Repo-quarantine – run untrusted repos in a disposable VirtualBox VM

Peter Sjolin

@pigfox
Published: Jun 18, 2026
Updated: Jun 18, 2026
Views: 16

I kept hitting the same problem: someone sends a repo and says "clone this and run it."

A hiring challenge. An unvetted dependency. A "just try this and tell me what you think."

The catch is that running unfamiliar code is genuinely risky — and not in an abstract way. The install step alone (npm install, composer install) can execute arbitrary code before you've read a single line. There's a known social-engineering pattern that weaponizes exactly this against engineers and job-seekers.

So I built a small workflow to do it safely-ish, and I want to be precise about that "ish."

repo-quarantine is two scripts and a README:

→ Harden a disposable VirtualBox VM (escape channels off, non-privileged user, snapshot baseline)

→ One command: boot clean → drop into the VM → do your poking → exit → roll back, wiping everything the code did

The honest scope, which I lead with in the README: it isolates your host filesystem via disposable rollback. That's the guarantee. It does NOT isolate the network, so nothing real — keys, credentials, wallets — ever goes in the VM. I'd rather ship a tool with clearly-stated limits than one that overpromises "safety" and quietly leaves a gap.

That framing discipline mattered more than the code. The first version was literally called "safely-run-repo," and the most useful thing I did was admit that name was a promise I couldn't keep, and rebuild the threat model around what's actually true.

Built under Pigfox LLC. It's a workflow I use, not a battle-tested product — feedback welcome, especially on the network-exposure tradeoff.

GitHub - pigfox/repo-quarantine: Safely run an unknown repo on local machine

#engineering #security #golang #opensource
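A shell sketch of the two scripts the post describes (harden the VM and snapshot a baseline; boot clean, poke, exit, roll back), written here as an added example and not taken from the repo-quarantine repository. It assumes hypothetical names: a VirtualBox VM `quarantine` with a powered-off snapshot `baseline`, guest SSH forwarded to host port 2222, and key-based login for an unprivileged guest user `sandbox`.

```shell
#!/bin/sh
# Disposable-VM loop: restore the baseline snapshot, boot, hand over an SSH shell,
# then roll back so nothing the cloned repo did survives. Hypothetical names, not
# the project's: VM $VM with powered-off snapshot $SNAP, guest SSH forwarded to
# host port $PORT, key-based login for the unprivileged guest user $GUEST_USER.
set -eu
VM="${VM:-quarantine}"; SNAP="${SNAP:-baseline}"
PORT="${PORT:-2222}"; GUEST_USER="${GUEST_USER:-sandbox}"
# VBoxManage wrapper; VBOXMANAGE=echo turns every call into a dry-run print.
vbox() { "${VBOXMANAGE:-VBoxManage}" "$@"; }

# Close the guest->host escape channels before taking the baseline snapshot.
harden_vm() {
  vbox modifyvm "$1" --clipboard-mode disabled   # no shared clipboard
  vbox modifyvm "$1" --draganddrop disabled      # no drag-and-drop
  # Drop every shared folder: a writable share would bypass the rollback guarantee.
  vbox showvminfo "$1" --machinereadable |
    sed -n 's/^SharedFolderNameMachineMapping[0-9]*="\(.*\)"$/\1/p' |
    while read -r name; do vbox sharedfolder remove "$1" --name "$name"; done
}
take_baseline() {
  harden_vm "$VM"
  vbox snapshot "$VM" take "$SNAP" --description "hardened, clean baseline"
}
# Discard everything the untrusted code did: power off, restore the snapshot.
rollback() {
  vbox controlvm "$VM" poweroff || true   # harmless if the VM is already off
  vbox snapshot "$VM" restore "$SNAP"
}
# boot clean -> wait for sshd -> interactive shell -> roll back (also on Ctrl-C).
session() {
  trap rollback INT TERM
  vbox snapshot "$VM" restore "$SNAP"
  vbox startvm "$VM" --type headless
  tries=0
  until ssh -q -p "$PORT" -o BatchMode=yes -o ConnectTimeout=2 "$GUEST_USER@127.0.0.1" true; do
    tries=$((tries + 1))
    [ "$tries" -lt 60 ] || { echo "guest never came up; rolling back" >&2; rollback; return 1; }
    sleep 2
  done
  ssh -p "$PORT" "$GUEST_USER@127.0.0.1" || true   # your poking; exit status ignored
  rollback
}
case "${1:-}" in
  baseline) take_baseline ;;
  run) session ;;
  "") ;;                                             # no command: just define functions
  *) echo "usage: $0 {baseline|run}" >&2; exit 2 ;;
esac
```

Run `./quarantine.sh baseline` once after installing the guest, then `./quarantine.sh run` for each untrusted repo; the network caveat from the post still applies, so the guest must never hold real keys.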

Replies

  • Shubhada Pande

    @ShubhadaJP Jun 18, 2026

    This made me think about the hiring side more than the tool side.

    When a Web3 company gives a take-home task, maybe the instruction should not stop at “clone this repo and run it.” They should also say whether testnet-only setup is enough, whether any real keys are needed, and what candidates should avoid putting into .env.

    For candidates, this is also a hiring signal. How to handle an unknown GitHub repo during a blockchain developer take-home assignment without exposing wallet keys, RPC credentials, API tokens, or local system access is probably part of professional judgment now.

    Would be interesting to know how senior devs here explain this boundary to juniors without making them afraid of every repo.