Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/fencesandbox/fence

Lightweight, container-free sandbox for running commands with network and filesystem restrictions
https://github.com/fencesandbox/fence

bubblewrap code-security coding-agent landlock sandbox seatbelt seccomp socat

Last synced: 16 days ago
JSON representation

Lightweight, container-free sandbox for running commands with network and filesystem restrictions

Awesome Lists containing this project

README 

          
![Fence Banner](assets/fence-banner.png)






![GitHub Release](https://img.shields.io/github/v/release/fencesandbox/fence)

[![Build and test](https://github.com/fencesandbox/fence/actions/workflows/main.yml/badge.svg?branch=main)](https://github.com/fencesandbox/fence/actions/workflows/main.yml)

[![Docs](https://img.shields.io/badge/docs-fencesandbox.com-4c1?logo=bookstack&logoColor=white&color=mediumslateblue)](https://fencesandbox.com/docs)

[![Ask DeepWiki](https://deepwiki.com/badge.svg)](https://deepwiki.com/fencesandbox/fence)

[![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)






Fence wraps commands in a sandbox that blocks network access by default and restricts filesystem operations based on configurable rules. It's most useful for running semi-trusted code (package installs, build scripts, CI jobs, unfamiliar repos) with controlled side effects, and it can also complement AI coding agents as defense-in-depth.



```bash

# Block all network access (default)

fence curl https://example.com  # → 403 Forbidden



# Allow specific domains

fence -t code npm install  # → uses 'code' template with npm/pypi/etc allowed



# Block dangerous commands

fence -c "rm -rf /"  # → blocked by command deny rules

```





    Fence Claude Code demo




Fence is also a permission manager for your CLI agents. **Works with popular coding agents like Claude Code, Codex, Amp, Gemini CLI, GitHub Copilot, OpenCode, Factory (Droid) CLI, and many more** - see [agents.md](./docs/agents.md).



## Install



> [!NOTE]

> Fence has moved from `github.com/Use-Tusk/fence` to `github.com/fencesandbox/fence`.

> If you installed with Homebrew from the old Tusk tap, switch to the new tap:

>

> ```bash

> brew uninstall use-tusk/tap/fence

> brew untap use-tusk/tap

> brew tap fencesandbox/tap

> brew install fencesandbox/tap/fence

> ```

>

> If you installed with `go install`, reinstall from the new module path:

>

> ```bash

> go install github.com/fencesandbox/fence/cmd/fence@latest

> ```



**macOS / Linux:**



```bash

curl -fsSL https://cli.fencesandbox.com/install.sh | sh

```



**Homebrew (macOS):**



```bash

brew tap fencesandbox/tap

brew install fencesandbox/tap/fence

```



**Nix (macOS, Linux, Windows (WSL)):**



```sh

nix run nixpkgs#fence -- --help

```



This runs it directly from the repository, without installing `fence`. If you want to install it, follow the guidelines [from NixOS](https://nix.dev) or [nix-darwin](https://github.com/nix-darwin/nix-darwin).



Other installation methods



**Go install:**



```bash

go install github.com/fencesandbox/fence/cmd/fence@latest

```



**Build from source:**



```bash

git clone https://github.com/fencesandbox/fence

cd fence

go build -o fence ./cmd/fence

```



**Additional requirements for Linux:**



- `bubblewrap` (for sandboxing)

- `socat` (for network bridging)

- `bpftrace` (optional, for filesystem violation visibility when monitoring with `-m`)



## Usage



### Basic



```bash

# Run command with all network blocked (no domains allowed by default)

fence curl https://example.com



# Run with shell expansion

fence -c "echo hello && ls"



# Enable debug logging

fence -d curl https://example.com



# Use a template

fence -t code -- claude  # Runs Claude Code using `code` template config



# Monitor mode (shows violations)

fence -m npm install



# Send Fence's own monitor/debug logs to a file

fence -m --fence-log-file /tmp/fence.log -- claude

tail -f /tmp/fence.log



# Inspect the config inheritance chain and active merged config

fence config show



# Show all commands and options

fence --help

```



> [!TIP]

> Need to pass flags to the command you are running? Use `--` to separate Fence flags from command flags, for example:

>

> ```bash

> fence -- claude --dangerously-skip-permissions

> ```



### Configuration



When `--settings` is not provided, Fence first looks for `fence.jsonc` (or `fence.json`) in the current directory and parent directories. If none is found, it falls back to `~/.config/fence/fence.{jsonc,json}`. Both extensions are treated as JSONC (comments and trailing commas are allowed). See [configuration reference](./docs/configuration.md) for more details.



```json

{

  "$schema": "https://raw.githubusercontent.com/fencesandbox/fence/main/docs/schema/fence.schema.json",

  "extends": "code",

  "network": { "allowedDomains": ["private.company.com"] },

  "filesystem": { "allowWrite": ["."] },

  "command": { "deny": ["git push", "npm publish"] }

}

```



For repo-local overrides on top of each user's normal Fence config, use:



```json

{

  "extends": "@base",

  "filesystem": { "allowWrite": ["."] }

}

```



Use `fence --settings ./custom.json` to specify a different config.



Inspect the active config without running a command:



```bash

fence config show

fence config show --settings ./custom.json

fence config show --template code

```



`fence config show` prints the config chain to `stderr` and the fully resolved config as plain JSON to `stdout`, so you can pipe the JSON to tools like `jq`.



Create a starter config with sensible defaults:



```bash

# Creates config at the default path with:

# { "extends": "code" }

fence config init



# Include scaffold arrays as editable hints

fence config init --scaffold

```



### Import from Claude Code



```bash

fence import --claude --save

```



## Features



- **Network isolation** - All outbound blocked by default; allowlist domains via config

- **Filesystem restrictions** - Control read/write access paths

- **Command blocking** - Deny dangerous commands like `rm -rf /`, `git push`

- **SSH Command Filtering** - Control which hosts and commands are allowed over SSH

- **Built-in templates** - Pre-configured rulesets for common workflows

- **Violation monitoring** - Real-time logging of blocked requests (`-m`)

- **Cross-platform** - macOS (sandbox-exec) + Linux (bubblewrap)



Fence can be used as a Go package or CLI tool.



## Documentation



Full docs are hosted at **[fencesandbox.com/docs](https://fencesandbox.com/docs)**.



Quick links:



- [Quickstart](https://fencesandbox.com/docs/quickstart) ([source](docs/quickstart.md))

- [Configuration Reference](https://fencesandbox.com/docs/reference/configuration) ([source](docs/configuration.md))

- [Agent Hooks](https://fencesandbox.com/docs/guides/hooks) ([source](docs/hooks.md))

- [Security Model](https://fencesandbox.com/docs/reference/security-model) ([source](docs/security-model.md))

- [Go Library Usage](https://fencesandbox.com/docs/reference/library) ([source](docs/library.md))

- [Architecture](https://fencesandbox.com/docs/reference/architecture) ([source](ARCHITECTURE.md))



## Attribution



Inspired by Anthropic's [sandbox-runtime](https://github.com/anthropic-experimental/sandbox-runtime).