How to Use SafeRun
Complete guide to secure code execution
⚡ Quick Start
Enter Repository URL
Paste any public GitHub repository URL into the input field.
https://github.com/remix-run/examples/tree/main/basic
Analyze & Generate Plan
Click the "Analyze & Generate" button. SafeRun will:
- Fetch repository contents (README, manifests, config files)
- Run PromptShield security scan (30+ detection rules)
- Perform AI-powered security analysis with Claude
- Generate deterministic YAML execution plan
Review Security Analysis
Check the security cards that appear:
🛡️ Risk Score (0-100)
- 0-24: Low Risk ✅
- 25-49: Medium Risk ⚠️
- 50-74: High Risk 🚫
- 75-100: Critical Risk 🔴
✅ Readiness Score (0-100)
- 0-24: Not Ready
- 25-49: Needs Work
- 50-74: Mostly Ready
- 75-100: Production Ready
Execute the Plan
If the risk score is below 50, click "Execute Plan". SafeRun will:
- Create an isolated Daytona workspace
- Clone the repository
- Execute steps sequentially (install → build → run)
- Expose ports if it's a web application
- Stream logs in real-time
Automatic Blocking: Repositories with High or Critical risk (score ≥ 50) cannot be executed.
Monitor Execution
Watch real-time logs and get results:
- Color-coded logs (info, success, error)
- Step-by-step execution progress
- Preview URL for web applications
- Final status (success/failed)
🔒 Security Features
PromptShield Scanner
30+ regex-based detection rules for:
- API keys and secrets
- Data exfiltration patterns
- Dangerous system commands
- Prompt injection attempts
- PII (Personally Identifiable Information)
AI Security Analysis
Claude 3.5 Sonnet provides:
- Contextual threat assessment
- Operational readiness
- Risk categorization
- Actionable recommendations
- Safer alternatives for risky code
Execution Constraints
Runtime protection:
- No raw shell commands (only 4 verbs)
- Non-root execution
- Memory limits (2GB default)
- Network egress allowlist
- 30-minute timeout
Isolated Workspaces
Daytona containers provide:
- Complete isolation per execution
- Automatic cleanup
- Resource limits
- Secure networking
- No cross-contamination
💻 Supported Languages & Frameworks
Node.js/TypeScript
Tools: npm, pnpm, yarn
Frameworks: Next.js, Remix, Express
Python
Tools: pip, poetry
Frameworks: Flask, Django, FastAPI
Rust
Tools: cargo
Frameworks: Actix, Rocket
Go
Tools: go mod
Frameworks: Gin, Echo
Java
Tools: maven, gradle
Frameworks: Spring Boot
Ruby
Tools: bundler
Frameworks: Rails, Sinatra
❓ Frequently Asked Questions
What happens if my repository has a high risk score?
Repositories with a risk score of 50 or higher are automatically blocked from execution. You can review the security analysis to understand the threats detected and make necessary changes to your code.
How long does execution take?
Execution time varies by project size and complexity. Simple projects may complete in 1-2 minutes, while larger projects can take up to 30 minutes (the maximum timeout).
Can I execute private repositories?
Currently, SafeRun only supports public GitHub repositories. Private repository support may be added in future versions.
What are the 4 allowed verbs?
SafeRun only allows: install (dependencies), build (compile/bundle), run (start application), and test (run tests). This prevents arbitrary shell command execution.
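As an added illustration (not SafeRun's own code), the sketch below shows how a verb allowlist and the score ≥ 50 block described above can be enforced before anything runs. The plan field names (risk_score, steps, verb, tool), the COMMANDS table, resolve_plan and PlanRejected are assumptions made for this example; the page does not document the real plan schema.

```python
ALLOWED_VERBS = ("install", "build", "run", "test")  # the four verbs in the FAQ
BLOCK_THRESHOLD = 50  # scores >= 50 (High, Critical) are never executed

# Assumed mapping: each (tool, verb) pair resolves to a fixed argv, so no
# string taken from the repository is ever handed to a shell.
COMMANDS = {
    ("npm", "install"): ["npm", "ci"],
    ("npm", "build"): ["npm", "run", "build"],
    ("npm", "run"): ["npm", "start"],
    ("npm", "test"): ["npm", "test"],
    ("cargo", "install"): ["cargo", "fetch"],
    ("cargo", "build"): ["cargo", "build", "--release"],
    ("cargo", "run"): ["cargo", "run", "--release"],
    ("cargo", "test"): ["cargo", "test"],
}


class PlanRejected(Exception):
    """The plan must not be executed."""


def resolve_plan(plan):
    """Validate a parsed plan (hypothetical schema); return one argv per step."""
    score = plan.get("risk_score")
    if type(score) is not int or not 0 <= score <= 100:
        raise PlanRejected("missing or invalid risk score")  # fail closed
    if score >= BLOCK_THRESHOLD:
        raise PlanRejected(f"risk score {score} is blocked")
    steps = plan.get("steps")
    if not isinstance(steps, list) or not steps:
        raise PlanRejected("plan has no steps")
    argvs = []
    for i, step in enumerate(steps):
        # Extra keys such as "command" or "args" would reopen raw shell access.
        if not isinstance(step, dict) or set(step) != {"verb", "tool"}:
            raise PlanRejected(f"step {i}: only 'verb' and 'tool' are accepted")
        verb, tool = step["verb"], step["tool"]
        if not isinstance(tool, str) or verb not in ALLOWED_VERBS:
            raise PlanRejected(f"step {i}: verb or tool not allowed")
        if (tool, verb) not in COMMANDS:
            raise PlanRejected(f"step {i}: no fixed command for {tool} {verb}")
        argvs.append(list(COMMANDS[(tool, verb)]))
    return argvs


# Constructed sample plan, shown as already-parsed YAML.
SAMPLE_PLAN = {"risk_score": 12, "steps": [
    {"verb": "install", "tool": "npm"},
    {"verb": "build", "tool": "npm"},
    {"verb": "run", "tool": "npm"},
]}
```

The returned argv lists are meant to be passed to a process launcher without a shell, which is what keeps a step from carrying pipes, redirects or command substitution.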
How is my code isolated?
Each execution runs in a separate Daytona container with resource limits, network restrictions, and automatic cleanup. Containers are destroyed after execution.
What if execution fails?
Check the execution logs for error messages. Common issues include missing dependencies, incorrect build commands, or port conflicts. The workspace is automatically cleaned up on failure.