What permissions does Claude Code have?

By default, Claude Code asks for permission before executing bash commands, editing files, and accessing external services. You can pre-approve specific tools in .claude/settings.json using allow lists, or block dangerous commands with deny lists. Reading files and searching code are always allowed without prompting.

How do I run Claude Code in sandbox mode?

Claude Code runs with built-in sandboxing that restricts file access to your project directory. For stronger isolation, run Claude Code inside a Docker container with mounted volumes, or use the --sandbox flag for stricter OS-level sandboxing. On macOS, Claude Code uses the App Sandbox by default.

Is Claude Code safe to use with sensitive code?

Claude Code sends your code to Anthropic's API for processing. Anthropic does not use API inputs for model training, and code is not retained after processing. For additional security, use the deny list to prevent access to sensitive files, run in Docker for file isolation, and use enterprise plans for contractual data handling guarantees.

How do I prevent Claude Code from running dangerous commands?

Add dangerous commands to the deny list in .claude/settings.json. For example, deny 'Bash(rm -rf *)', 'Bash(git push --force*)', and 'Bash(curl *)'. Claude Code also has built-in safety rules that prevent force-pushing to main, running destructive git commands without asking, and skipping pre-commit hooks.

What is the difference between settings.json and settings.local.json?

settings.json is committed to git and shared with your team - use it for project-wide security policies. settings.local.json is gitignored and personal - use it for individual permission overrides that shouldn't affect teammates. Both files live in the .claude/ directory.

Claude Code Permissions, Sandbox & Security: Complete Guide (2026)

How Permissions Work

Claude Code uses a permission system that controls which tools it can use without asking. Every action Claude takes — editing a file, running a command, accessing the network — goes through this system.

✅

Always Allowed

Read files, search code, list directories. These never require approval.

❓

Ask First (Default)

Edit files, run bash commands, write files. Claude asks before proceeding.

❌

Always Blocked

Commands in your deny list. Claude can never execute these, even if asked.

⚡

Pre-Approved

Commands in your allow list. Claude runs these without asking.

Default Permission Behavior

Out of the box, Claude Code has these default permissions:

Tool	Default	Description
Read	Auto-allowed	Read any file in the project
Glob	Auto-allowed	Search for files by pattern
Grep	Auto-allowed	Search file contents
Edit	Asks first	Modify existing files
Write	Asks first	Create new files
Bash	Asks first	Run shell commands
Task (subagents)	Asks first	Launch background agents
MCP tools	Asks first	Use MCP server tools

When Claude asks for permission, you can:

Allow once — approve this specific action
Allow always — add to your session allow list
Deny — block this specific action

Configuring settings.json

For persistent permission rules, create .claude/settings.json in your project:

.claude/settings.json

{ "permissions": { "allow": [ "Bash(npm run lint)", "Bash(npm run test*)", "Bash(npm run build)", "Bash(npx tsc --noEmit)", "Bash(git status)", "Bash(git diff*)", "Bash(git log*)" ], "deny": [ "Bash(rm -rf *)", "Bash(git push --force*)", "Bash(git reset --hard*)", "Bash(git clean -f*)", "Bash(curl *)", "Bash(wget *)", "Bash(npm publish*)" ] } }

File	Shared?	Use For
`.claude/settings.json`	Yes (git)	Team security policies, shared allow/deny rules
`.claude/settings.local.json`	No (gitignored)	Personal overrides, local tool permissions
`~/.claude/settings.json`	No (global)	Cross-project personal defaults

Allow & Deny Lists

Allow List Patterns

Allow list entries use glob-style patterns with the tool name prefix:

Allow list examples

// Exact command match "Bash(npm run lint)" // Wildcard - any npm run command "Bash(npm run *)" // Allow all git read-only commands "Bash(git status)" "Bash(git diff*)" "Bash(git log*)" "Bash(git branch*)" // Allow specific tools entirely "Edit" "Write" // Allow specific MCP tools "mcp__my-server__read_data"

Deny List Patterns

Deny list entries block matching tools completely. They override allow list entries when both match:

Deny list examples

// Block destructive file operations "Bash(rm -rf *)" "Bash(rm -r *)" // Block dangerous git operations "Bash(git push --force*)" "Bash(git reset --hard*)" "Bash(git clean -f*)" "Bash(git branch -D*)" // Block network access "Bash(curl *)" "Bash(wget *)" // Block package publishing "Bash(npm publish*)" "Bash(cargo publish*)" // Block specific MCP tools "mcp__slack__send_message"

Deny always wins

If a command matches both an allow and a deny pattern, the deny takes precedence. Use this to create broad allow rules with specific deny exceptions.

