Docker Sandbox Lets Copilot Agents Refactor Your Code Without Risking Your Machine

Emiliano Montesdeoca — Fri, 17 Apr 2026 00:00:00 +0000

If you’ve used Copilot’s agent mode for anything beyond small edits, you know the pain. Every file write, every terminal command — another permission prompt. Now imagine running that across 50 projects. Not fun.

The Azure team just dropped a post about Docker Sandbox for GitHub Copilot agents, and honestly, this is one of the most practical agentic tooling improvements I’ve seen. It uses microVMs to give Copilot a fully isolated environment where it can go wild — install packages, run builds, execute tests — without touching your host system.

What Docker Sandbox actually gives you

The core idea is simple: spin up a lightweight microVM with a full Linux environment, sync your workspace into it, and let the Copilot agent operate freely inside. When it’s done, changes sync back.

Here’s what makes it more than just “run stuff in a container”:

Bidirectional workspace sync that preserves absolute paths. Your project structure looks identical inside the sandbox. No path-related build failures.
Private Docker daemon running inside the microVM. The agent can build and run containers without ever mounting your host’s Docker socket. That’s a big deal for security.
HTTP/HTTPS filtering proxies that control what the agent can reach on the network. You decide which registries and endpoints are allowed. Supply chain attacks from a rogue npm install inside the sandbox? Blocked.
YOLO mode — yes, that’s what they call it. The agent runs without permission prompts because it literally cannot damage your host. Every destructive action is contained.

Why .NET developers should care

Think about the modernization work so many teams are facing right now. You have a .NET Framework solution with 30 projects, and you need to move it to .NET 9. That’s hundreds of file changes — project files, namespace updates, API replacements, NuGet migrations.

With Docker Sandbox, you can point a Copilot agent at a project, let it refactor freely inside the microVM, run dotnet build and dotnet test to validate, and only accept the changes that actually work. No risk of it accidentally nuking your local dev environment while experimenting.

The post also describes running a fleet of parallel agents — each in its own sandbox — tackling different projects simultaneously. For large .NET solutions or microservice architectures, that’s a massive time saver. One agent per service, all running isolated, all validated independently.

The security angle matters

Here’s the thing most people skip over: when you let an AI agent execute arbitrary commands, you’re trusting it with your entire machine. Docker Sandbox flips that model. The agent gets full autonomy inside a throwaway environment. The network proxy ensures it can only pull from approved sources. Your host filesystem, Docker daemon, and credentials stay untouched.

For teams with compliance requirements — and that’s most enterprise .NET shops — this is the difference between “we can’t use agentic AI” and “we can adopt it safely.”

Takeaway

Docker Sandbox solves the fundamental tension of agentic coding: agents need freedom to be useful, but freedom on your host machine is dangerous. MicroVMs give you both. If you’re planning any large-scale .NET refactoring or modernization, this is worth setting up now. The combination of Copilot’s code intelligence with a safe execution environment is exactly what production teams have been waiting for.

GitHub Copilot's Modernization Assessment Is the Best Migration Tool You're Not Using Yet

Emiliano Montesdeoca — Fri, 10 Apr 2026 00:00:00 +0000

Migrating a legacy .NET Framework app to modern .NET is one of those tasks everyone knows they should do but nobody wants to start. It’s never just “change the target framework.” It’s APIs that disappeared, packages that don’t exist anymore, hosting models that work completely differently, and a million small decisions about what to containerize, what to rewrite, and what to leave alone.

Jeffrey Fritz just published a deep dive into GitHub Copilot’s modernization assessment, and honestly? This is the best migration tooling I’ve seen for .NET. Not because of the code generation — that’s table stakes now. Because of the assessment document it produces.

It’s not just a code suggestion engine

The VS Code extension follows an Assess → Plan → Execute model. The assessment phase analyzes your entire codebase and produces a structured document that captures everything: what needs to change, what Azure resources to provision, what deployment model to use. Everything downstream — infrastructure-as-code, containerization, deployment manifests — flows from what the assessment finds.

The assessment is stored under .github/modernize/assessment/ in your project. Each run produces an independent report, so you build up a history and can track how your migration posture evolves as you fix issues.

Two ways to start

Recommended Assessment — the fast path. Pick from curated domains (Java/.NET Upgrade, Cloud Readiness, Security) and get meaningful results without touching configuration. Great for a first look at where your app stands.

Custom Assessment — the targeted path. Configure exactly what to analyze: target compute (App Service, AKS, Container Apps), target OS, containerization analysis. Pick multiple Azure targets to compare migration approaches side-by-side.

That comparison view is genuinely useful. An app with 3 mandatory issues for App Service might have 7 for AKS. Seeing both helps drive the hosting decision before you commit to a migration path.

The issue breakdown is actionable

Each issue comes with a criticality level:

Mandatory — must fix or migration fails
Potential — might impact migration, needs human judgment
Optional — recommended improvements, won’t block migration

And each issue links to affected files and line numbers, provides a detailed description of what’s wrong and why it matters for your target platform, gives concrete remediation steps (not just “fix this”), and includes links to official documentation.

You can hand individual issues to developers and they have everything they need to act. That’s the difference between a tool that tells you “there’s a problem” and one that tells you how to solve it.

The upgrade paths covered

For .NET specifically:

.NET Framework → .NET 10
ASP.NET → ASP.NET Core

Each upgrade path has detection rules that know which APIs were removed, which patterns have no direct equivalent, and what security issues need attention.

For teams managing multiple apps, there’s also a CLI that supports multi-repo batch assessments — clone all repos, assess them all, get per-app reports plus an aggregated portfolio view.

My take

If you’re sitting on legacy .NET Framework apps (and let’s be real, most enterprise teams are), this is the tool to start with. The assessment document alone is worth the time — it turns a vague “we should modernize” into a concrete, prioritized list of work items with clear paths forward.

The collaborative workflow is smart too: export assessments, share with your team, import them without re-running. Architecture reviews where the decision-makers aren’t the ones running the tools? Covered.

Wrapping up

GitHub Copilot’s modernization assessment transforms .NET migration from a scary, undefined project into a structured, trackable process. Start with a recommended assessment to see where you stand, then use custom assessments to compare Azure targets and build your migration plan.

Read the full walkthrough and grab the VS Code extension to try it on your own codebase.

Modernization | The .NET Blog