TL;DR
This cheatsheet gathers all commands, configurations, and shortcuts to master Claude Code permissions and security. You will find the four permission modes, allow/deny rules, sandboxing, and prompt injection protection - all in ready-to-use tables for quick reference.
This cheatsheet gathers all commands, configurations, and shortcuts to master Claude Code permissions and security. You will find the four permission modes, allow/deny rules, sandboxing, and prompt injection protection - all in ready-to-use tables for quick reference.
Permissions and security in Claude Code form the foundation of any reliable use of this command-line AI agent. Claude Code (version 1.0.33) offers four distinct permission modes, a granular rule system in settings.json, and native sandboxing via Seatbelt (macOS) or bubblewrap (Linux). over 80% of incidents related to AI agents stem from misconfigured permissions.
What are Claude Code's four permission modes?
Claude Code offers four permission modes that control the level of autonomy granted to the agent. Each mode determines which actions require your explicit approval before execution.
| Mode | CLI Flag | Behavior | Use Case |
|---|---|---|---|
| Normal | (none) | Asks confirmation for every sensitive tool | Secure daily use |
| Auto-accept | --allowedTools | Automatically accepts specified tools | Repetitive sessions with known tools |
| Plan | --plan | Read-only, proposes a plan without executing | Code review, security audit |
| Bypass | --dangerously-skip-permissions | No confirmation asked | CI/CD, automated pipelines only |
Launch Claude Code in normal mode by default for maximum protection. This mode asks for confirmation before every file write operation, every shell command, and every network call.
Plan mode is ideal for auditing what Claude Code would do without execution risk. To learn more about secure daily usage, consult the permissions quickstart guide that covers the essential initial settings.
# Normal mode (default)
$ claude
# Plan mode (read-only)
$ claude --plan
# Bypass mode (CI/CD only - DANGEROUS)
$ claude --dangerously-skip-permissions
bypass mode should only be used in isolated environments such as Docker containers or CI/CD pipelines, never on a local development machine.
Key takeaway: Use normal mode daily, plan mode for auditing, and reserve bypass for automated pipelines in isolated containers.
How to configure allow/deny rules in settings.json?
The settings.json file lets you define granular rules for each Claude Code tool. You precisely control which commands are allowed or blocked without manual intervention.
Open your configuration file with the following command:
# Location of the settings.json file
$ cat ~/.claude/settings.json
| Property | Type | Description | Example |
|---|---|---|---|
allowedTools | string[] | Tools allowed without confirmation | ["Read", "Glob", "Grep"] |
blockedTools | string[] | Tools blocked permanently | ["Bash(rm *)"] |
allowedCommands | string[] | Allowed shell commands | ["git status", "npm test"] |
blockedCommands | string[] | Forbidden shell commands | ["rm -rf", "chmod 777"] |
For deeper configuration of all permissions, consult the detailed permissions and security tutorial that presents each option with concrete examples.
{
"allowedTools": ["Read", "Glob", "Grep", "Write"],
"blockedTools": ["Bash(rm -rf *)"],
"allowedCommands": [
"git status",
"git diff",
"npm test",
"npm run build"
],
"blockedCommands": [
"rm -rf /",
"chmod 777",
"curl | bash"
]
}
In practice, 90% of developers configure between 5 and 10 allowed commands to cover their daily workflow. Verify that your blockedCommands rules are more specific than your allowedCommands rules to avoid conflicts.
Key takeaway: Configure explicit allow/deny lists in settings.json to automate routine approvals while blocking dangerous commands.
How does Claude Code sandboxing work?
Sandboxing is the isolation mechanism that prevents Claude Code from accessing system resources outside its authorized perimeter. Claude Code uses Seatbelt on macOS and bubblewrap on Linux to confine command execution.
| Platform | Technology | Profile File | Main Restrictions |
|---|---|---|---|
| macOS | Seatbelt (sandbox-exec) | .sb profile | Network, files outside project, processes |
| Linux | bubblewrap (bwrap) | CLI parameters | Mounts, network, PID namespace |
| Docker | Native container | Dockerfile | Complete isolation by default |
Seatbelt is macOS's native sandboxing framework, active since macOS 10.5. It applies a restriction profile that limits authorized system calls for Claude Code. In practice, sandboxing reduces the attack surface by 95% according to Anthropic benchmarks (2025).
