Claude Code has a flag called --dangerously-skip-permissions that lets it work autonomously without asking for confirmation on every action. It is extremely productive for long tasks but running it on your host machine means any mistake happens directly on your system — a wrong file deletion, an unintended command, or a script that does more than expected.

claude-sandbox wraps your session in a Docker container. Same tools, same credentials, same workflow — but with the blast radius limited by Docker.

Install

git clone git@github.com:aeanez/claude-sandbox.git
cd claude-sandbox
make install
source ~/.bashrc   # or ~/.zshrc on macOS

The three commands

sandbox      # interactive shell inside the container at your current directory
yolo         # runs claude --dangerously-skip-permissions, resumes last session
yolonew      # same as yolo but always starts a fresh session

yolo is the main one. It drops you into Claude Code running autonomously inside a container where the only things at risk are the files in your current directory and the other explicitly mounted paths.

[!warning] This sandbox prioritizes convenience over isolation. It limits blast radius but is not a hard security boundary. SSH keys and Claude credentials are mounted (SSH read-only, Claude read-write). Do not use it for untrusted code — for that, the official Anthropic devcontainer with network isolation is the right tool.

What it shares with the host

Claude-sandbox selectively mounts things from your host so the session feels seamless:

  • SSH keys — read-only (git operations work normally)
  • Git config — read-only (commits use your identity)
  • AWS credentials — read-write (SSO token refresh works inside the container)
  • Claude session — read-write (continues the same Claude session as your host)
  • Current directory — read-write (your project files)

Everything else is an ephemeral tmpfs. Files written inside the container to $HOME paths not on this list disappear when the container exits.
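To make that sharing policy concrete, here is an added example (not the claude-sandbox launcher itself) that assembles the docker run arguments reproducing it: an ephemeral tmpfs over $HOME, read-only binds for SSH keys and git config, read-write binds for the AWS and Claude state, and the current directory as the workdir. The image name sandbox-image, --env-file as the mechanism for the per-project .sandbox.env, and the cap-drop/no-new-privileges flags are assumptions, not taken from the project.

```shell
#!/bin/sh
# Added example, not the claude-sandbox launcher: builds the docker run
# arguments that reproduce the host-sharing policy described on the page.
# Assumptions (not from the page): the image name "sandbox-image", --env-file
# as the way .sandbox.env is loaded, and the cap-drop/no-new-privileges flags.

# Print one docker argument per line. HOME_DIR and PROJECT_DIR are absolute
# paths; ENV_FILE may be empty. Returning text instead of running docker keeps
# the policy inspectable and testable on a machine without Docker installed.
sandbox_args() {
  home_dir="$1"; project_dir="$2"; env_file="$3"
  # Everything under $HOME starts as an ephemeral tmpfs; only the explicit
  # binds below punch through it, so stray writes vanish when the container exits.
  printf '%s\n' "--rm" "-it" "--tmpfs" "$home_dir"
  # Read-only: secrets the session needs to use but never to modify.
  printf '%s\n' "--mount" "type=bind,src=$home_dir/.ssh,dst=$home_dir/.ssh,readonly"
  printf '%s\n' "--mount" "type=bind,src=$home_dir/.gitconfig,dst=$home_dir/.gitconfig,readonly"
  # Read-write: state that must persist (SSO token refresh, session resume).
  printf '%s\n' "--mount" "type=bind,src=$home_dir/.aws,dst=$home_dir/.aws"
  printf '%s\n' "--mount" "type=bind,src=$home_dir/.claude,dst=$home_dir/.claude"
  # The project, mounted at its host path and used as the working directory.
  printf '%s\n' "--mount" "type=bind,src=$project_dir,dst=$project_dir" "-w" "$project_dir"
  # Cheap hardening for an unprivileged dev session (assumes the workflow
  # needs no Linux capabilities inside the container).
  printf '%s\n' "--cap-drop" "ALL" "--security-opt" "no-new-privileges"
  # Per-project variables, only when the project actually ships an env file.
  if [ -n "$env_file" ] && [ -f "$env_file" ]; then
    printf '%s\n' "--env-file" "$env_file"
  fi
}

# Launch the autonomous session. IFS is set to newline only so paths with
# spaces survive the word splitting of $(...); set -f stops glob expansion.
run_yolo() {
  IFS='
'
  set -f
  # shellcheck disable=SC2046
  exec docker run $(sandbox_args "$HOME" "$PWD" "$PWD/.sandbox.env") \
    sandbox-image claude --dangerously-skip-permissions "$@"
}
```

Running sandbox_args on its own prints the argument list, which is a quick way to audit exactly which host paths a session can write to before launching it.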

[!note] On Linux and WSL2 the startup is instant — host binaries are mounted directly into the container, no image to build. On macOS a Docker image is built once during install, then cached.

Diffchestrator integration

If you use Diffchestrator, the Alt+D, Y shortcut launches a yolo session for the currently selected repo. Alt+D, Alt+Y launches yolonew. No need to switch to a terminal.

You can also configure per-project environment variables by creating a .sandbox.env file in your project directory — it is loaded automatically when you launch from that directory.

Get it: github.com/aeanez/claude-sandbox — Linux, WSL2, and macOS.