Crate kavach


§Kavach — Sandbox Execution Framework

Kavach (कवच, Sanskrit: armor/shield) provides a unified sandbox abstraction for executing untrusted code across multiple isolation backends. The backends differ widely in isolation strength (a plain process sandbox versus a microVM or an enclave), which is why the crate ships a scoring module for comparing them. Extracted from SecureYeoman’s production sandbox framework.

§Modules

  • backend — Sandbox backend trait and implementations (process, gVisor, Firecracker, WASM, OCI, SGX, SEV)
  • scoring — Quantitative security strength scoring (0–100)
  • policy — Seccomp profiles, Landlock rules, network allowlists, resource limits
  • credential — Secrets injection without exposing to sandboxed processes
  • lifecycle — Create, start, checkpoint, migrate, destroy with audit hooks
  • scanning — Multi-stage output scanning (secrets, code violations, PII/compliance)
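
The multi-stage output scanning described above, as an added stand-alone illustration that is not kavach's own code: a three-stage scanner (secrets, code violations, PII) feeding an externalization gate that blocks output at or above a severity threshold. The type names, detection patterns, threshold semantics and sample output below are assumptions made for this example; the crate's real ExternalizationGate, CodeScanner, DataScanner, ScanVerdict and Severity are documented in the scanning module and need not look like this.

```rust
// Added illustrative example (not kavach's own code): a minimal
// multi-stage output scanner and externalization gate. All type names,
// patterns, thresholds and sample data here are assumptions. std only.

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Severity { Low, Medium, High, Critical }

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Finding {
    pub stage: &'static str,
    pub severity: Severity,
    pub detail: String,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Report {
    pub blocked: bool,
    pub findings: Vec<Finding>,
}

/// Stage 1, secrets: AWS-style access key ids (AKIA + 16 uppercase
/// alphanumerics) and PEM private-key blocks. Only a prefix of a key is
/// reported so the finding itself does not re-leak the secret.
fn scan_secrets(output: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    for tok in output.split(|c: char| !c.is_ascii_alphanumeric()) {
        let looks_like_akid = tok.len() == 20
            && tok.starts_with("AKIA")
            && tok.bytes().all(|b| b.is_ascii_uppercase() || b.is_ascii_digit());
        if looks_like_akid {
            findings.push(Finding {
                stage: "secrets",
                severity: Severity::Critical,
                detail: format!("AWS access key id starting {}...", &tok[..8]),
            });
        }
    }
    if output.contains("-----BEGIN") && output.contains("PRIVATE KEY-----") {
        findings.push(Finding {
            stage: "secrets",
            severity: Severity::Critical,
            detail: "PEM private key block".to_string(),
        });
    }
    findings
}

/// Stage 2, code violations: shell idioms that should never leave the sandbox
/// in output that might be executed or copied elsewhere.
fn scan_code(output: &str) -> Vec<Finding> {
    output
        .lines()
        .enumerate()
        .filter_map(|(i, line)| {
            let pipe_to_shell = (line.contains("curl ") || line.contains("wget "))
                && (line.contains("| sh") || line.contains("| bash"));
            let destructive = line.contains("rm -rf /");
            if pipe_to_shell || destructive {
                Some(Finding {
                    stage: "code",
                    severity: Severity::High,
                    detail: format!("line {}: {}", i + 1, line.trim()),
                })
            } else {
                None
            }
        })
        .collect()
}

/// Stage 3, PII/compliance: a conservative e-mail address check
/// (exactly one '@', non-empty local part, dotted domain). The address is
/// masked in the finding.
fn scan_pii(output: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    for raw in output.split_whitespace() {
        let tok = raw.trim_matches(|c: char| !c.is_ascii_alphanumeric());
        let (local, domain) = match tok.split_once('@') {
            Some(parts) => parts,
            None => continue,
        };
        let domain_ok = domain.contains('.') && !domain.contains('@')
            && !domain.starts_with('.') && !domain.ends_with('.');
        if !local.is_empty() && domain_ok {
            let first = local.chars().next().unwrap();
            findings.push(Finding {
                stage: "pii",
                severity: Severity::Medium,
                detail: format!("e-mail address {}***@{}", first, domain),
            });
        }
    }
    findings
}

/// The gate: run every stage, then block if any finding reaches `block_at`.
/// Findings below the threshold are still returned so they can be audited.
pub fn externalization_gate(output: &str, block_at: Severity) -> Report {
    let mut findings = scan_secrets(output);
    findings.extend(scan_code(output));
    findings.extend(scan_pii(output));
    let blocked = findings.iter().any(|f| f.severity >= block_at);
    Report { blocked, findings }
}

fn main() {
    // Constructed sample sandbox output for the example, not real data.
    let sample = "build ok\nexport AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\ncontact: alice@example.com\n";
    let report = externalization_gate(sample, Severity::Medium);
    println!("blocked={} findings={}", report.blocked, report.findings.len());
    for f in &report.findings {
        println!("  [{}] {:?}: {}", f.stage, f.severity, f.detail);
    }
}
```

Two design points worth keeping whatever the real scanners look like: secret findings carry only a prefix of what they matched, so the gate's own log cannot become a second leak, and sub-threshold findings are reported rather than dropped so a PII-only result still reaches the audit trail. A production gate should additionally fail closed when a scanner stage errors, rather than letting unscanned output through.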

§Quick start

use kavach::{Backend, Sandbox, SandboxConfig};

// The crate's API is async; this example assumes a tokio runtime.
// `kavach::Result` is the crate's own Result alias (see Type Aliases below).
#[tokio::main]
async fn main() -> kavach::Result<()> {
    // Plain process backend, the "basic" seccomp profile, no network.
    let config = SandboxConfig::builder()
        .backend(Backend::Process)
        .policy_seccomp("basic")
        .network(false)
        .build();

    let sandbox = Sandbox::create(config).await?;
    let result = sandbox.exec("echo hello").await?;
    println!("exit: {}, stdout: {}", result.exit_code, result.stdout);
    // Always destroy explicitly so the audit hooks in `lifecycle` fire.
    sandbox.destroy().await?;
    Ok(())
}

Re-exports§

pub use backend::exec_util::SpawnedProcess;
pub use backend::health::HealthStatus;
pub use backend::metrics::SandboxMetrics;
pub use backend::Backend;
pub use backend::SandboxBackend;
pub use credential::CredentialProxy;
pub use credential::FileInjection;
pub use credential::SecretRef;
pub use lifecycle::ExecResult;
pub use lifecycle::Sandbox;
pub use lifecycle::SandboxConfig;
pub use lifecycle::SandboxPool;
pub use lifecycle::SandboxState;
pub use policy::LandlockRule;
pub use policy::NetworkPolicy;
pub use policy::SandboxPolicy;
pub use policy::SeccompProfile;
pub use scanning::ExternalizationGate;
pub use scanning::CodeScanner;
pub use scanning::DataScanner;
pub use scanning::ExternalizationPolicy;
pub use scanning::ScanVerdict;
pub use scanning::Severity;
pub use scoring::StrengthScore;
pub use scoring::score_backend;

Modules§

backend
Sandbox backend trait and implementations.
credential
Credential proxy — inject secrets into sandboxes without exposing them.
lifecycle
Sandbox lifecycle — create, start, exec, checkpoint, migrate, destroy.
policy
Sandbox security policy — seccomp, Landlock, network, resource limits.
scanning
Output scanning and externalization gate.
scoring
Quantitative security strength scoring (0–100).

Enums§

KavachError
Errors produced by kavach operations.

Type Aliases§

Result
Result type alias for kavach operations.