos/google/sandboxed-api/releases/221472760"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/fedora-cmake.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/google/sandboxed-api/fedora-cmake.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/fedora-cmake.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/google/sandboxed-api/fedora-cmake.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/generator-tool.yml:11: update your workflow using https://app.stepsecurity.io/secureworkflow/google/sandboxed-api/generator-tool.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/generator-tool.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/google/sandboxed-api/generator-tool.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/generator-tool.yml:65: update your workflow using https://app.stepsecurity.io/secureworkflow/google/sandboxed-api/generator-tool.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/generator-tool.yml:79: update your workflow using https://app.stepsecurity.io/secureworkflow/google/sandboxed-api/generator-tool.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/generator-tool.yml:85: update your workflow using https://app.stepsecurity.io/secureworkflow/google/sandboxed-api/generator-tool.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/generator-tool.yml:119: update your workflow using https://app.stepsecurity.io/secureworkflow/google/sandboxed-api/generator-tool.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ubuntu-cmake-contrib.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/google/sandboxed-api/ubuntu-cmake-contrib.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ubuntu-cmake-contrib.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/google/sandboxed-api/ubuntu-cmake-contrib.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ubuntu-cmake-contrib.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/google/sandboxed-api/ubuntu-cmake-contrib.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ubuntu-cmake-contrib.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/google/sandboxed-api/ubuntu-cmake-contrib.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ubuntu-cmake.yml:55: update your workflow using https://app.stepsecurity.io/secureworkflow/google/sandboxed-api/ubuntu-cmake.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ubuntu-cmake.yml:58: update your workflow using https://app.stepsecurity.io/secureworkflow/google/sandboxed-api/ubuntu-cmake.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ubuntu-cmake.yml:65: update your workflow using https://app.stepsecurity.io/secureworkflow/google/sandboxed-api/ubuntu-cmake.yml/main?enable=pin","Warn: pipCommand not pinned by hash: .github/workflows/fedora-cmake.yml:65","Warn: downloadThenRun not pinned by hash: .github/workflows/generator-tool.yml:39","Warn: pipCommand not pinned by hash: .github/workflows/ubuntu-cmake-contrib.yml:87","Warn: pipCommand not pinned by hash: .github/workflows/ubuntu-cmake.yml:89","Info:   0 out of  12 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   3 third-party GitHubAction dependencies pinned","Info:   0 out of   3 pipCommand dependencies pinned","Info:   0 out of   1 downloadThenRun dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: github.com/google/.github/SECURITY.md:1","Info: Found linked content: github.com/google/.github/SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/google/.github/SECURITY.md:1","Info: Found text in security policy: github.com/google/.github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}}]},"last_synced_at":"2025-08-15T10:33:32.042Z","repository_id":37752475,"created_at":"2025-08-15T10:33:32.043Z","updated_at":"2025-08-15T10:33:32.043Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29741144,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-23T07:44:07.782Z","status":"ssl_error","status_checked_at":"2026-02-23T07:44:07.432Z","response_time":90,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["apache-license-2","cplusplus","cplusplus-17","sandbox","sandboxing","sapi","security","security-hardening"],"created_at":"2024-08-01T14:00:53.898Z","updated_at":"2026-02-23T09:56:01.309Z","avatar_url":"https://github.com/google.png","language":"C++","readme":"\u003cp align=\"left\"\u003e\n  \u003cimg src=\"https://badge.buildkite.com/2f662d7bddfd1c07d25bf92d243538c8344bc6fbf38fe187f8.svg\" alt=\"Bazel build status\" href=\"https://buildkite.com/bazel/sandboxed-api\"\u003e\n  \u003cimg src=\"https://github.com/google/sandboxed-api/workflows/ubuntu-cmake/badge.svg\" alt=\"CMake build status\" href=\"https://github.com/google/sandboxed-api/actions/workflows/ubuntu-cmake.yml\"\u003e\n\u003c/p\u003e\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"docs/images/sapi-lockup-vertical.png\" alt=\"Sandboxed API\" width=\"400\"\u003e\n\u003c/p\u003e\n\nCopyright 2019-2025 Google LLC\n\n### Introduction\n\nThe open-source Sandboxed API (SAPI) project builds on top of Google's\n[Sandbox2](https://developers.google.com/code-sandboxing/sandbox2) and\naims to make sandboxing of C/C++ libraries less burdensome.