What it is: A devcontainer is a sandboxed development environment — typically a Docker container with explicit egress controls — that AI coding agents run inside for safety. Anthropic ships a reference devcontainer specifically designed for unattended Claude Code operation.
Who it is for: Developers running AI coding agents unattended, on untrusted code, or in any context where blast-radius limits matter.
Best if: You want a short reference on what devcontainers are in the AI-agent context and why they’re the right place to run –dangerously-skip-permissions.
Skip if: You only run AI agents interactively, watching every step. Want one practical AI workflow every morning? Subscribe to our free daily newsletter.
What is Devcontainer (for AI agents)?
A devcontainer is a sandboxed development environment — almost always a Docker container — with explicit filesystem boundaries, network egress controls, and a known initial state. AI coding agents run inside the container; the host machine is protected from anything the agent does. The pattern originated in VS Code’s Dev Containers feature but has been adopted broadly for any “run AI inside a sandbox” workflow. Anthropic ships a reference devcontainer for Claude Code with an egress firewall and persistent volumes, specifically designed for safe unattended operation.
Why does Devcontainer (for AI agents) matter?
Devcontainers are where you can safely use --dangerously-skip-permissions. Anthropic’s own engineers don’t run that flag on bare metal — they run it inside a devcontainer. The container is what makes long unattended sessions safe: even if the agent decides to run rm -rf or push to the wrong branch, the blast radius is contained. Without a devcontainer, the only safety mechanism between an agent’s mistake and your real filesystem is the per-step permission prompt.
How does Devcontainer (for AI agents) work?
A devcontainer is defined by a devcontainer.json file at the repo root. It specifies the base image, the tools to install, environment variables, the user, and any networking restrictions. When the agent runs inside the container, it has access only to the files and tools you’ve granted; the host filesystem and other applications are isolated.
Anthropic’s reference setup adds two specific features: an egress firewall that limits which external hosts the agent can call, and persistent volumes for state that should survive container restarts (caches, login tokens, configuration). With both in place, you can safely run --dangerously-skip-permissions for true unattended operation.
Related terms
Learn more on Beginners in AI
Sources and further reading
- Anthropic — Claude Code devcontainer docs
- Anthropic — Claude Code best practices
- Dev Containers specification
Last reviewed: May 2026. AI terminology evolves quickly — verify specifics on the official source pages above.
Get Smarter About AI Every Morning
Free daily newsletter — one term, one tool, one tip. Plain English.
Free forever. Unsubscribe anytime.
You may also like
- Claude Code Best Practices
- Harness Engineering for Beginners
- Long-Running Claude Code Tasks
- Claude
- AI agent
- Harness engineering
- AI Glossary
Two ways to go further
The AI Prompt Library
1,000+ ready-to-use prompts for Claude, ChatGPT, and Gemini. Stop staring at a blank box.
Get it for $39 →2-Hour Live AI Crash Course
A private, beginner-friendly session across Claude, ChatGPT, Gemini, and the wider landscape.
Book for $125 →