Isolating Claude in Docker


I created claude-container to isolate Claude Code in Docker for security reasons. LLM security is a real problem and Docker isolation can significantly reduce the blast radius if something goes wrong.

Motivation

The risks are real:

  • Prompt injections can trick Claude (and other LLMs) into ignoring their instructions or revealing system information. If Claude runs with access to your secrets or code, an injected prompt could leak or modify them.
  • Dependency compromises are increasingly common. In recent years a slew of dependencies have been found compromised with malicious code. This is not a problem specific to AI tools like Claude, but such tools pull in and run a lot of third-party code, which significantly increases the available attack surface.

The Docker Solution

Docker isolates Claude in a container with:

  • Limited filesystem access
  • No direct access to system secrets
  • Separate from your host system
  • Reduced blast radius if something goes wrong

If something goes wrong, whether from a prompt injection or compromised dependency, the damage is contained. An attacker can't easily pivot to your other systems or steal unrelated data.

Docker isn't perfect: container escapes exist, and a determined attacker might break out. But it's a lot better than nothing, and it raises the bar for any exploit significantly.

Docker doesn't prevent network exfiltration. If Claude has internet access, it can still make outbound calls and potentially leak data over the network. Since Claude Code needs outbound access to its API, a blanket block isn't an option; the realistic control is an egress allowlist enforced outside the container. Docker protects your filesystem and processes, not your data once it crosses the network boundary.
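To make the isolation properties listed above and the network caveat concrete, here is an added example of a hardened `docker run` wrapper plus an egress allowlist. It is example code written for this page, not the claude-container project's own script. It assumes an image named claude-container:local whose container user's home is /home/claude, and a user-defined network claude-egress created with `docker network create --subnet 172.30.0.0/24 claude-egress`; the allowlisted addresses and the subnet are passed in as arguments and are placeholders.

```sh
#!/bin/sh
# Added example (not the claude-container project's own script): a hardened
# `docker run` wrapper plus an egress allowlist. Assumed names: image
# "claude-container:local", container home /home/claude, network "claude-egress"
# created with: docker network create --subnet 172.30.0.0/24 claude-egress
set -eu

# build_run_args PROJECT_DIR [NETWORK]
# Print the `docker run` arguments one per line so they can be reviewed
# (or tested) without invoking docker.
#   --read-only + --tmpfs: the image is immutable; only scratch space is writable.
#   --volume: the project checkout is the ONLY host path mounted, read-write
#     because Claude has to edit it, so that checkout is the blast radius.
#   --user: run as your uid so edited files keep your ownership, not root's.
#   --cap-drop / --security-opt: no capabilities, no setuid escalation inside.
#   --pids-limit / --memory: a runaway or malicious process cannot fork-bomb
#     or exhaust the host.
#   --env=NAME with no value forwards that single variable from the host;
#     no other host environment, dotfiles or credentials are visible.
build_run_args() {
  project="$1"
  network="${2:-claude-egress}"
  cat <<EOF
--rm
-it
--read-only
--tmpfs=/tmp:rw,nosuid,nodev,size=256m
--tmpfs=/home/claude:rw,nosuid,nodev,size=512m
--volume=${project}:/workspace
--workdir=/workspace
--user=$(id -u):$(id -g)
--cap-drop=ALL
--security-opt=no-new-privileges
--pids-limit=512
--memory=4g
--network=${network}
--env=ANTHROPIC_API_KEY
claude-container:local
EOF
}

# run_claude [PROJECT_DIR]
# Resolve the project directory to an absolute path and exec docker with the
# arguments above (split on newlines only, so paths with spaces survive).
run_claude() {
  project=$(cd "${1:-.}" && pwd)
  old_ifs=$IFS
  IFS='
'
  set -f                      # no globbing while word-splitting
  set -- $(build_run_args "$project")
  set +f
  IFS=$old_ifs
  exec docker run "$@"
}

# egress_rules SUBNET ALLOWED_IP...
# Print iptables commands for Docker's DOCKER-USER chain (evaluated before
# Docker's own FORWARD rules, so a process inside the container cannot bypass
# it). The container subnet may reach the listed addresses on 443 and a DNS
# resolver; everything else is dropped. Rules are inserted at explicit
# positions so they land ahead of the chain's default RETURN, in this order.
# Caveat: addresses behind a CDN change, so for a real deployment put a
# forward proxy on an allowlisted address rather than pinning API IPs.
egress_rules() {
  subnet="$1"; shift
  n=1
  rule() { echo "iptables -I DOCKER-USER $n $*"; n=$((n + 1)); }
  rule -s "$subnet" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
  rule -d "$subnet" -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
  rule -s "$subnet" -p udp --dport 53 -j RETURN
  for ip in "$@"; do
    rule -s "$subnet" -d "$ip" -p tcp --dport 443 -j RETURN
  done
  rule -s "$subnet" -j DROP
}

# Usage: sh claude-run.sh [PROJECT_DIR]
# With no arguments only the functions are defined, so the file can be sourced
# or the argument list inspected, e.g.:  . ./claude-run.sh; build_run_args .
if [ "$#" -gt 0 ]; then
  run_claude "$1"
fi
```

The split into `build_run_args` and `run_claude` is deliberate: you can diff the exact flags the wrapper will use before trusting it, and the egress rules are printed rather than applied so they can be reviewed and installed once on the host with root, outside the container's reach.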

Claude Container

claude-container on GitHub shows the implementation I came up with. The approach is straightforward: you put the script on your PATH and run claude from the CLI as you normally would, and you get the normal interface. It's designed to mimic the usual Claude workflow as closely as possible while isolating it in a container.

This repo is not about making dangerous features safe. It doesn't exist to justify using --dangerously-skip-permissions or other risky flags. Instead, it's about the container itself serving as a protection for the rest of your system. Even if you trust Claude fully, isolating it in Docker reduces risk from compromised dependencies or supply-chain attacks. It's a belt-and-suspenders approach: we assume things could go wrong and want to contain the fallout.