
pinocchio

Verified Safe

by tomblancdev

Overview

An MCP server that spawns autonomous Claude Code agents inside isolated Docker containers for secure and controlled AI-driven development tasks.

Installation

Run Command
/path/to/pinocchio/run-mcp.sh

Environment Variables

  • PROJECTS_ROOT
  • HOST_CLAUDE_DIR
  • HOST_CONFIG_DIR
  • HOST_GH_CONFIG
  • ABSOLUTE_MAX_TIMEOUT
  • MAX_CONCURRENT_AGENTS
  • MAX_SPAWNS_PER_MINUTE

Security Notes

Pinocchio employs a defense-in-depth security model. Key mitigations include a Docker socket proxy that blocks dangerous Docker API operations (BUILD, COMMIT, EXEC, VOLUMES, SECRETS); a workspace allowlist enforced with `fs.realpath`, which resolves symlinks and rejects non-existent paths so that symlink-based escapes from the allowed workspaces are prevented; read-only default mounts for workspaces, with granular write access granted only through validated glob patterns; and comprehensive input sanitization. GitHub tokens are passed to containers via temporary files with restrictive permissions rather than environment variables. Rate limiting (see MAX_CONCURRENT_AGENTS and MAX_SPAWNS_PER_MINUTE above) limits agent-spawning DoS, and containers are hardened with non-root users, dropped capabilities, and resource limits. The WebSocket server defaults to binding `0.0.0.0` with no authentication; this is a minor exposure risk if the port is unintentionally published externally, so enable the available `api-key` authentication and restrict the bind address where the server is reachable beyond localhost.

Stats

  • Interest Score: 0
  • Security Score: 9
  • Cost Class: High
  • Avg Tokens: 100000
  • Stars: 0
  • Forks: 0
  • Last Update: 2026-01-17

Tags

  • MCP
  • Claude
  • Docker
  • AI Agents
  • Security