GC-201a · Module 3
Sandbox & Security Configuration
3 min read
Gemini CLI's sandbox setting controls where tool executions run. The default ("none") runs everything on your host machine with approval prompts. Docker and Podman sandbox modes run all tool executions inside containers — isolating the AI from your filesystem, network, and system resources. This is not theoretical security. For untrusted codebases, CI/CD pipelines, and multi-tenant environments, sandbox mode is a hard requirement.
Trusted folders bypass the approval prompt for file operations within specified directories. This is the middle ground between full sandboxing and --yolo. Mark your active project as trusted so Gemini can read, write, and edit files without interrupting your flow. Leave everything else untrusted. The configuration is explicit — you list exact paths. No wildcards, no inference.
{
  "sandbox": "none",
  "trustedFolders": [
    "/home/user/projects/dashboard",
    "/home/user/projects/api-server"
  ]
}

// For CI/CD or untrusted codebases:
// {
//   "sandbox": "docker"
// }
- Individual Development: Use trusted folders for your active projects. Default approval prompts for everything else. No sandbox overhead, reasonable protection.
- Team/Shared Environments: Default approval prompts everywhere. No trusted folders (different users have different permissions). Consider Docker sandbox for shared CI runners.
- CI/CD Pipelines: Docker sandbox is mandatory. Headless mode means no human to approve operations. Sandbox ensures the AI cannot escape its designated boundaries.
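Added here as an illustration (not Gemini CLI's own code): a small Python lint that checks a parsed settings object against the rules above, that trusted folders are exact absolute paths with no wildcards, and that a headless CI run is never left on the host with sandbox "none". The settings shape is taken from the sample above; treating a set CI environment variable as "headless" and the "too broad" path heuristic are assumptions.

```python
import json
import os
from pathlib import PurePosixPath

# Constructed sample mirroring the settings.json shape shown on this page.
SAMPLE_SETTINGS = json.loads("""
{
  "sandbox": "none",
  "trustedFolders": [
    "/home/user/projects/dashboard",
    "/home/user/projects/api-server"
  ]
}
""")

# Values this page treats as container isolation; "none" runs tools on the host.
CONTAINER_SANDBOXES = {"docker", "podman"}
WILDCARD_CHARS = set("*?[]{}")


def lint_settings(settings: dict, headless: bool = False) -> list:
    """Return policy findings for a parsed settings object ([] means it passes).
    headless=True models a CI/CD run with nobody present to answer approval prompts.
    """
    findings = []
    sandbox = settings.get("sandbox", "none")
    if headless and sandbox not in CONTAINER_SANDBOXES:
        findings.append(f"headless run requires a container sandbox, got {sandbox!r}")

    for folder in settings.get("trustedFolders", []):
        path = PurePosixPath(folder)
        if not path.is_absolute():
            findings.append(f"trusted folder must be an absolute path: {folder!r}")
        elif len(path.parts) <= 2:
            # "/" or a top-level directory trusts far more than one project (heuristic).
            findings.append(f"trusted folder is too broad: {folder!r}")
        if WILDCARD_CHARS & set(folder):
            findings.append(f"trusted folder must not contain wildcards: {folder!r}")
        if ".." in path.parts:
            findings.append(f"trusted folder must not contain '..': {folder!r}")
    return findings


if __name__ == "__main__":
    # Assumption: a set CI variable means a headless run; adjust to your runner.
    for finding in lint_settings(SAMPLE_SETTINGS, headless=bool(os.environ.get("CI"))):
        print("FINDING:", finding)
```

Run it once with `CI=1` set to see the sample config rejected for a pipeline while it passes for individual use.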