What is the worst a sandbox can do? Although the specifics of the sandbox technology affect the level of isolation, a sufficiently sandboxed Claude Code can make a sandboxed Claude Code look like a separate host. What network access am I allowing Claude Code to have?
What actions can Claude Code perform with this network access and the data it has? For example, almost all Claude Code instances have access to Anthropic API keys to be able to interact with the Anthropic API. Claude Code has access to all environment variables present in your terminal session (which are propagated to the Claude Code sandbox), and Claude Code has access to read the files from the directory where you run claude. Unfortunately, a lot of software requires secrets. For example, development on third-party integrations requires using secrets. This makes having separate development, staging, and production integration credentials especially valuable, but even development integration credentials are not designed to be publicly accessible: otherwise, they wouldn’t be credentials! What data am I providing to Claude Code?
What secrets or environment variables will Claude Code have access to?
Are the files (including the source code) I’m providing to Claude Code open-source or public? Consider the precedence of dotenv files to manage secrets on your local repo. Making sure that these .env files are properly .gitignored and .dockerignored is no longer sufficient: leaving these .env files in a folder where you are running claude gives Claude Code access to these secrets. You could also write your own sandbox using gVisor or Firecracker VMs! The themes around network isolation and proxies should transfer.
Unpacking the devcontainer firewall The provided devcontainer template has an init-firewall.sh script that applies a firewall to the devcontainer running Claude Code. This firewall permits network connections to the following hosts by default: registry.npmjs.org: allow installing npm packages
api.anthropic.com: interact with Anthropic’s API
sentry.io: a logging and error observability product that Anthropic is using
statsig.anthropic.com/statsig.com: a feature flagging product that Anthropic is using
marketplace.visualstudio.com: enable installing VSCode extensions
vscode.blob.core.windows.net/update.code.visualstudio.com: a blob store used by VSCode
... continue reading