38 comments

[ 5.3 ms ] story [ 83.8 ms ] thread
2-ish questions:

Is this level of fear typical or reasonable? If so, why doesn’t Anthropic / AI code gen providers offer this type of service? Hard to believe Anthropic is not secure in some sense — like what if Claude Code is already inside some container-like thing?

Is it actually true that Claude cannot bust out of the container?

I put in a full day trying to get Claude Code and VSCode to work inside Docker. I wasn't able to get the window to properly display in my wayland session.
If you are a VSCode hater (like me), you can achieve the same thing using the open-source, Microsoft-built, official devcontainer CLI [0], which is exactly what VSCode uses under the hood. You don't get automatic port forwarding with this tool, which includes SSH Agent forwarding, so you'll likely want to pair this with installing SSH into your devcontainers, or using some other tool that does the job. I built a tool [1] to do the port forwarding part, which I'd like to be more magic like VSCode's but haven't put the effort into doing, since it works for my purposes.

Using these, I can SSH into my devserver, use the devcontainer CLI to open a tmux session with iTerm2 Tmux integration, and it feels just like a local window. Combine that with Neovide and remote Neovim over the same channel, and I have a native-feeling dev environment running on a remote devcontainer in a nearby data center.

[0] https://github.com/devcontainers/cli

[1] https://gitlab.com/CGamesPlay/qtm

Not loving that the devcontainers CLI is node. The appeal of devcontainers is to limit the amount of code I have to trust on my host. Give me a small static binary I can deploy to new systems.
Oh the gitlab link is really really really cool. I can't express in words how happy I am since I know about iroh and I always wanted to create such a tool myself too but never could figure out iroh.

Now the way I did port forwarding was really wild and really complicated and I think that it might demand a blog post if I am being honest, but yes this project is absolutely godsend. Thanks!!

I have enjoyed running Claude Code in a container. The biggest advantage for me isn't security though, it's how easy it becomes to spin off agents to work in the background.

I use a simple script that copies my working directory into a container, prompts Claude Code, and then either saves a planning document locally, or opens a pull request in GitHub for me to review.

I quite like this because it makes starting agents when I have ideas really frictionless, and then I can easily discard the results and try again if it went off the rails. The Max plan makes me not worry about the cost of this whole process as well.

I also set up containers initially out of caution, but honestly, I've never seen Claude Code do anything that git couldn't easily reverse, so I'm not that worried about that any more.

> I've never seen Claude Code do anything that git couldn't easily reverse, so I'm not that worried about that any more.

I had one agent that installed something with pip and used it to rewrite my git history. It used the wrong flag and what was left was one file. I am glad I caught it before auto-commit and push triggered. It was one of my hobby projects, so not a huge deal. I can't imagine the fallout of this happening in a work environment.

Yes please, more containers-first thinking for all things AI. The fact that this has been largely absent from most discussions and demos regarding agents and vibe-coding seems like a big red flag to me. I mean if we're going to YOLO the code, perhaps we should at least pay some attention to the dev / test harness?

It's worth thinking about reproducibility even if you're not concerned about security. We would not have to argue so much about the effectiveness of something like vibe-coding if everyone could simply share process/tooling without tons of custom setup. And even if you're not worried about filesystem sandboxing and leaking secrets like ssh keys, even if versioning with git is enough of an undo button for you.. who wants to clutter their whole system with a ton of new language stacks and/or weird dependencies for every small experiment? Most experiments with the new hotness are going to fail, so we should expect to do a lot..

Containers do seem to work really well for agents. It lets them run in parallel! Giving them sudo also lets them do interesting things you wouldn’t want them doing on your desktop, eg. installing tools or debugging with tcpdump. (I am working on agent-in-a-container: sketch.dev)
From what I can gather, this is part of the idea/appeal behind something like https://phoenix.new/. The AI Agents have total control over the environment and can use all of the associated system tools as a result, without putting your own machine at risk. Once things are kinda working, you can pull it out and work locally.
This kind of behaviour is hilarious, either use the tools with their caveats, or actually make a stand by not using them.

60's movements would not be possible in current times.

