We need to run unit tests under Jenkins whenever someone submits a new patchset, regardless of the submitter's status (i.e. the submitter may be a potential attacker). To achieve that, the Jenkins job needs to be properly isolated.
Following an internal WMF meeting, we could set up virtual machines using Vagrant. They would be booted on a second box and controlled by the Jenkins Vagrant plugin.
Note: this tracking task comes from Bugzilla. Although it still serves its purpose, most of the activity is tracked on the Continuous-Integration-Scaling workboard.