Code Guide
M20 Advanced Methodology

CI/CD & Production Security

Using Claude Code in production with the right security guarantees


The --dangerously-skip-permissions flag

This flag disables Claude Code’s interactive confirmations, which is essential for non-interactive CI/CD pipelines. But it also removes the last line of defense against destructive actions. Its use is only acceptable inside an isolated ephemeral container, never on a shared persistent machine.

# Acceptable in CI (ephemeral container)
claude --dangerously-skip-permissions \
  -p "Run tests and fix failing ones"

# Unacceptable (shared machine, open network access)
claude --dangerously-skip-permissions # ❌

The rule: the flag widens the trust granted to Claude, so the container perimeter must compensate by reducing what Claude can reach.

Run the agent in a disposable Docker container created at job start and destroyed at the end. The repository is mounted as a volume, dependencies are installed inside, and no sensitive files from the host machine are accessible.

jobs:
  agent-task:
    runs-on: ubuntu-latest
    container:
      image: node:22-alpine
    steps:
      - uses: actions/checkout@v4
      - name: Run Claude
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
        run: |
          claude --dangerously-skip-permissions \
            -p "Run tests, fix failures, open PR"

For maximum isolation, cloud solutions (E2B, Vercel Sandboxes) offer microVMs with a separate kernel, eliminating the container escape risk.

Strict tool whitelist

Even in bypass mode, it is possible to limit available tools. A review agent only needs Read, Glob, Grep. An implementation agent can have Edit on targeted paths, but rarely Bash without constraints.

Agent role        | Allowed tools
------------------|------------------------------
Code review       | Read, Glob, Grep
Test fixing       | Read, Edit, Bash(test runner)
Security analysis | Read, Glob, Grep
Implementation    | Read, Edit, Write, Bash

The whitelist is configured via --allowedTools in CLI or allowed_tools in the GitHub action.

Secrets in CI

API keys and tokens must never appear in the workflow YAML file. Use GitHub secrets (Settings → Secrets and variables → Actions) and inject them as environment variables.

env:
  ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
  # Never:
  # ANTHROPIC_API_KEY: sk-ant-xxxxx ❌

Recommended rotation: change keys every 90 days and audit access via GitHub logs.

Network: restricted access

Never run Claude in bypass mode with unrestricted network access. Configure an explicit network allowlist for legitimate domains:

api.anthropic.com # Model
*.npmjs.org # Packages
github.com # Git operations

Everything else is denied by default. This blocks data exfiltration to external endpoints if the agent is compromised or misconfigured.

Safe autonomy pattern

The safest pattern for production: Claude proposes, a human approves. The agent opens a PR with its changes, the test pipeline validates, and a human reviewer approves before the merge.

Agent → branch → PR → CI tests → human review → merge

Do not automate the final merge, even if all tests pass. Keep a human in the loop for changes to main.

Anti-patterns to avoid

Anti-pattern                        | Risk
------------------------------------|------------------------------------
Skip permissions on host machine    | Unbounded filesystem/network access
Mounting /home in the container     | Exposure of SSH keys, credentials
Network allowlist *                 | Possible exfiltration
Automatic merge without review      | Undetected regression
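Added here as an example (not code from this card or from Claude Code itself): a small Python linter that flags the anti-patterns in the table above when run over a GitHub Actions workflow file. The two sample workflows are constructed, and the `--allowedTools` value in the good one is an assumed whitelist for a test-fixing agent.

```python
import re

# Line-based heuristics rather than a YAML parser, so the checks also catch
# the pattern inside comments and run: blocks. Assumed patterns, not official rules.
SKIP = "--dangerously-skip-permissions"
CHECKS = [
    ("skip-permissions outside a container",
     lambda t: SKIP in t and not re.search(r"^\s*container:", t, re.M)),
    ("hardcoded Anthropic API key",
     lambda t: re.search(r"sk-ant-[A-Za-z0-9_-]+", t) is not None),
    ("host /home mounted into the container",
     lambda t: re.search(r"^\s*-\s*['\"]?/home\b[^:\n]*:", t, re.M) is not None),
    ("automatic merge step",
     lambda t: re.search(r"gh pr merge|auto-?merge", t, re.I) is not None),
    ("bypass mode without a tool whitelist",
     lambda t: SKIP in t and "--allowedTools" not in t),
]

def lint_workflow(text: str) -> list[str]:
    # Return the name of every anti-pattern found, in CHECKS order.
    return [name for name, test in CHECKS if test(text)]

# Constructed sample: host runner, hardcoded key, auto-merge, no whitelist.
BAD_WORKFLOW = """\
jobs:
  agent-task:
    runs-on: ubuntu-latest
    steps:
      - env:
          ANTHROPIC_API_KEY: sk-ant-xxxxx
        run: |
          claude --dangerously-skip-permissions -p "Run tests and fix failing ones"
          gh pr merge --auto --squash
"""

# Constructed sample following the card: ephemeral container, secret injected, whitelist, PR left to a human.
GOOD_WORKFLOW = """\
jobs:
  agent-task:
    runs-on: ubuntu-latest
    container:
      image: node:22-alpine
    steps:
      - env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
        run: |
          claude --dangerously-skip-permissions \\
            --allowedTools "Read" "Edit" "Bash(npm test)" \\
            -p "Run tests, fix failures, open PR"
"""
```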
