Why Sandbox Claude Code
AI coding assistants like Claude Code execute real commands on real systems. This guide explains why sandboxing matters and when it’s essential.
The Reality of AI Code Execution
Claude Code is powerful because it can:
- Read and write files in your project
- Execute shell commands
- Run git operations
- Install dependencies
- Make API calls
This power comes with responsibility. While Claude Code is designed to be helpful and careful, any system that executes commands can cause unintended effects.
Risks Without Sandboxing
Filesystem Access
Without isolation, Claude Code can access any file your user account can access:
| Accessible | Risk |
|---|---|
| `~/.ssh/` | SSH keys for servers and services |
| `~/.aws/` | AWS credentials |
| `~/.config/` | Application configurations |
| Other projects | Cross-project contamination |
With SCC, Claude Code only sees the workspace you explicitly mount.
Git History Damage
AI coding sessions involve experimentation. Without guardrails:
| Command | Impact |
|---|---|
| `git push --force` | Overwrites remote history, affects entire team |
| `git reset --hard` | Discards uncommitted work |
| `git branch -D` | Force-deletes branches without merge check |
| `git clean -fd` | Deletes untracked files permanently |
SCC’s Safety Net plugin blocks these commands by default.
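A minimal check for the four commands in the table above, added here as an example; it is not SCC's Safety Net implementation, and `destructive_reason`, `flags` and `VALUE_OPTS` are hypothetical names. It assumes each string is a single git invocation rather than a compound shell line.

```python
import shlex

# Global git options whose value is the next token, e.g. `git -C repo push`.
VALUE_OPTS = {"-C", "-c", "--git-dir", "--work-tree", "--namespace"}

def flags(args):
    """Return (long options, short option letters) seen before a bare `--`."""
    longs, shorts = set(), set()
    for a in args:
        if a == "--":
            break
        if a.startswith("--"):
            longs.add(a.split("=", 1)[0])
        elif a.startswith("-") and len(a) > 1:
            shorts.update(a[1:])  # expands bundles such as -fd
    return longs, shorts

def destructive_reason(command):
    """Return why a git command is destructive, or None if it is allowed."""
    try:
        tokens = shlex.split(command)
    except ValueError:
        return "unparseable command line"  # fail closed on bad quoting
    if not tokens or tokens[0] != "git":
        return None
    i = 1
    while i < len(tokens) and tokens[i].startswith("-"):  # skip global options
        i += 2 if tokens[i] in VALUE_OPTS else 1
    if i >= len(tokens):
        return None
    sub = tokens[i]
    longs, shorts = flags(tokens[i + 1:])
    force = "--force" in longs or "f" in shorts  # --force-with-lease is not in the table
    if sub == "push" and force:
        return "push --force overwrites remote history"
    if sub == "reset" and "--hard" in longs:
        return "reset --hard discards uncommitted work"
    if sub == "branch" and "D" in shorts:
        return "branch -D deletes a branch without a merge check"
    if sub == "clean" and force and "n" not in shorts and "--dry-run" not in longs:
        return "clean -f deletes untracked files permanently"
    return None

if __name__ == "__main__":
    # Constructed sample commands, not taken from a real session.
    for cmd in ["git -C repo push -f origin main", "git clean -nfd", "git branch -d old"]:
        print(f"{cmd!r}: {destructive_reason(cmd) or 'allowed'}")
```

Matching on parsed tokens rather than substrings lets `git commit -m 'push --force'` through while still catching `git -C repo push -f`.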
Configuration Drift
When each developer configures Claude Code independently:
- Plugins vary across the team
- Settings differ between machines
- Behavior is inconsistent and hard to debug
SCC provides team profiles that ensure consistent configuration.
How Sandboxing Helps
Docker Isolation
SCC runs Claude Code inside Docker containers:
```
┌─────────────────────────────────┐
│  Host System                    │
│  ~/.ssh  ~/.aws  ~/other-work   │
│           ▲                     │
│           │ (blocked)           │
│  ┌────────┴────────────────┐    │
│  │  Docker Container       │    │
│  │  /workspace (mounted)   │    │
│  │  Claude Code runs here  │    │
│  └─────────────────────────┘    │
└─────────────────────────────────┘
```
Claude Code can only access /workspace—your mounted project directory.
Controlled Environment
SCC provides layers of control:
- What files: Only mounted paths are visible
- What plugins: Only org-approved plugins run
- What git ops: Safety Net filters dangerous commands
- What network: Network policies control outbound access
Blast Radius Reduction
If something goes wrong, damage is contained:
| Without Sandbox | With SCC |
|---|---|
| Could affect entire system | Limited to mounted workspace |
| Could damage git history | Safety Net blocks destructive commands |
| Could install anything | Only approved plugins |
| Inconsistent recovery | Worktrees provide clean rollback |
When Sandboxing Is Essential
Enterprise Environments
- Multiple teams sharing AI tools
- Compliance requirements
- Need for audit trails
- Consistent security posture
Sensitive Codebases
- Financial or healthcare systems
- Code with embedded secrets
- Production infrastructure
Team Adoption
- Onboarding new developers
- Standardizing AI tool usage
- Reducing support burden from inconsistent setups
When Sandboxing May Be Optional
Solo Development
Individual developers with:
- Full system backups
- Git remotes as backup
- Understanding of risks
Quick Experiments
One-off tests where:
- No sensitive data involved
- Results are disposable
- Speed matters more than safety
Getting Started with Sandboxing
```bash
# Install SCC
uv tool install scc-cli

# Configure (one time)
scc setup

# Run sandboxed
scc start ~/your-project
```