
Use case

Auditing infrastructure-as-code is exactly the kind of job you want in a sandbox: the input is often untrusted (someone’s checked-in config) and the tooling is heavy (hadolint, kubeval, trivy, terraform, kubectl). The devops template has the tooling pre-installed. A TransformationRule keeps real credentials out of LLM traces even if the manifest accidentally ships one.

Template

devops — git, kubectl, terraform, docker, hadolint, aws-cli, yq, jq. Heaviest of the built-in templates; first cold-start in a fresh worker is slower than python.

Run it

export DECLAW_API_KEY=dcl_...
export DECLAW_DOMAIN=api.declaw.ai
export OPENAI_API_KEY=sk-...

python cookbook/openai_agents_devops_audit.py

Security policy

SecurityPolicy(
    injection_defense=InjectionDefenseConfig(enabled=True, sensitivity="high"),
    transformations=[
        TransformationRule(
            match=r"AKIA[0-9A-Z]{16}",
            replace="***AWS_KEY_REDACTED***",
        ),
    ],
    network=NetworkPolicy(allow_out=["api.openai.com"]),
)

Why transformations matter here. The sample Dockerfile in the recipe contains ENV AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE. Without the rule, that value would travel through the LLM and be recorded in every trace / audit log / debug output downstream. With the rule, the edge proxy rewrites it to ***AWS_KEY_REDACTED*** on every outbound request. The auditor sees the placeholder and can still reason about “there’s a credential here that needs to move to a secret” — it just doesn’t get to see the value.
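The following is an added example, not code from the declaw project or from the recipe: a stand-alone Python redactor that applies the same regex rule to a constructed stand-in for the sample Dockerfile, in the way the edge proxy rewrites outbound request bodies. It also makes a caveat visible: the AKIA pattern covers only the access key ID, so a 40-character secret access key sitting in a neighbouring ENV line passes through unless a second rule is added (the extra rule here is hypothetical, not part of the recipe). Finally it shows that the auditor can still raise the "move it to a secret" finding from the variable name alone. Rule, apply_rules, credential_findings and ENV_CRED_RE are this example's own names, not SDK API.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    match: str    # regex applied to every outbound request body (mirrors TransformationRule.match)
    replace: str  # literal replacement text (mirrors TransformationRule.replace)


# The rule from the recipe's SecurityPolicy.
PAGE_RULES = [Rule(match=r"AKIA[0-9A-Z]{16}", replace="***AWS_KEY_REDACTED***")]

# Hypothetical second rule (not in the recipe): the 40-character secret access key that
# follows an AWS_SECRET_ACCESS_KEY= assignment, which the AKIA pattern cannot match.
EXTENDED_RULES = PAGE_RULES + [
    Rule(match=r"(?<=AWS_SECRET_ACCESS_KEY=)[A-Za-z0-9/+=]{40}", replace="***AWS_SECRET_REDACTED***"),
]

# Constructed stand-in for the recipe's sample Dockerfile. Both values are the
# placeholder credentials AWS publishes in its own documentation, not live keys.
SAMPLE_DOCKERFILE = """\
FROM python:latest
ENV AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
ENV AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
RUN apt-get update
COPY . /app
CMD ["python", "/app/main.py"]
"""

# ENV lines that assign an AWS credential variable; the value is captured whatever it is,
# so a redacted placeholder is enough to raise the finding.
ENV_CRED_RE = re.compile(r"^ENV\s+(AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY)=(\S+)", re.MULTILINE)


def apply_rules(text, rules):
    """Rewrite text with each rule in order; return (redacted_text, {replacement: match_count})."""
    hits = {}
    for rule in rules:
        text, count = re.subn(rule.match, rule.replace, text)
        if count:
            hits[rule.replace] = count
    return text, hits


def credential_findings(dockerfile_text):
    """Findings an auditor can still raise after redaction: the variable name alone is the smell."""
    return [
        f"ENV {name} is baked into the image (value seen: {value}); move it to a Secret and inject it at runtime"
        for name, value in ENV_CRED_RE.findall(dockerfile_text)
    ]


if __name__ == "__main__":
    redacted, hits = apply_rules(SAMPLE_DOCKERFILE, EXTENDED_RULES)
    print(redacted)
    print(hits)
    for finding in credential_findings(redacted):
        print("-", finding)
```

Running it with PAGE_RULES alone leaves the secret access key line untouched, which is the point of the caveat: match rules are only as good as the patterns you enumerate, so pair the AKIA rule with one for each credential shape the manifests you audit can actually carry.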

Env isolation

envs={
    "CLUSTER_NAME": "prod-us-east",
    "SEVERITY_FLOOR": "medium",
    "AUDIT_ID": "aud-2026-04-19",
}

Audit IDs, cluster names, and severity thresholds travel as env, not prompt. The agent’s instructions tell it to run printenv to pick them up.

What the agent does

  1. printenv CLUSTER_NAME SEVERITY_FLOOR AUDIT_ID.
  2. hadolint /workspace/audit/Dockerfile — catches Dockerfile smells (:latest tag, missing USER, apt-get update without a matching install).
  3. Parse /workspace/audit/deploy.yaml — flag runAsUser: 0, privileged: true, :latest image tag.
  4. Write /workspace/audit/findings.md with sections:
    • ## Metadata (from env)
    • ## Dockerfile findings
    • ## Kubernetes findings
    • ## Remediation
  5. Return findings.md.
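Steps 1, 3 and 4 above as an added, stand-alone Python example. This is not the recipe's code and not what the agent literally runs (it uses printenv and the sandbox's shell tools); the manifest is a constructed dict standing in for the parsed deploy.yaml, the checks flag runAsUser: 0 (including a pod-level value inherited by containers that set none), privileged: true and unpinned or :latest images, SEVERITY_FLOOR from the environment filters what is reported, and the findings are rendered into the four sections listed. All function names, the sample manifest and the remediation table are this example's own.

```python
import os

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed stand-in for what parsing /workspace/audit/deploy.yaml would yield.
SAMPLE_DEPLOY = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsUser": 0},            # pod-level root, inherited below
        "initContainers": [{"name": "init", "image": "busybox"}],
        "containers": [
            {"name": "web", "image": "registry.local:5000/web:latest",
             "securityContext": {"privileged": True}},
            {"name": "sidecar", "image": "registry.local:5000/proxy:1.4.2",
             "securityContext": {"runAsUser": 1000}},  # container-level override
        ],
    }}},
}

# Generic fixes keyed on a substring of the finding message they address.
REMEDIATION = {
    "runAsUser": "Set runAsUser to a non-zero UID and runAsNonRoot: true",
    "privileged": "Drop privileged: true and grant only the specific capabilities needed",
    "not pinned": "Pin images to an immutable tag or digest",
}


def read_metadata(env=None):
    """Step 1: pick the audit parameters up from the environment, never from the prompt."""
    env = os.environ if env is None else env
    return {k: env.get(k, "<unset>") for k in ("CLUSTER_NAME", "SEVERITY_FLOOR", "AUDIT_ID")}


def image_tag(image):
    """Tag (or digest) of an image reference, or None if absent. Registry ports are not tags."""
    if "@" in image:
        return image.split("@", 1)[1]
    last = image.rsplit("/", 1)[-1]
    return last.split(":", 1)[1] if ":" in last else None


def audit_deployment(doc):
    """Step 3: return (severity, message) pairs for the checks the recipe lists."""
    pod = doc["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext", {})
    findings = []
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        sc = c.get("securityContext", {})
        run_as = sc.get("runAsUser", pod_sc.get("runAsUser"))  # container value wins
        if run_as == 0:
            findings.append(("high", f"{c['name']}: runs as root (runAsUser: 0)"))
        if sc.get("privileged") is True:
            findings.append(("critical", f"{c['name']}: privileged: true"))
        tag = image_tag(c["image"])
        if tag is None or tag == "latest":
            findings.append(("medium", f"{c['name']}: image {c['image']} is not pinned "
                                       f"(tag {tag or 'missing'} resolves to :latest)"))
    return findings


def filter_by_floor(findings, floor):
    """Drop findings below SEVERITY_FLOOR."""
    return [f for f in findings if SEVERITY_RANK[f[0]] >= SEVERITY_RANK[floor]]


def render_findings(meta, dockerfile_findings, k8s_findings):
    """Step 4: the findings.md layout with the four sections the recipe asks for."""
    lines = ["## Metadata"] + [f"- {k}: {v}" for k, v in meta.items()]
    lines += ["", "## Dockerfile findings"] + ([f"- {m}" for m in dockerfile_findings] or ["- none"])
    lines += ["", "## Kubernetes findings"] + ([f"- [{s}] {m}" for s, m in k8s_findings] or ["- none"])
    fixes = [fix for key, fix in REMEDIATION.items() if any(key in m for _, m in k8s_findings)]
    lines += ["", "## Remediation"] + ([f"- {f}" for f in fixes] or ["- none"])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    meta = read_metadata()
    floor = meta["SEVERITY_FLOOR"] if meta["SEVERITY_FLOOR"] in SEVERITY_RANK else "low"
    print(render_findings(meta, [], filter_by_floor(audit_deployment(SAMPLE_DEPLOY), floor)))
```

On the sample manifest the init container is flagged as root even though it sets no securityContext of its own, because the pod-level runAsUser: 0 applies to it; the sidecar is clean because its container-level runAsUser: 1000 overrides the pod value. That inheritance is the part of the check that a grep for "runAsUser: 0" per container would miss.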

Filesystem isolation

The sample Dockerfile + deploy.yaml are seeded by the Python driver calling inner._sbx.write_file(...) — they never touch your host. All reports come back through read_file. The next audit run gets a fresh VM with none of this run’s state.

Full source

See cookbook/openai_agents_devops_audit.py in the repo.