feat: add container isolation example with guard hook#30692
Open
zeitlinger wants to merge 7 commits intoanthropics:mainfrom
Open
feat: add container isolation example with guard hook#30692zeitlinger wants to merge 7 commits intoanthropics:mainfrom
zeitlinger wants to merge 7 commits intoanthropics:mainfrom
Conversation
Add examples/container/ with a complete setup for running Claude Code inside a Podman/Docker container instead of the built-in sandbox. Includes: - guard-destructive-git: PreToolUse hook that catches force push, hard reset, branch -D, rm -rf, and PR merges (works standalone, no container needed) - Dockerfile: minimal Ubuntu 24.04 base with build tools - claude-wrapper.sh: wrapper that launches Claude in a rootless Podman container with security hardening (cap-drop=ALL, no-new-privileges, read-only settings overlay) - settings.container.json: template with guard hook pre-wired - container-rules.md: context rules injected so Claude knows it's running in a container Signed-off-by: Gregor Zeitlinger <gregor.zeitlinger@grafana.com>
- guard-destructive-git: add set -euo pipefail, fail closed with ask decision when jq is missing or JSON parse fails - claude-wrapper.sh: error out early if only Docker is found (uses Podman-specific --userns=keep-id and --passwd-entry flags) Signed-off-by: Gregor Zeitlinger <gregor.zeitlinger@grafana.com>
The wrapper uses --userns=keep-id and --passwd-entry which are Podman-specific. Update prerequisites and Docker notes to match. Signed-off-by: Gregor Zeitlinger <gregor.zeitlinger@grafana.com>
Add best-effort auto-detection for Go, Node.js, Python, Java, Rust, make, and cmake. Each detected toolchain gets its binary and associated directories mounted, plus relevant environment variables (GOROOT, GOPATH, JAVA_HOME). Missing tools are silently skipped. Signed-off-by: Gregor Zeitlinger <gregor.zeitlinger@grafana.com>
Address common objections: why not sandbox, why not permissions, why Podman over Docker, and whether the container replaces permissions. Signed-off-by: Gregor Zeitlinger <gregor.zeitlinger@grafana.com>
Rewrite sandbox FAQ to mention the real issue: shell expansion, pipes, and compound commands triggering constant prompts. Add explicit FAQ entry about outgoing network access not being restricted. Signed-off-by: Gregor Zeitlinger <gregor.zeitlinger@grafana.com>
Name the specific risk (API key, GH token, SSH agent) and note that it's acceptable for most users since these are already host-exposed. Signed-off-by: Gregor Zeitlinger <gregor.zeitlinger@grafana.com>
This was referenced Mar 5, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds
examples/container/with a complete setup for running Claude Code inside a Podman/Docker container instead of the built-in sandbox.guard-destructive-git— PreToolUse hook that catches force push, hard reset, branch -D, rm -rf, and PR merges. Works standalone without a container — useful on its own as a safety net.Dockerfile— Minimal Ubuntu 24.04 base with git and build tools. Host binaries (claude, gh) mounted at runtime.claude-wrapper.sh— Wrapper script that launches Claude in a rootless Podman container with--cap-drop=ALL,--security-opt=no-new-privileges, read-only settings overlay, andsettings.local.jsonblocked via/dev/null.settings.container.json— Template container settings with guard hook pre-wired.container-rules.md— Context rules injected so Claude knows it's in a container.README.md— Quick start (guard-only and full container), security model, customization, tool manager integration tips.Test plan
~/.claude/docker/and~/.claude/bin/, runclaude— verify container startsecho '{"tool_input":{"command":"git push --force"}}' | ./guard-destructive-gitreturns"permissionDecision": "ask"settings.jsonshows container settings,settings.local.jsonis empty--cap-drop=ALLand--security-opt=no-new-privilegesare applied (inspect withpodman inspect)