And you don't need to stop there. Claude Code also has great open alternatives you can run in any environment you like, with any model, and under economic arrangements you define. See https://oss-ai-swe.org/ for a few. My current favs are OpenHands and Codex CLI.
I use DevPod [1] to run Claude Code within Docker-based dev container environments, and it's been fairly seamless. It lets me run environments locally and focus Claude's context on just the repo I want it to work on.

[1]: https://devpod.sh/

If you are using Claude Code on macOS running it in a devcontainer has a few upsides like fewer cli tool call failures, meaning less waiting time and less context window spam.

But there are some things you lose as well @ ergonomics:

- "done" notifications are not working by default (might be possible trigger and send to host using hooks feature)

- more difficult to give playwright a session (need to get cookies into playwright in the container)

- can't easily paste screenshots into the devcontainer (Claude Code has to take a screenshot or you have to put it into a mounted dir)

and of course the usual advantages of using containers still apply (dependency management, reproducibility and so on).

I still wonder though if nix would allow me to remove the container overhead (they do noticeably tax the macbook battery).

How can I preserve the local configuration files I have with this container? (the custom slash commands, config.json etc)
Another advantage of running claude inside a container is that you can use "--dangerously-skip-permissions" and let it do a thing in full autonomy for 2 hours. With a good prompt, abundant feedback like centralized logging and tests and a clear Claude.md, it can get pretty far on its own.
I have actually been working on something similar but instead of Docker, I am using Apple’s builtin container[1] support to run shell commands and code with real OS-level isolation. It’s fast (spawns in milliseconds) and integrates nicely with things like Claude Code and the Gemini CLI. I open sourced it as CodeRunner[2]. Would love to hear what people think or chat about how it compares.

1. Apple container: https://github.com/apple/container

2. CodeRunner: https://github.com/BandarLabs/coderunner

Caveat: You need M1/M2/M3/M4 mac for this to work. MacOS 26 is optional but recommended.

I'm ashamed I didn't think of it. Great article, thank you!

Also can we please differentiate vibe coding and prompt based development.

There is a difference between prompting "write me a website" and just using the LLM for typing faster than you do.

This is exactly why I’m using chatGPT codex over Claude Code (even though I suspect CC might be better). Each chat runs in its own cloud based container. There’s no risk of exposing secrets/deleting files/breaking environment. I can run 3 in parallel while I continue to code locally. It works in a branch and integrates via PR. It’s a great DevEx.

Someone please build a nice macOS app using hypervisor framework that lets me do this locally :)

This is my approach but it wasn’t all smooth especially with MCPs. And Docker wants you to install their Desktop software which is crap. I am not touching that thing. Yes, devcontainer extension is a thing but it’s a simple tool. We need something robust OOTB.
Honest question: why do people prefer developing code inside a docker? I get the benefits of docker as a deployment unit, but wouldn’t configuring a dev container and using it a hassle nonetheless, compared to not doing them at all?
I don't get these posts. I'm using claude --dangerously-skip-permissions all day and haven't had a single issue. In my experience it doesn't just randomly start erasing your hard drives. Also having a proper CLAUDE.md probably helps.
You ignore safety features unless you have already experienced disaster? Do you wear a seat belt? Run all commands as root?

The history of computing says that everything is a porous security boundary just waiting for a motivated individual to attack it. Defense in layers, especially in the wild west of AI where everybody is playing move fast and break things at breakneck speed.

Some people never create backups and they never had a problem either.
i don’t get the worry. i run these models all day without any sandbox and even leave them running while i walk away. i haven’t had a rm -rf kind of situation ever or even a hint of model going towards it. even gemini 2.5 at it’s lowest doesn’t do that.

has anyone faced this?

I thought it was more commonplace to develop inside containers or vms. I don’t trust running npm or pip or gradle or go install in my own machine.
I use VMs myself. I use Proxmox and have it setup so that I can spin up a fresh VM in around 10-20 seconds when needed. I also like that I can take snapshots.

I really want to limit the amount of software I am installing on my main system due to possible security issues.

I can highly recommend bubblewrap for sandboxing -- configuration is just CLI arguments, one per a mounted path; I use a little script that mounts CWD, claude stuff, and XDG data directories in RW, and the rest in RO.

To me it seems like the only reason to fiddle with docker is if your dev env is already in a container