Why Run Claude Code in Docker?
| Benefit | Description |
|---|---|
| Reproducible environments | Every team member gets the same Node.js version, tools, and Claude Code configuration |
| Sandboxed file access | Claude can only read/write files you mount into the container |
| Network isolation | Control which external services Claude can reach |
| Clean environments | No pollution of your host system; easily reset to clean state |
| CI/CD integration | Run Claude Code in GitHub Actions, GitLab CI, or any container-based pipeline |
| Resource limits | Cap CPU and memory usage for Claude Code processes |
Basic Dockerfile
The simplest way to containerize Claude Code:
$ docker build -t claude-code .
# Run Claude Code with your project mounted
$ docker run -it --rm \
-v $(pwd):/workspace \
-e ANTHROPIC_API_KEY=$ANTHROPIC_API_KEY \
claude-code
Extended Dockerfile with Common Tools
For most projects, you'll want git, language runtimes, and other tools:
Put the npm install -g @anthropic-ai/claude-code line early in your Dockerfile. This layer gets cached and won't re-run unless you change it, making subsequent builds fast.
VS Code Dev Containers
Dev containers give you a full VS Code environment inside Docker. Claude Code works seamlessly in the integrated terminal.
Basic devcontainer.json
With this config, opening your project in VS Code will:
- Build a container with Node.js 22 and TypeScript
- Install the GitHub CLI
- Install Claude Code globally
- Forward your local
ANTHROPIC_API_KEYinto the container - Install the Claude Code VS Code extension
Custom Dockerfile Dev Container
For more control, use a custom Dockerfile:
The mounts config above shares your Claude Code authentication and settings between host and container. This means you only need to authenticate once.
Docker Compose Setup
For projects with services (databases, caches, APIs), use Docker Compose to give Claude Code access to the full stack:
$ docker compose run --rm app
# Or start services in background, then attach Claude
$ docker compose up -d db cache
$ docker compose run --rm app claude
Now Claude Code can interact with your database and cache just like it would in production.
Sandboxed Execution
Docker provides natural sandboxing for Claude Code. Here's how to lock it down for automated or untrusted workloads:
Read-Only Source Code
$ docker run -it --rm \
-v $(pwd):/workspace:ro \
-v $(pwd)/output:/output \
-e ANTHROPIC_API_KEY=$ANTHROPIC_API_KEY \
claude-code "review the code and write your findings to /output/review.md"
Network Restrictions
$ docker run -it --rm \
--network=none \
-v $(pwd):/workspace \
-e ANTHROPIC_API_KEY=$ANTHROPIC_API_KEY \
claude-code
Using --network=none blocks ALL network access including the Anthropic API. For true isolation, create a custom network that only allows traffic to api.anthropic.com.
Resource Limits
$ docker run -it --rm \
--cpus=2 \
--memory=4g \
-v $(pwd):/workspace \
-e ANTHROPIC_API_KEY=$ANTHROPIC_API_KEY \
claude-code
CI/CD with Docker
Use your Claude Code Docker image in CI pipelines for consistent automated reviews and fixes:
Best Practices
Image Optimization
- Use
node:22-sliminstead ofnode:22(300MB vs 1GB) - Use multi-stage builds if you need build tools only during setup
- Pin the Claude Code version:
npm install -g @anthropic-ai/claude-code@1.x.x - Clean up apt caches:
&& rm -rf /var/lib/apt/lists/*
Security
- Never bake API keys into images — always pass via environment variables or secrets
- Run as non-root user when possible (
USER node) - Use
.dockerignoreto exclude.env,node_modules, and.git - Mount source code as read-only for review-only workflows
- Set
--memoryand--cpuslimits to prevent runaway processes
Performance
- Mount
~/.claudeto persist authentication and settings across container restarts - Use Docker volumes for
node_modulesto avoid slow bind mounts on macOS - Pre-install project dependencies in the image for faster startup
Troubleshooting
Authentication Issues
If Claude Code can't authenticate inside Docker:
- Verify
ANTHROPIC_API_KEYis set:docker run --rm -e ANTHROPIC_API_KEY=$ANTHROPIC_API_KEY claude-code claude --version - For browser auth, mount
~/.claudefrom your host to share the auth token - Check the API key hasn't expired or been revoked
File Permission Issues
If Claude can't write to mounted directories:
- The container user must match the file owner. Use
--user $(id -u):$(id -g) - Or use
remoteUser: "node"in devcontainer.json and ensure the mount has correct permissions
Slow Performance on macOS
Docker file mounts on macOS are slower than native. Mitigate with:
- Use
consistency=cachedorconsistency=delegatedmount options - Put
node_modulesin a Docker volume instead of a bind mount - Consider using OrbStack instead of Docker Desktop for better macOS performance
Frequently Asked Questions
Can I use browser login inside Docker?
Not directly, since Docker doesn't have a browser. Use ANTHROPIC_API_KEY for container authentication. Alternatively, authenticate on your host machine first, then mount ~/.claude into the container to share the session.
Does Claude Code work with Podman?
Yes. Claude Code works with any OCI-compatible container runtime including Podman, containerd, and nerdctl. Replace docker with podman in all commands.
Can I use Claude Code in Kubernetes?
Yes. Deploy Claude Code as a Job or CronJob in Kubernetes. Pass ANTHROPIC_API_KEY via a Kubernetes Secret and mount your code as a volume or use git-sync init container.
How do I keep Claude Code updated in containers?
Pin to a specific version in your Dockerfile and update it periodically. For always-latest behavior, use npx @anthropic-ai/claude-code as the entrypoint, but this adds startup latency.