Run devcontainers without Docker.
krate boots workloads in their own microVMs. 100% .devcontainer compatible. No Docker daemon required.
Zero to kernel-isolated dev environments in 3 commands.
# 1. Install $ brew install krate-dot-sh/tap/krate # 2. Authenticate (GitHub OAuth, takes 5 seconds) $ krate login # 3. Run a workload $ krate run hello-krate Hello from krate!
Run a workload in under 1 second.
devcontainer.jsonWhat you get
Kernel isolation
Each workload boots in its own microVM via Apple Hypervisor. No shared kernel. A compromised container can't escape to your Mac.
Devcontainer compatible
krate reads .devcontainer/devcontainer.json and docker-compose.yml verbatim. The same spec that works in VS Code Dev Containers and GitHub Codespaces works here.
Self-hostable
Solo: local on your Mac. Team: hosted on krate.sh. Enterprise: self-hosted on your own infrastructure.
Run any workload
Devcontainers, Docker containers, Docker compose, WebAssembly modules, and unikernels. Each in its own kernel-isolated microVM.
Policy as code
Declare what your team is allowed to run in a krate.policy file. Enforced at the daemon, audited locally, syncable across the org.
Real builds, real artifacts
krate build produces signed OCI artifacts you can pull from any standard registry. SLSA Level 3 attestation on the Enterprise tier.
How it works
Krate translates .devcontainer.json into krate.toml to run with applied policy in a microVM.
Bring your devcontainer
krate uses your existing devcontainer.json or compose.yml. No changes needed.
krate boots a microVM
Each workload gets its own kernel. No shared host kernel, no docker daemon.
Secure Dev Environments
Customized and policy enforced. Fast. Secure. Flexible. Enterprise ready.
Join the beta
We're inviting people in waves while we work through the beta. Drop your email and we'll be in touch.
We use your email to send you beta status updates. We never sell or share it. Privacy.