\n\nSandboxed API provides three main benefits:\n\n*   Instead of sandboxing entire programs or having to change source code to be\n    able to sandbox a part of a program as with Sandbox2, individual C/C++\n    libraries can be sandboxed with SAPI. As a result, the main program is\n    isolated from code execution vulnerabilities in the C/C++ library.\n\n*   Our working motto is: Sandbox once, use anywhere. Libraries sandboxed with\n    Sandboxed API can be reused easily, which removes the burden for future\n    projects. Before Sandboxed API, sandboxes available for use at Google\n    required additional implementation work with each new instance of a project\n    which was intended to be sandboxed, even if it reused the same software\n    library. Sandbox2 policies and other restrictions applied to the sandboxed\n    process had to be reimplemented each time, and data exchange mechanisms\n    between trusted and untrusted parts of the code had to be designed from\n    scratch.\n\n*   Each SAPI library utilizes a tightly defined security policy, in contrast\n    to the typical sandboxed project, where security policies must cover the\n    total syscall/resource footprint of all utilized libraries.\n\nSandboxed API (SAPI) has been designed, developed, and is maintained by members\nof the Google Sandbox Team. It also uses our field-tested Sandbox2. Currently,\nmany internal projects are using SAPI to isolate their production workloads.\n\nSandbox2 is also open-sourced as part of the SAPI project and can be used\nindependently.\n\n### Documentation\n\nDeveloper documentation is available at [Sandboxed API](https://developers.google.com/code-sandboxing/sandboxed-api)\nand [Sandbox2](https://developers.google.com/code-sandboxing/sandbox2).\n\nWe recommend reading [SAPI Getting Started](https://developers.google.com/code-sandboxing/sandboxed-api/getting-started)\nguide, or [Sandbox2 Getting Started](https://developers.google.com/code-sandboxing/sandbox2/full-getting-started)\nrespectively.\n\nIf you are interested in a general overview of sandboxing technologies, see\nhttps://developers.google.com/code-sandboxing.\n\n### Dependencies\n\nSAPI and Sandbox2 both support Bazel and CMake build systems. The following\ndependencies are required on Debian 10 Buster:\n\n```\nsudo apt-get update\nsudo apt-get install -qy\n  bazel \\\n  build-essential \\\n  ccache \\\n  cmake \\\n  g++-12 \\\n  gcc-12 \\\n  git \\\n  gnupg \\\n  libcap-dev \\\n  libclang-18-dev \\\n  libffi-dev \\\n  libncurses-dev \\\n  linux-libc-dev \\\n  llvm-18-dev \\\n  libzstd-dev \\\n  ninja-build \\\n  pkg-config \\\n  python3 \\\n  python3-absl \\\n  python3-clang-16 \\\n  python3-pip \\\n  unzip \\\n  wget \\\n  zip \\\n  zlib1g-dev\n```\n\n#### LLVM\n\nSAPI offers two header generators, based on\n[Python](tools/python_generator/BUILD) and\n[LLVM Libtooling](tools/clang_generator/BUILD).\n\nWe aim to provide support for at least the latest three LLVM release and\ncross-check with Debian stable.\n\n### Getting Involved\n\nIf you want to contribute, please read [CONTRIBUTING.md](CONTRIBUTING.md) and\nsend us pull requests. You can also report bugs or file feature requests.\n\nIf you'd like to talk to the developers or get notified about major product\nupdates, you may want to subscribe to our\n[mailing list](mailto:sandboxed-api-users@googlegroups.com) or sign up with this\n[link](https://groups.google.com/forum/#!forum/sandboxed-api-users).\n","funding_links":[],"categories":["C++","Secure Programming"],"sub_categories":["Tokens"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogle%2Fsandboxed-api","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgoogle%2Fsandboxed-api","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogle%2Fsandboxed-api/lists"}