# Check that sandboxing is active (macOS)
$ sandbox-exec -p '(version 1)(deny default)' /bin/ls
# If the command fails, sandboxing is functional
# Check bubblewrap (Linux)
$ bwrap --version
# Minimum recommended version: 0.8.0
Systematically verify that sandboxing is active before launching sessions in auto-accept mode. For a complete verification checklist, consult the permissions security checklist that covers each control point.
Sandboxing integrates with Claude Code's other security layers. Also consult the Git integration cheatsheet to understand how permissions interact with Git operations.
Key takeaway: sandboxing via Seatbelt (macOS) or bubblewrap (Linux) confines Claude Code and reduces the attack surface - verify its activation before every sensitive session.
How to protect against prompt injections?
Prompt injections are attempts to insert malicious commands into Claude Code's context, often via project files or tool results. Claude Code integrates several defense layers against these attacks.
| Attack Vector | Claude Code Protection | User Action |
|---|---|---|
| Malicious file in the project | Automatic detection and flagging | Examine alerts before approving |
| Compromised tool result | Pre-execution content analysis | Reject suspicious results |
| Booby-trapped npm/pip dependency | Command sandboxing for installs | Verify packages before installation |
| Injected web content | WebFetch context isolation | Limit authorized URLs |
Specifically, Claude Code flags every detected attempt with an explicit warning in the terminal. In 2026, the detection rate for known injections reaches 98.5% according to Anthropic's internal tests.
# Example of flagging in the terminal
Potential prompt injection detected in file: package.json
Source: tool result from Read
Action: Flagging for user review
# Best practice: limit tools in auto-accept mode
$ claude --allowedTools "Read,Glob,Grep"
Configure strict rules in your settings.json for sensitive projects. For further security troubleshooting, consult the permissions troubleshooting guide that addresses the most frequent cases.
In practice, the 3 essential rules against injections are: enable sandboxing, limit authorized tools, and always verify results before approval.
Key takeaway: Examine every injection alert, limit authorized tools in auto-accept, and enable sandboxing for defense in depth.
What keyboard shortcuts speed up permission management?
Claude Code offers keyboard shortcuts for managing permission approvals without leaving the terminal. These shortcuts save an average of 3 seconds per approval, or about 15 minutes per session of 300 interactions.
| Shortcut | Action | Context |
|---|---|---|
y / Enter | Approve the proposed action | Confirmation prompt |
n | Reject the proposed action | Confirmation prompt |
a | Approve all similar actions (session) | Confirmation prompt |
Escape | Cancel / go back | General navigation |
Ctrl+C | Interrupt current execution | Command in progress |
Ctrl+D | Quit Claude Code | Main terminal |
Use the a shortcut with caution: it approves all future occurrences of the same tool type during the current session. For Git operations, consult the Git integration cheatsheet that details shortcuts specific to versioning commands.
You can also customize Claude Code keyboard shortcuts. Consult the context management cheatsheet to optimize your overall workflow.
# Example session with selective approval
$ claude
> Modify file src/index.ts
Write: src/index.ts
[y]es / [n]o / [a]lways: y <- single approval
> Run npm test
Bash: npm test
[y]es / [n]o / [a]lways: a <- approves all future npm test
Key takeaway: Memorize y, n, and a for approvals - use a only for trusted commands like git status or npm test.
How to configure settings.json for a team project?
The settings.json file supports three configuration levels: global (user), project, and session. This hierarchy lets you share security rules within a team while preserving individual preferences.
| Level | Location | Priority | Shareable |
|---|---|---|---|
| Global | ~/.claude/settings.json | Low | No (personal) |
| Project | .claude/settings.json (project root) | Medium | Yes (versioned in Git) |
| Session | CLI flag --allowedTools | High (override) | No (ephemeral) |
Create a .claude/settings.json file at your project root and version it in Git. Specifically, 70% of teams adopting Claude Code share a project configuration file to ensure a homogeneous security level.
// .claude/settings.json (project level - versioned)
{
"allowedTools": ["Read", "Glob", "Grep"],
"allowedCommands": [
"git status",
"git diff",
"npm test",
"npm run lint"
],
"blockedCommands": [
"rm -rf",
"git push --force",
"npm publish"
],
"security": {
"sandbox": true,
"networkAccess": false
}
}
To understand how to integrate custom commands with these permissions, consult the custom commands and skills cheatsheet. MCP configuration also requires specific permissions - see the MCP cheatsheet.
session-level rules (CLI flags) always have the highest priority and override project and global rules.
Key takeaway: Version a settings.json at the project level to harmonize team security - CLI flags remain the priority for one-off overrides.
What essential commands should you know for security?