Permission Modes

Claude Code has several permission modes for different workflows:

Mode	Flag	Behavior
Default	(none)	Asks for each tool that isn't in allow/deny list
Plan mode	`--plan`	Claude proposes changes; you approve before execution
Accept edits	`--accept-edits`	Auto-approve file edits, still ask for bash commands
Bypass all	`--dangerously-skip-permissions`	No permission checks. Use only in sandboxed environments.

# Plan mode: review before any changes happen
$ claude --plan

# Auto-approve edits (trust Claude with files)
$ claude --accept-edits

# Full auto-approval (ONLY in Docker/CI)
$ claude --dangerously-skip-permissions

Never use --dangerously-skip-permissions on your local machine

This flag disables ALL safety checks. Only use it inside Docker containers, CI/CD pipelines, or other sandboxed environments where Claude can't damage your real files or systems.

Sandbox & Isolation

Built-in Sandboxing

Claude Code includes built-in sandbox behavior:

Project scoping — Claude operates within your project directory by default
Permission prompts — destructive actions require explicit approval
Bash sandboxing — commands run in a restricted shell environment

Docker Sandboxing (Strongest)

For maximum isolation, run Claude Code in a Docker container:

# Read-only source + writable output directory
$ docker run -it --rm \
-v $(pwd):/workspace:ro \
-v $(pwd)/output:/output \
-e ANTHROPIC_API_KEY=$ANTHROPIC_API_KEY \
--cpus=2 --memory=4g \
claude-code --dangerously-skip-permissions

This gives you:

Read-only access to source code (can't modify your files)
Writable output directory for reports/reviews
CPU and memory limits
Network isolation (add --network=none for full isolation)

Built-in Safety Rules

Claude Code has hard-coded safety rules that cannot be overridden, even with --dangerously-skip-permissions:

Rule	Reason
Never force-push to main/master	Prevents overwriting shared branch history
Never skip pre-commit hooks	Respects your CI/linting pipeline
Create new commits, don't amend	Preserves git history
Stage files individually, not `git add -A`	Prevents committing secrets or large files
Ask before pushing to remote	Push affects shared state
Warn before destructive operations	`rm -rf`, `reset --hard`, `branch -D` need explicit approval

Team & Enterprise Security

Shared Security Policies

Use .claude/settings.json (committed to git) to enforce team-wide security:

.claude/settings.json (team policy)

{ "permissions": { "allow": [ "Bash(npm run *)", "Bash(git status)", "Bash(git diff*)", "Bash(git log*)" ], "deny": [ "Bash(rm -rf *)", "Bash(git push --force*)", "Bash(git reset --hard*)", "Bash(curl *)", "Bash(wget *)", "Bash(npm publish*)", "Bash(npx *deploy*)", "Bash(ssh *)", "Bash(scp *)" ] } }

Enterprise Features

SSO/SAML — centralized authentication through your identity provider
Admin controls — organization-wide permission policies
Audit logging — track all Claude Code actions across your organization
Data residency — control where your code is processed
Contractual guarantees — enterprise data handling agreements

Security Best Practices

For Individual Developers

Review permission prompts — don't blindly approve; read what Claude wants to do
Use plan mode for unfamiliar codebases — claude --plan lets you review before changes
Keep ANTHROPIC_API_KEY secure — never commit it, use environment variables
Add .env to deny list — prevent Claude from reading secret files
Check git diff before committing — verify Claude's changes look correct

For Teams

Commit .claude/settings.json — shared security policy for the whole team
Deny network commands — block curl, wget, ssh in the deny list
Deny deployment commands — prevent accidental deploys
Use Claude Team or Enterprise plans — includes admin controls and audit logs
Run CI reviews in Docker — sandboxed environment for automated reviews

For CI/CD

Always use Docker — never run Claude Code directly on CI runners
Mount source read-only — for review-only workflows
Set resource limits — --cpus=2 --memory=4g
Use Haiku for triage — cheaper model for high-volume automated reviews
Store API key as CI secret — never in code or environment files

Frequently Asked Questions

Can Claude Code access files outside my project?

By default, Claude Code operates within your current working directory and its subdirectories. It can read files at absolute paths if you reference them, but the built-in safety rules prevent arbitrary file system access. For strict isolation, use Docker containers.

Does Anthropic see my code?

Your code is sent to Anthropic's API for processing but is not retained after the session and is not used for model training. Enterprise plans offer additional contractual data handling guarantees. See Anthropic's privacy policy.

Can I disable specific tools entirely?

Yes. Add the tool name without any arguments to the deny list to block it completely: "Bash" blocks all bash commands, "Write" blocks all file creation. This is useful for review-only workflows where Claude should analyze but not modify code.

How do hooks interact with permissions?

Hooks run independently of the permission system. PreToolUse hooks can block tool calls regardless of allow list entries, giving you an additional layer of control. Use hooks for complex validation logic that can't be expressed as simple glob patterns.