Code on Incus: Security-Hardened Container Runtime for AI Coding Agents (github.com)

🤖 AI Summary
Incus has introduced a security-hardened container runtime specifically designed for AI coding agents called Code on Incus (COI). This platform allows users to run AI tools like Claude Code and opencode in isolated, production-grade containers, minimizing security risks associated with traditional environments like Docker. Key features include automatic credential isolation, where system variables and SSH keys are never exposed to AI agents, and real-time threat detection enabled by a built-in monitoring daemon. If a threat is detected, the system can automatically pause or kill the container without manual intervention, effectively containing potential damage.

The significance of COI for the AI/ML community lies in its proactive focus on security while providing a robust coding environment. Unlike Docker, COI's system containers mimic lightweight virtual machines, which offer better isolation and security properties, including automatic UID mapping and kernel-level threat monitoring. This allows developers to safely leverage the capabilities of AI coding tools without compromising their host systems, thus paving the way for more secure AI integrations in software development workflows. Moreover, features like session persistence and multi-session support enhance usability, making it easier to manage multiple AI coding sessions in a secure manner.