Two local isolation approaches
Claude Code offers two isolation mechanisms for autonomous execution. The native sandbox is built into the CLI and relies on OS primitives. Docker Sandboxes (Docker Desktop 4.58+) use microVM isolation via hypervisor — more robust but heavier.
Comparison table
| Aspect | Native sandbox | Docker Sandboxes | None |
|---|---|---|---|
| Isolation | Process (Seatbelt/bubblewrap) | microVM (hypervisor) | None |
| Kernel | Shared with host | Separate kernel per sandbox | Shared |
| Setup | 0 dependencies (macOS), 2 packages (Linux) | Docker Desktop 4.58+ | None |
| Overhead | ~1-3% CPU | ~5-10% CPU, +200MB RAM | Zero |
| Docker-in-Docker | Not supported | Private Docker daemon included | No |
| Platform | macOS, Linux, WSL2 | macOS, Windows | All |
Native sandbox: the everyday choice
The native sandbox suits the vast majority of development sessions with trusted code. It starts instantly, requires no Docker Desktop, and its overhead is negligible. The main limitation is the shared kernel: a kernel exploit could in principle escape the sandbox, a risk that does not apply to microVMs because each one runs its own kernel.
Activate:

```bash
/sandbox   # interactive menu in Claude Code

# Linux/WSL2: prerequisites
sudo apt-get install bubblewrap socat
```

Docker Sandboxes: maximum isolation
Docker Sandboxes run Claude Code inside a microVM with a private Docker daemon. Each sandbox is ephemeral and does not appear in `docker ps` on the host. Changes inside the sandbox propagate to the host workspace, but network and system access remain confined to the microVM.
```bash
# Start a sandboxed session
docker sandbox run claude ~/my-project

# With autonomous mode (safe inside a microVM)
docker sandbox run claude ~/my-project -- --dangerously-skip-permissions
```

Decision tree
- Team code, trusted environment → Native sandbox (lightweight, zero config)
- Untrusted code or AI-generated scripts → Docker Sandboxes (kernel isolation)
- Need Docker inside the sandbox → Docker Sandboxes (only option)
- CI/CD with sensitive workloads → Docker Sandboxes or cloud sandboxes
- Parallel multi-agent, cloud → Fly.io Sprites, E2B, Vercel Sandboxes

Known limitations
- Native sandbox: kernel shared with the host (exposure to kernel exploits), domain fronting risk via CDNs, and Unix sockets exposed to the sandbox are dangerous if misconfigured.
- Docker Sandboxes: requires Docker Desktop (not Docker Engine alone), no GPU passthrough, unidirectional workspace sync (sandbox to host). Available on macOS and Windows; Linux uses an older container-based isolation.
- Platform: the native sandbox does not run on native Windows for now. WSL2 is supported, WSL1 is not.
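The native sandbox section above names bubblewrap as the Linux primitive, and the limitations list flags exposed Unix sockets as a hazard. The script below is an added illustration of what such a process-level policy looks like in bwrap terms; it is not Claude Code's own sandbox profile, and the `/work` mount point, the `/home` masking and the specific flag choices are assumptions made for this example. It separates building the policy (inspectable, testable) from running a command under it.

```shell
#!/usr/bin/env sh
# Added example, not Claude Code's sandbox profile: the bubblewrap (bwrap)
# argument list a process-level sandbox is built from. The /work mount point
# and flag choices are assumptions for this illustration.

# Print, one per line, the bwrap arguments for a command that may only write
# inside WORKSPACE, sees the rest of the filesystem read-only and has no
# network. Emitting the list (instead of running bwrap directly) lets the
# policy be reviewed and tested before anything executes.
build_bwrap_args() {
    workspace="$1"
    # Whole host filesystem read-only: binaries run, nothing gets modified.
    printf '%s\n' --ro-bind / /
    # Fresh device, proc and tmp filesystems instead of the host's.
    printf '%s\n' --dev /dev --proc /proc --tmpfs /tmp
    # Mask the home directory so dotfiles, tokens and SSH keys are unreadable.
    printf '%s\n' --tmpfs /home
    # The project directory is the single writable path.
    printf '%s\n' --bind "$workspace" /work --chdir /work
    # New network and PID namespaces: no outbound connections, no view of or
    # signals to host processes. The kernel itself stays shared, which is the
    # residual risk the limitations section describes.
    printf '%s\n' --unshare-net --unshare-pid
    # Tear the sandbox down with its parent; a new session blocks TIOCSTI
    # keystroke injection into the controlling terminal.
    printf '%s\n' --die-with-parent --new-session
    # Deliberately absent: any --bind of /var/run/docker.sock, $SSH_AUTH_SOCK
    # or $XDG_RUNTIME_DIR. A Unix socket leaked into the sandbox hands the
    # sandboxed process whatever privilege the daemon behind it holds.
}

# Number of tokens in the policy, for a quick regression check.
count_bwrap_args() {
    build_bwrap_args "$1" | wc -l | tr -d ' '
}

# Run "$@" under the policy above. Needs bubblewrap (apt-get install bubblewrap).
run_sandboxed() {
    workspace="$1"; shift
    command -v bwrap >/dev/null 2>&1 || { echo "bwrap not found" >&2; return 127; }
    # Split the newline-separated list into positional parameters without
    # breaking on spaces inside paths.
    old_ifs=$IFS; IFS='
'
    set -- $(build_bwrap_args "$workspace") -- "$@"
    IFS=$old_ifs
    bwrap "$@"
}

# Example use (requires bwrap on the host):
#   run_sandboxed "$PWD" sh -c 'touch /usr/probe || echo "rootfs read-only"; touch /work/ok && echo "workspace writable"'
```

The point of printing the policy first is that a reviewer can diff it the way they would diff a firewall rule set: every `--bind` is a deliberate hole in the read-only root, and anything that is a socket rather than a directory deserves a second look before it goes in.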
Open-source runtime
Anthropic’s sandbox runtime is published as open-source and can sandbox any command, not just Claude Code.
```bash
npx @anthropic-ai/sandbox-runtime node mcp-server.js
```