Claude in a Devcontainer: God Mode On, Babysitter Gone, Codebase Still Intact
Full access. No supervision. No guardrails. The container is doing all the work.

TL;DR
We wanted Claude to work autonomously without asking permission for every little thing. We also didn't want it touching our SSH keys, our credentials, or anything outside the codebase. Turns out those two things are not in conflict. You just need a box.
The Problem Nobody Talks About
Running Claude with full permissions on your actual machine means it can see everything. Your .env files. Your AWS credentials. Your very embarrassing git history.
So by default, Claude asks you to approve every single action. Every file write. Every bash command. You're just sitting there clicking "allow" like you're accepting cookies for a robot.

There's a way out of this loop. But the name of the exit is not encouraging.
The Flag
--dangerously-skip-permissions
We read that and immediately closed the terminal.

Here's what the docs actually say:
"The container's enhanced security measures allow you to run claude --dangerously-skip-permissions to bypass permission prompts for unattended operation."
Anthropic didn't build that flag for chaos. They built it for containers. The container is the responsible choice. The flag is just what you run inside it.
What the Box Actually Does
The official devcontainer ships with three things that matter:
Filesystem isolation — Claude can only touch what you mount in. Your host machine is invisible.
Network firewall — outbound connections are allowlisted. npm, GitHub, Claude API. Everything else is blocked.
Pre-installed everything — tooling, plugins, MCP servers, org config — all baked in.
+------------------------------------------+
|               devcontainer               |
|                                          |
|  Claude (--dangerously-skip-perms)       |
|  + your code                             |
|  + pre-installed tools + org plugins     |
|                                          |
|  firewall: npm, GitHub, Claude API only  |
+------------------+-----------------------+
                   |
             cannot reach
                   |
         +---------v-----------------+
         |       host machine        |
         |  - SSH keys               |
         |  - credentials            |
         |  - .env files             |
         |  - real filesystem        |
         +---------------------------+
Claude goes wild inside the box. Nothing outside the box moves. That's the whole trick.
The Distribution Win
Before: install the right Node version, configure the tooling, read the onboarding doc that's three months out of date, give up and ask a senior.
After: open the repo in VS Code, click "Reopen in Container", done.
Everyone gets the exact same environment. Same Claude version, same plugins, same MCP servers. Day one. No setup. No "works on my machine."
The Headless Angle
Once you're in a container, you can go further:
claude -p "Review this PR and summarise issues" --output-format json
Non-interactive. No prompts. No babysitter required.
Container + no permission prompts + headless mode = an agent running unattended, doing real work, and completely unable to escape the box.
Teams are already doing this in CI — automated PR reviews, test generation, doc updates. Docker built a whole product around it. Trail of Bits ships it as their default security audit environment.

We're getting there. The container is ready. The pipeline is next.
What We Learned
The container isn't the limitation. It's what makes full autonomy safe.
Pass the API key as an env var. Do not attempt browser OAuth inside a container. You will regret it.
Network allowlists are aggressive by default. Too tight and Claude can't reach its own API. Start open, tighten later.
The VS Code devcontainer extension makes team distribution stupidly simple. Use it.
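An added example (not from the original post or from Anthropic's devcontainer): a small audit of a parsed devcontainer.json for settings that would undo the filesystem isolation described under "What the Box Actually Does", or that would commit the API key to the repo instead of passing it as an env var. The function names and the WEAK and HARDENED configs are constructed for illustration.

```python
import re

# Host secrets named in the post, plus the Docker socket (control of the host's daemon).
SENSITIVE = {".ssh", ".aws", ".env", ".gnupg", "docker.sock"}
HOME_ONLY = re.compile(r"(\$\{localEnv:(HOME|USERPROFILE)\}|~)[/\\]?")

def mount_source(mount):
    """Host side of a mount given as a 'k=v,...' string or as an object."""
    if isinstance(mount, dict):
        return mount.get("source", "")
    fields = dict(p.split("=", 1) for p in mount.split(",") if "=" in p)
    return fields.get("source") or fields.get("src", "")

def audit(config):
    """Return findings for a parsed devcontainer.json (a dict)."""
    findings = []
    sources = [mount_source(m) for m in config.get("mounts", [])]
    if "workspaceMount" in config:
        sources.append(mount_source(config["workspaceMount"]))
    for src in sources:
        # Flag secret files/directories and a mount of the whole home directory.
        if SENSITIVE & set(re.split(r"[/\\]", src)) or HOME_ONLY.fullmatch(src):
            findings.append(f"mount exposes host secrets: {src}")
    # Accept both the "--network=host" and the "--network", "host" spelling.
    tokens = " ".join(config.get("runArgs", [])).replace("=", " ").split()
    for tok, nxt in zip(tokens, tokens[1:] + [""]):
        host_ns = tok in ("--network", "--net", "--pid") and nxt == "host"
        if tok == "--privileged" or host_ns:
            findings.append(f"runArgs weaken isolation: {tok}" + ("=host" if host_ns else ""))
    for block in ("containerEnv", "remoteEnv"):
        for name, value in config.get(block, {}).items():
            # A literal secret here lands in git; ${localEnv:...} is read from the host.
            if re.search(r"KEY|TOKEN|SECRET", name, re.I) and "${localEnv:" not in str(value):
                findings.append(f"{block}.{name} is hardcoded")
    return findings

# Constructed sample configs (not taken from the post or any real project).
WEAK = {
    "mounts": ["source=${localEnv:HOME}/.ssh,target=/home/node/.ssh,type=bind",
               {"source": "/var/run/docker.sock", "target": "/var/run/docker.sock"}],
    "runArgs": ["--network", "host"],
    "containerEnv": {"ANTHROPIC_API_KEY": "sk-ant-CONSTRUCTED-PLACEHOLDER"},
}
HARDENED = {
    "workspaceMount": "source=${localWorkspaceFolder},target=/workspace,type=bind",
    "containerEnv": {"ANTHROPIC_API_KEY": "${localEnv:ANTHROPIC_API_KEY}"},
}
if __name__ == "__main__":
    print("\n".join(audit(WEAK)))
```

devcontainer.json permits comments, so a real file needs a comment-tolerant JSON parser before its contents are passed to audit().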
What's Next
Headless CI: automated PR reviews running in containers, no human in the loop
Per-project container profiles with different tool stacks
Full audit logs piped out of the container
We spent weeks worrying about what Claude might do with full access.
Then we gave it full access. Inside a box.
The box is the trick.
Running Claude headlessly in CI? Found a way to break the container? Drop it below.



