Sandbox AI Coding Agents with SCC CLI
AI coding agents like Claude Code and Codex execute real commands on real systems. SCC provides a governed sandbox that limits blast radius while letting them work normally.
Why sandbox an AI coding agent?
AI coding agents are powerful because they can read/write files, execute shell commands, run git operations, and make API calls. This power means mistakes can have real consequences.
Without sandboxing:
- The agent can access any file your user account can access (`~/.ssh`, `~/.aws`, other projects)
- Destructive git commands (`push --force`, `reset --hard`) can damage team history
- Configuration varies per developer, leading to inconsistent behavior
- No audit trail for what the agent did or which plugins it used
With SCC:
- Container isolation — the agent only sees the workspace you mount
- Built-in safety engine — blocks destructive git commands and intercepts network tools (fail-closed)
- Team profiles — consistent configuration distributed from a central org config
- Provider choice — use Claude Code, Codex, or both, governed by team policy
How SCC sandboxes agents
```bash
scc setup   # Configure org, connect providers
scc start   # Launch in a sandboxed container
```

SCC creates an OCI container, mounts your workspace, applies team configuration, and starts your chosen agent inside the sandbox. The agent works normally — SCC controls the environment it runs in.
What you can control
| Surface | Control |
|---|---|
| File access | Only the mounted workspace is visible to the agent |
| Network egress | open (unrestricted), web-egress-enforced (topology-enforced proxy), or locked-down-web (no network) |
| Git commands | Built-in safety engine blocks destructive operations by default |
| Plugins | Only org-approved plugins are allowed; security blocks are absolute |
| Provider | Choose Claude Code or Codex per session; governed by team policy |
| Team config | Consistent defaults applied automatically across all developers |
Network enforcement
When network_policy is set to web-egress-enforced, SCC creates an internal-only Docker network. The agent container can only reach the internet through a Squid proxy sidecar that enforces an ACL. This is real network topology enforcement — even if the agent ignores proxy environment variables, it physically cannot bypass the proxy.
That distinction matters because “runs in a container” is not the same thing as “cannot reach the network.” SCC treats those as separate controls.
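One way to audit that topology from the host, as an added example (not SCC's own code): the check below reads `docker network inspect` output and reports whether the agent container sits only on internal networks while the proxy shares one of them and also has a routable network. The network names, container names and sample JSON are constructed assumptions; SCC's actual names may differ.

```python
import json

# Constructed sample shaped like `docker network inspect <net>...` output
# (real fields: Name, Internal, Containers). Network and container names are
# hypothetical, not SCC's actual naming.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "agent-internal", "Internal": true,
   "Containers": {"a1": {"Name": "agent"}, "p1": {"Name": "egress-proxy"}}},
  {"Name": "proxy-external", "Internal": false,
   "Containers": {"p1": {"Name": "egress-proxy"}}}
]
""")

def networks_by_container(networks):
    """Map container name -> list of (network name, is_internal)."""
    attached = {}
    for net in networks:
        for info in (net.get("Containers") or {}).values():
            attached.setdefault(info["Name"], []).append(
                (net["Name"], bool(net.get("Internal", False))))
    return attached

def audit_topology(networks, agent, proxy):
    """Return findings; an empty list means egress is topology-enforced."""
    attached = networks_by_container(networks)
    findings = []
    agent_nets = attached.get(agent, [])
    proxy_nets = attached.get(proxy, [])
    if not agent_nets:
        findings.append(f"{agent}: not attached to any inspected network")
    # Any non-internal attachment gives the agent a route around the proxy.
    for name, internal in agent_nets:
        if not internal:
            findings.append(f"{agent}: attached to routable network {name}")
    # The proxy must be reachable from the agent's side...
    shared = {n for n, _ in agent_nets} & {n for n, _ in proxy_nets}
    if not shared:
        findings.append(f"{agent} and {proxy} share no network")
    # ...and must itself have a routable leg to forward allowed traffic.
    if not any(not internal for _, internal in proxy_nets):
        findings.append(f"{proxy}: no routable network, cannot forward egress")
    return findings

if __name__ == "__main__":
    for line in audit_topology(SAMPLE_INSPECT, "agent", "egress-proxy") or ["OK"]:
        print(line)
```

Feed it the parsed JSON from `docker network inspect` for every network on the host; the `Containers` field lists only connected running containers, so run the check while the session is up.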
Why provider choice matters
SCC is not just about sandboxing one agent. It lets organizations allow Claude, Codex, or both under the same governance model.
- Teams can standardize on the provider that fits their workflow
- Developers can switch providers per session when policy allows it
- Setup, safety policy, network controls, and audit surfaces stay consistent
What is SCC CLI?
SCC CLI is a governed runtime for AI coding agents. It runs Claude Code and Codex inside container sandboxes with team-managed profiles, a built-in safety engine, and network egress control.
Can I sandbox AI coding agents without Docker?
SCC uses OCI containers for isolation. Any Docker-compatible runtime works: Docker Engine, OrbStack, Colima, or Docker Desktop. Podman support is planned but not yet fully validated.
Does SCC replace Claude Code or Codex?
No. SCC wraps your chosen agent in a governed sandbox. The agent runs normally inside the container — SCC adds isolation, safety, and team configuration on top.