« All posts

Real-World gVisor Lessons from Auditing 8,764 MCP Servers

MarketNow shares practical lessons from running gVisor sandboxing in production, backed by real audit results across 8,764 MCP servers.

The MarketNow team shares hands-on lessons from running a gVisor-based sandbox layer (L2.5) for auditing MCP servers on GitHub Actions. Practical details include the sudo requirement for installation, how build-time network restrictions break npm install, and how gVisor intercepts syscalls like ptrace and bpf differently than seccomp.

The most notable finding is that roughly half of MCP servers fail to start under gVisor due to unsupported syscalls — treated as a security feature but requiring a strict seccomp fallback. The team plans to move to Firecracker microVMs next, though this requires KVM access via self-hosted AWS runners rather than GitHub-hosted ones.

Out of 8,764 audited servers, 206 went through the gVisor sandbox stage: 69 passed clean, 103 failed to start, 6 were flagged high-risk, and 3 were removed for leaking environment variables. The results offer a concrete case study in navigating CI/CD constraints and compatibility tradeoffs for AI agent sandboxing beyond theoretical comparisons.

» SourceDev.to