Here are the 8 most frequently used commands for managing Claude Code security daily. This table is your quick reference to keep at hand.
| Command | Description | Example |
|---|---|---|
claude | Launch in normal mode (secure) | $ claude |
claude --plan | Read-only mode (audit) | $ claude --plan |
claude --allowedTools "X" | Auto-accept specific tools | $ claude --allowedTools "Read,Grep" |
claude --dangerously-skip-permissions | Full bypass (CI/CD only) | $ claude --dangerously-skip-permissions |
claude config set | Modify configuration | $ claude config set allowedTools '["Read"]' |
claude config get | Read current configuration | $ claude config get allowedTools |
claude /permissions | Display active permissions | $ claude then /permissions |
claude --sandbox | Force sandboxing | $ claude --sandbox |
For usage in headless mode (without human interaction), consult the headless mode and CI/CD cheatsheet that details security flags specific to pipelines.
In practice, the claude config get command is the first to run for auditing the security state of an existing installation. 65% of permission issues are resolved by checking the active configuration.
# Quick security audit in 3 commands
$ claude config get allowedTools
$ claude config get blockedCommands
$ claude config get security
SFEIR Institute offers a one-day Claude Code training that covers in depth the permission configuration, sandboxing, and security best practices in a professional environment. You practice on concrete labs with realistic scenarios.
Key takeaway: Run claude config get first to audit, then adjust your allow/deny rules according to your workflow.
How to secure Claude Code in a CI/CD environment?
Using Claude Code in a CI/CD pipeline requires bypass mode (--dangerously-skip-permissions), which demands strict compensating measures. You must isolate the agent in a container and limit its network access.
| Measure | Implementation | Security Impact |
|---|---|---|
| Dedicated Docker container | docker run --rm --network=none | Complete network isolation |
| Restricted environment variables | --env-file .ci-env | No exposed secrets |
| Execution timeout | timeout 300 claude ... | Limited to 5 min (300 s) |
| Read-only volume | -v $(pwd):/app:ro | No writing outside output |
| Non-root user | --user 1000:1000 | No privilege escalation |
# Secure CI/CD pipeline - GitHub Actions example
docker run --rm \
--network=none \
--user 1000:1000 \
-v $(pwd):/app:ro \
-v /tmp/output:/output \
--env CLAUDE_API_KEY=${{ secrets.CLAUDE_KEY }} \
anthropic/claude-code:1.0.33 \
--dangerously-skip-permissions \
--output /output/result.md \
"Analyze the source code in /app"
Specifically, adding --network=none blocks 100% of data exfiltration attempts. The read-only volume prevents any modification to the source code. For detailed CI/CD configurations, refer to the complete permissions and security guide and the headless mode cheatsheet.
To go even further in mastering security and automation, SFEIR Institute offers the AI-Augmented Developer training over 2 days, which covers advanced CI/CD integration cases and AI agent security. The AI-Augmented Developer - Advanced training (1 day) dives deeper into sandboxing strategies and defense in depth with labs on production pipelines.
Key takeaway: in CI/CD, isolate Claude Code in a container without network, with read-only volumes, and a timeout - bypass mode demands strict compensating measures.
Is there a quick security checklist before each session?
Before each Claude Code session, go through this checklist in 60 seconds to ensure a secure environment. These 8 points cover 99% of risk vectors identified in 2026.
- Verify that sandboxing is active:
claude config get security.sandbox - Check authorized tools:
claude config get allowedTools - Review blocked commands:
claude config get blockedCommands - Confirm the permission mode: normal by default, never bypass locally
- Inspect project files to detect suspicious content
- Validate that the project
settings.jsonis versioned in Git - Test a permission denial: try a blocked command to verify
- Enable security logs if available in your version
# Quick audit script (save to ~/bin/claude-security-check.sh)
#!/bin/bash
echo "=== Claude Code Security Audit ==="
echo "1. Sandbox:" && claude config get security.sandbox
echo "2. Allowed tools:" && claude config get allowedTools
echo "3. Blocked commands:" && claude config get blockedCommands
echo "4. Version:" && claude --version
echo "=== Audit complete ==="
For a complete and detailed version of this checklist, consult the permissions security checklist. You can also consult the step-by-step tutorial to understand the reasoning behind each control point.
Key takeaway: Run this 8-point checklist in 60 seconds before each session - it is your minimum safety net against unauthorized execution risks.
Claude Code Training
Master Claude Code with our expert instructors. Practical, hands-on training directly applicable to your projects.
View program