GC-101 · Module 1

Sandboxing & Security


Gemini CLI uses an approval-based security model. When the AI wants to execute a potentially dangerous operation — running a shell command, writing to a file, deleting something — it prompts you for approval first. This is the default behavior and the right one. You stay in the loop for every consequential action.

For stronger isolation, Gemini CLI supports Docker and Podman sandboxing. When configured, all tool executions run inside a container rather than on your host machine. This is ideal for untrusted codebases, security-sensitive work, or CI/CD pipelines where you want hard boundaries around what the AI can access.

# Run Gemini CLI with Docker sandboxing
gemini --sandbox docker

# Run with Podman sandboxing
gemini --sandbox podman
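For CI/CD use, the risk to guard against is a job that silently runs on the host because no container engine was available. The following is an added example, not code from this page or from the Gemini CLI project: a fail-closed launcher that picks whichever engine actually responds and otherwise refuses to start. The function names are hypothetical; only the `gemini --sandbox docker` and `gemini --sandbox podman` invocations come from the page.

```shell
# Added example: fail-closed launcher for sandboxed Gemini CLI sessions.
# Function names are hypothetical; the `gemini --sandbox <runtime>` form is
# the one shown on this page.

# Print the first container runtime that is installed AND responding.
# Returns non-zero when none is usable, so callers can refuse to continue.
select_sandbox_runtime() {
  for _rt in docker podman; do
    # `command -v` confirms the binary is on PATH; `<runtime> info` confirms
    # the engine answers (a stopped daemon fails this check).
    if command -v "$_rt" >/dev/null 2>&1 && "$_rt" info >/dev/null 2>&1; then
      printf '%s\n' "$_rt"
      return 0
    fi
  done
  return 1
}

# Print the launch command, or fail without printing one.
sandboxed_gemini_cmd() {
  _sel=$(select_sandbox_runtime) || {
    echo "no usable container runtime; refusing to run unsandboxed" >&2
    return 1
  }
  printf 'gemini --sandbox %s\n' "$_sel"
}

# Launch Gemini CLI inside the sandbox, passing any extra arguments through.
# Never falls back to an unsandboxed session.
run_sandboxed_gemini() {
  _sel=$(select_sandbox_runtime) || {
    echo "no usable container runtime; refusing to run unsandboxed" >&2
    return 1
  }
  exec gemini --sandbox "$_sel" "$@"
}
```

Source the file in a pipeline step and call `run_sandboxed_gemini`; a non-zero return fails the job instead of letting tool executions reach the build host.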

Trusted folders let you skip approval prompts for specific directories. If you're working in a project you fully control, you can mark that folder as trusted so Gemini CLI operates without constant interruptions. The /restore command works as a checkpoint system — if the AI makes changes you don't like, you can restore to a previous state. Think of it as a lightweight git revert built into the session.