Security

In February 2025, LayerX Security Research disclosed a critical zero-click remote code execution vulnerability in Anthropic’s Claude Desktop Extensions (DXT) framework. Extensions run unsandboxed with full system privileges, acting as execution bridges between the language model and the local operating system.

Many corporate security teams now require that AI coding tools run only inside dedicated virtual machines, containers, or disposable environments — not directly on corporate endpoints.

This devcontainer satisfies that requirement.

+------------------------------------------------+
| Host Machine (corporate endpoint)              |
|                                                |
|   - No AI tool binaries installed              |
|   - No AI tool extensions or plugins           |
|   - Only Docker is required                    |
|                                                |
|   +------------------------------------------+ |
|   | Docker Container (isolated)              | |
|   |                                          | |
|   | AI tools run here:                       | |
|   |   - Claude Code CLI                      | |
|   |   - OpenCode                             | |
|   |   - Codex                                | |
|   |                                          | |
|   | No access to:                            | |
|   |   x Host filesystem                      | |
|   |   x Host keychain / credential store     | |
|   |   x Host clipboard                       | |
|   |   x Host network interfaces              | |
|   |   x Other host applications              | |
|   +------------------------------------------+ |
+------------------------------------------------+

All data lives in Docker named volumes — not bind-mounted host directories. A compromise inside the container cannot access files on your host machine. See Configuration — Data Persistence for volume details.

The container has no access to macOS Keychain, Windows Credential Manager, browser profiles, or the host SSH agent. SSH keys are injected at startup via a base64-encoded environment variable and exist only inside the container.

Docker containers do not share clipboard state with the host. Data cannot leak through copy/paste.

The container communicates with the outside world in one of two supported authentication modes:

  • LiteLLM proxy mode — outbound HTTPS to your LiteLLM proxy through Docker’s NAT.
  • OAuth mode — outbound HTTPS directly to Anthropic through Docker’s NAT.

The container has no access to VPN tunnels, corporate network interfaces, or other services on the host.

The entire environment can be destroyed and recreated in seconds. Treat the container as disposable.

docker compose down -v
docker compose pull && docker compose up -d

This environment runs AI tools as command-line interfaces only. No desktop applications, no browser extensions, no DXT frameworks. The vulnerability that prompted this isolation model does not apply to CLI usage inside a container.

The docker-compose.yml applies several defense-in-depth measures:

  • Capability dropping — All Linux capabilities are dropped (cap_drop: ALL), then only the minimum set is re-added: CHOWN, DAC_OVERRIDE, FOWNER (for volume permission fixes in the entrypoint), SETUID/SETGID (for sudo), NET_RAW (for ping/tcpdump), and NET_ADMIN (for packet capture tools like Wireshark and bettercap).
  • Resource limits — CPU (4 cores), memory (8 GB), and PID count (4096) are capped via mem_limit, cpus, and pids_limit to prevent resource exhaustion attacks.
  • tmpfs for /tmp — The /tmp directory is mounted as a 256 MB tmpfs, keeping temporary files in memory and preventing them from persisting to the container’s writable layer.
  • TLS validation on by default — NODE_TLS_REJECT_UNAUTHORIZED is not set, so Node.js validates TLS certificates by default. Users who need to accept self-signed certificates (e.g. for an internal proxy) can opt in by adding NODE_TLS_REJECT_UNAUTHORIZED=0 to their .env file.
  • SSH key umask — SSH private keys are written under umask 077, so the file is never world-readable — even briefly — between creation and the chmod call.
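As an added example (not part of the project's docker-compose.yml or its claude-self-test), a POSIX shell self-check that can be run inside the container to confirm that the capability allowlist, the tmpfs /tmp and the Node.js TLS default described above are actually in effect. Capability bit numbers follow linux/capability.h; the mask values used in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added self-check (not the project's own code): verifies the hardening listed above from
# inside the container. Capability names are indexed by bit position from linux/capability.h.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap \
linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner \
sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice \
sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap \
mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf \
checkpoint_restore"
# The allowlist docker-compose.yml re-adds after cap_drop: ALL (CapEff 0x30cb when exact).
EXPECTED_CAPS="chown dac_override fowner setgid setuid net_admin net_raw"

# caps_from_mask HEX -> names whose bit is set in HEX (the CapEff field of /proc/self/status)
caps_from_mask() {
  bits=$((0x$1)); i=0; out=""
  for name in $CAP_NAMES; do
    [ $(( (bits >> i) & 1 )) -eq 1 ] && out="$out $name"
    i=$((i + 1))
  done
  printf '%s' "${out# }"
}
# unexpected_caps HEX -> capabilities present in HEX but absent from the allowlist (empty = OK)
unexpected_caps() {
  extra=""
  for c in $(caps_from_mask "$1"); do
    case " $EXPECTED_CAPS " in *" $c "*) ;; *) extra="$extra $c" ;; esac
  done
  printf '%s' "${extra# }"
}

# Live checks: each prints one line and returns non-zero on failure.
check_caps() {
  eff=$(awk '/^CapEff:/ {print $2}' /proc/self/status 2>/dev/null)
  [ -n "$eff" ] || { echo "caps: CapEff unavailable (not Linux?)"; return 1; }
  extra=$(unexpected_caps "$eff")
  [ -z "$extra" ] && { echo "caps: OK ($(caps_from_mask "$eff"))"; return 0; }
  echo "caps: UNEXPECTED $extra"; return 1
}
check_tmp_tmpfs() {
  [ "$(stat -f -c %T /tmp 2>/dev/null)" = tmpfs ] && { echo "/tmp: tmpfs"; return 0; }
  echo "/tmp: NOT tmpfs"; return 1
}
check_tls() {
  [ -z "${NODE_TLS_REJECT_UNAUTHORIZED:-}" ] && { echo "tls: Node validation on"; return 0; }
  echo "tls: DISABLED (NODE_TLS_REJECT_UNAUTHORIZED=$NODE_TLS_REJECT_UNAUTHORIZED)"; return 1
}

failures=0
for chk in check_caps check_tmp_tmpfs check_tls; do if ! $chk; then failures=$((failures + 1)); fi; done
echo "self-check: $failures failing check(s)"
```

Running it on the host instead of in the container reports the Docker default capability set as unexpected, which is the quickest way to tell the two apart.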

The container includes approximately 80 pre-installed security and penetration testing tools for authorized testing scenarios. Tools are organized by category:

Category                     Tools (examples)
---------------------------  ----------------------------------------------------------------------
Network analysis             tshark, wireshark, masscan, hping3, bettercap (amd64), netdiscover
Web scanners                 nikto, sqlmap, dirb, whatweb, sslscan, OWASP ZAP, dalfox, feroxbuster
Password and authentication  hydra, john, hashcat, medusa, ncrack
Reverse engineering          radare2, Ghidra, gdb, binwalk, strace, ltrace
Reconnaissance               subfinder, amass, httpx, nuclei, gau, waybackurls, recon-ng, spiderfoot
Fuzzing and enumeration      ffuf, gobuster, SecLists
Supply chain and secrets     trufflehog, grype, syft, gitleaks
Exploitation frameworks      Metasploit (amd64), searchsploit (ExploitDB)

Some tools (bettercap, Metasploit) are only available on amd64 due to upstream packaging constraints. Packet capture tools (tshark, bettercap) require the NET_ADMIN capability, which is included in the default docker-compose.yml.

For the complete list, run claude-self-test inside the container (section 7 checks all security tools).

Requirement                                       Status
------------------------------------------------  ------
AI tools not installed on host endpoint           Yes
Runs in isolated VM or container                  Yes
No access to host file shares                     Yes
No clipboard sync                                 Yes
No shared credential stores                       Yes
No VPN split tunneling into prod networks         Yes
Environment is disposable                         Yes
No desktop extensions or plugins                  Yes
Linux capabilities dropped (least-privilege)      Yes
Resource limits enforced (CPU/memory/PIDs)        Yes
TLS certificate validation enabled by default     Yes
Internal services bound to localhost only         Yes

  1. Do not install AI coding tools on your host machine. Use this container instead.
  2. Do not add bind mounts to docker-compose.yml. The named-volume configuration is intentional.
  3. Rotate SSH keys used inside the container periodically.
  4. Review .env before sharing. It contains API keys and may contain SSH private keys.
  5. Update periodically to pick up security patches:
docker compose pull && docker compose up -d