Here’s a scenario: my development pipeline scans every package in the build but I can’t reach into a developer’s local shell session to prevent them from making a typo. Using a dev container changes that from “the attacker gets their data, keys, and anything their session credentials can access” to a more limited exposure and gives your other safeguards a chance to catch it.
So you force your devs to use your favorite IDE rather than the best one? Why not force them to use some better stuff for this security purpose, like virtual machines, Docker, something that would be useful for them to have experience with?
This does use Docker - it’s literally just working in a container so it’s both useful experience and overlaps with your deployments so you avoid multiple layers of waste from VMs: everything is reproducible, people don’t hit problems due to untracked local state, and they don’t spend time on sysadmin work which isn’t directly related to what you deploy.
I am 100% sure that everything you deploy you review?
Maybe it is safer to set up a secure environment for your system and for production if you use dangerous packages.