Security: AutumnsGrove/ClaudeCodeContainer

docs/SECURITY.md

Security Overview

🔒 Security Features

This Claude Code Container implementation prioritizes security through multiple layers of isolation and access control.

File System Isolation

What's Protected:

  • Your home directory remains untouched
  • System files are completely isolated
  • Claude Code can only access designated workspace folders

Access Boundaries:

Container Access:
✅ /workspace/Projects
✅ /workspace/Documentation
✅ /workspace/Research
✅ /workspace/shared (bidirectional)
✅ /workspace/imports (read)
✅ /workspace/exports (write)

❌ Your home directory
❌ System directories
❌ Other applications' data
❌ Network shares (unless explicitly mounted)

Container Security Settings

Docker Implementation:

  • Runs with no-new-privileges flag
  • Drops all Linux capabilities except essential ones
  • Memory limited to 8GB (configurable)
  • CPU limited to 4 cores (configurable)
  • Non-root user by default

Apple Virtualization Framework:

  • Full VM isolation
  • Separate kernel space
  • VirtioFS for controlled file sharing
  • Network isolation with NAT

Network Security

Default Configuration:

  • Isolated network bridge (172.28.0.0/24)
  • Internet access for package installation and Claude API
  • No incoming connections allowed
  • No access to local network services

What Claude Code Can Access:

  • ✅ Internet (for API calls and package downloads)
  • ✅ DNS resolution
  • ❌ Local network devices
  • ❌ Host machine services
  • ❌ Other containers

Data Persistence & Cleanup

Persistence Model:

  • Work persists in ~/ClaudeCodeWorkspace
  • Container can be destroyed without losing data
  • Volumes are named and managed separately
  • Easy backup with single command

Clean Deletion:

# Remove container only (keeps data)
./manage.sh reset

# Remove container and images (keeps data)
./manage.sh clean

# Remove everything including data (requires confirmation)
./manage.sh destroy

πŸ›‘οΈ Best Practices

1. Regular Backups

# Create timestamped backup
./manage.sh backup
# Creates: ~/claude-workspace-YYYYMMDD-HHMMSS.tar.gz

2. Project Isolation

Keep different projects in separate folders:

/workspace/Projects/
├── client-work/      # Sensitive client data
├── personal/         # Personal projects
└── experiments/      # Testing and experiments

3. Sensitive Data Handling

  • Never put credentials in /workspace/shared
  • Use environment variables for API keys
  • Keep secrets in .env files (git-ignored)
  • Use the imports folder for one-time sensitive file transfers

4. Git Security

Inside the container:

# Use SSH keys for git
ssh-keygen -t ed25519 -C "container@claude-code"

# Configure git with container-specific identity
git config --global user.email "dev@container.local"
git config --global user.name "Claude Container Dev"

5. Network Services

If you need to expose services:

# In docker-compose.yml, explicitly map ports:
ports:
  - "127.0.0.1:8080:8080"  # Local only
  # NOT: "8080:8080"       # This would expose to network
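The settings listed under Container Security Settings and the loopback-only port mapping above can be checked mechanically before a compose file is used. The script below is an added example, not code from the ClaudeCodeContainer project: it audits a docker-compose.yml for a port mapping exposed on all interfaces, a missing no-new-privileges option, a cap_drop list without ALL, privileged: true, and a missing memory limit. It uses only POSIX sh, grep and awk, so the YAML handling is line-based and assumes the usual one-key-per-line layout of compose files; the two sample compose files it writes are constructed for the demonstration and are not the project's real file.

```shell
#!/bin/sh
# Added example (not the project's code): audit a docker-compose.yml for the
# hardening settings described in docs/SECURITY.md. Line-based YAML handling.

# has_cap_drop_all FILE -> exit 0 when a cap_drop list contains ALL
has_cap_drop_all() {
    awk '
        /^[ \t]*cap_drop:/                  { in_list = 1; next }
        in_list && /^[ \t]*-[ \t]*"?ALL"?/  { found = 1 }
        in_list && /^[ \t]*-/               { next }
        { in_list = 0 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# check_compose FILE -> prints one finding per line; prints nothing when clean
check_compose() {
    f="$1"
    # "8080:8080" or "0.0.0.0:8080:8080" binds on every host interface;
    # the document recommends "127.0.0.1:8080:8080" instead.
    if grep -Eq '^[[:space:]]*-[[:space:]]*"?(0\.0\.0\.0:)?[0-9]+:[0-9]+' "$f"; then
        echo "port mapping exposed on all interfaces (bind to 127.0.0.1)"
    fi
    if ! grep -q 'no-new-privileges' "$f"; then
        echo "security_opt no-new-privileges is missing"
    fi
    if ! has_cap_drop_all "$f"; then
        echo "cap_drop: [ALL] is missing"
    fi
    if grep -Eq '^[[:space:]]*privileged:[[:space:]]*true' "$f"; then
        echo "privileged: true gives the container full host access"
    fi
    if ! grep -Eq '^[[:space:]]*(mem_limit|memory):' "$f"; then
        echo "no memory limit (mem_limit or deploy.resources.limits.memory)"
    fi
}

# finding_count FILE -> number of findings, always exits 0
finding_count() {
    check_compose "$1" | grep -c . || true
}

# write_sample_compose weak|hardened PATH -> constructed sample files used to
# exercise the checks; they are not the project's real compose file
write_sample_compose() {
    case "$1" in
        weak) cat >"$2" <<'EOF'
services:
  claude:
    image: claude-code-container:latest
    privileged: true
    ports:
      - "8080:8080"
EOF
        ;;
        hardened) cat >"$2" <<'EOF'
services:
  claude:
    image: claude-code-container:latest
    user: "1000:1000"
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    mem_limit: 8g
    cpus: 4
    ports:
      - "127.0.0.1:8080:8080"
EOF
        ;;
    esac
}

# Usage: sh compose-audit.sh docker-compose.yml
if [ $# -gt 0 ]; then
    check_compose "$1"
fi
```

The weak sample produces five findings and the hardened sample none; a non-empty output is a reason to stop and fix the file before `./setup.sh` brings the container up.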

πŸ” Audit Trail

Container Logs

# View container activity
./manage.sh logs

# Docker logs location
docker inspect claude-code-env | grep LogPath

File System Changes

# Inside container - see what's changed
find /workspace -type f -mtime -1  # Files modified in last day
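The find command above relies on modification times, which any process running inside the container can rewrite with touch. A content-based check is more reliable: record a manifest of SHA-256 digests before a session and diff a fresh manifest against it afterwards. The script below is an added example, not code from the project; it assumes sha256sum (GNU coreutils) or shasum (BSD/macOS) is available, and it does not handle paths containing newline characters, an accepted limit of the line-based manifest.

```shell
#!/bin/sh
# Added example (not the project's code): manifest-based change detection for
# /workspace, as an alternative to trusting mtime.

# digest FILE -> hex SHA-256 (GNU coreutils sha256sum or BSD shasum)
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# snapshot DIR -> manifest on stdout, one "digest<TAB>relative-path" per line
snapshot() {
    (
        cd "$1" || exit 1
        find . -type f -print | LC_ALL=C sort | while IFS= read -r p; do
            printf '%s\t%s\n' "$(digest "$p")" "${p#./}"
        done
    )
}

# compare_manifests BASELINE CURRENT -> sorted "added|modified|deleted<TAB>path"
# lines. Each manifest is tagged before merging so the two arguments may even
# be the same file and an empty baseline is handled correctly.
compare_manifests() {
    {
        awk '{ print "base\t" $0 }' "$1"
        awk '{ print "cur\t" $0 }' "$2"
    } | awk -F'\t' '
        $1 == "base" { base[$3] = $2; next }
        { cur[$3] = $2 }
        END {
            for (p in cur) {
                if (!(p in base))           print "added\t" p
                else if (base[p] != cur[p]) print "modified\t" p
            }
            for (p in base) if (!(p in cur)) print "deleted\t" p
        }
    ' | LC_ALL=C sort
}

# Usage: sh fs-audit.sh snapshot /workspace > baseline.tsv   (before a session)
#        sh fs-audit.sh snapshot /workspace > after.tsv      (after it)
#        sh fs-audit.sh compare baseline.tsv after.tsv
case "${1:-}" in
    snapshot) snapshot "$2" ;;
    compare)  compare_manifests "$2" "$3" ;;
esac
```

Keep the baseline manifest outside /workspace (for example next to the backup archives on the host), otherwise a process in the container could rewrite it along with the files it describes.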

Resource Usage

# Monitor container resources
docker stats claude-code-env

⚠️ Security Considerations

What This DOESN'T Protect Against:

  1. Malicious code execution - If you run malicious code inside the container, it can still:
     • Delete files in /workspace
     • Make network requests
     • Consume resources

  2. Supply chain attacks - Packages installed via pip/npm are not vetted

  3. Data exfiltration - The container has internet access for the Claude API

Recommended Mitigations:

For Highly Sensitive Work:

  1. Disable network access entirely (this also blocks the Claude API, so the container is then limited to offline tooling):

     # In docker-compose.yml
     network_mode: none

  2. Use read-only mounts for sensitive data:

     volumes:
       - ./sensitive-data:/workspace/data:ro

  3. Run periodic security scans:

     # Scan for vulnerabilities
     docker scan claude-code-container:latest
     # docker scan has been retired from current Docker releases;
     # docker scout cves <image> is its replacement

🚨 Incident Response

If Something Goes Wrong:

  1. Immediately stop the container:

     ./manage.sh stop

  2. Backup current state for investigation:

     ./manage.sh backup
     mv ~/claude-workspace-*.tar.gz ~/incident-backup.tar.gz

  3. Check logs:

     ./manage.sh logs > incident-logs.txt

  4. Reset environment:

     ./manage.sh clean
     ./setup.sh

📋 Security Checklist

Before starting work:

  • Workspace directory has correct permissions (755)
  • No sensitive files in shared folders
  • Git configured with container-specific identity
  • Recent backup exists

During work:

  • Only install trusted packages
  • Review code before execution
  • Keep sensitive data in appropriate folders
  • Use imports/exports for controlled file transfer

After work:

  • Export important files
  • Commit and push code changes
  • Stop container when not in use
  • Backup if significant changes made
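The "Before starting work" items can be turned into a pre-flight script that runs on the host. The one below is an added example, not code from the project: it checks the workspace root for mode 755, looks in the shared folder for credential-like file names and for contents resembling a private key or a dotenv secret line, and confirms that a backup archive with the manage.sh naming scheme exists from the last seven days. The file-name list and the dotenv key pattern are my own choice of common conventions, not a list the project ships; the backup age of seven days is likewise an assumption.

```shell
#!/bin/sh
# Added example (not the project's code): pre-flight check for the
# "Before starting work" items in docs/SECURITY.md.

# preflight WORKSPACE BACKUP_DIR -> one problem per line; nothing when clean
preflight() {
    ws="$1"
    bdir="$2"

    # 1. The checklist expects mode 755 on the workspace root
    #    (GNU stat first, BSD/macOS stat as fallback).
    mode=$(stat -c '%a' "$ws" 2>/dev/null || stat -f '%Lp' "$ws")
    if [ "$mode" != "755" ]; then
        echo "workspace mode is $mode, expected 755"
    fi

    # 2. No credential-like file names in the bidirectional shared folder
    #    (constructed list of common names; extend to taste).
    if [ -d "$ws/shared" ]; then
        find "$ws/shared" -type f \( -name '.env' -o -name '.env.*' \
            -o -name '*.pem' -o -name '*.key' -o -name 'id_rsa' -o -name 'id_ed25519' \) \
            | sed 's|^|credential-like file in shared: |'
        # 3. Nor contents that look like a private key or a dotenv secret line
        grep -rlE -- '-----BEGIN [A-Z ]*PRIVATE KEY-----|^[A-Z_]*(SECRET|TOKEN|PASSWORD|API_KEY)[A-Z_]*=' \
            "$ws/shared" 2>/dev/null | sed 's|^|secret-looking content in shared: |'
    fi

    # 4. A backup from the last 7 days exists (manage.sh backup naming)
    if [ -z "$(find "$bdir" -maxdepth 1 -name 'claude-workspace-*.tar.gz' -mtime -7 2>/dev/null)" ]; then
        echo "no backup newer than 7 days in $bdir"
    fi
}

# Usage: sh preflight.sh ~/ClaudeCodeWorkspace ~        (backups land in $HOME)
if [ $# -ge 1 ]; then
    preflight "$1" "${2:-$HOME}"
fi
```

Run it before `./setup.sh` or `./manage.sh start`; an empty output means the four checklist items hold. The content check is deliberately narrow (private-key headers and KEY=value lines with secret-like names) so that it stays quiet on ordinary project files.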

πŸ” Advanced Security Options

Enable SELinux (Linux hosts)

# Add to docker run command
--security-opt label=level:s0:c100,c200

Use secrets management

# Create secret (Docker secrets created this way require Swarm mode:
# run `docker swarm init` first; they are consumed by services, not by plain docker run)
echo "my-api-key" | docker secret create claude_api_key -

# Use in container
docker service create --secret claude_api_key ...

Network policies

# Custom bridge network for the container. aux_addresses reserves
# 172.28.0.253 for a DNS server you run on the bridge; on its own it does
# not change which resolver the container uses (point the service at it
# with the service-level dns: option)
networks:
  claude-net:
    driver: bridge
    driver_opts:
      com.docker.network.bridge.name: claude0
    ipam:
      config:
        - subnet: 172.28.0.0/24
          aux_addresses:
            dns: 172.28.0.253

Security is a shared responsibility. This container provides isolation and controls, but secure usage depends on following best practices and being mindful of what code you run and what data you expose.