[DOCS] Logic conflict between `excludedCommands` and `allowUnsandboxedCommands: false` regarding Docker usage

Resolved 💬 3 comments Opened Jan 19, 2026 by coygeek Closed Feb 27, 2026

Documentation Type

Missing documentation (feature not documented)

Documentation Location

Section/Topic

  • sandboxing.md: "Configure sandboxing" section (Tip regarding Docker compatibility) - settings.md: "Sandbox settings" table (allowUnsandboxedCommands description)

Current Documentation

From https://code.claude.com/docs/en/sandboxing:

"docker is incompatible with running in the sandbox. Consider specifying docker in excludedCommands to force it to run outside of the sandbox."

From https://code.claude.com/docs/en/settings:

"allowUnsandboxedCommands: When set to false... all commands must run sandboxed (or be in excludedCommands)."

What's Wrong or Missing?

There is a logic/workflow collision that isn't explicitly addressed for enterprise or high-security users. If a user follows the security recommendation to set allowUnsandboxedCommands: false, Claude loses the ability to use the "escape hatch" (the dangerouslyDisableSandbox parameter) to run Docker.

While the documentation notes that Docker is incompatible with the sandbox, it phrases the use of excludedCommands as a suggestion ("Consider specifying..."). For users with strict policies (allowUnsandboxedCommands: false), using excludedCommands is the only way to allow Docker to function. Without a clear link between these two settings, a user might experience a hard block on Docker usage without understanding why the agent cannot "propose" an unsandboxed run.

Suggested Improvement

Update the Tip in the "Configure sandboxing" section of https://code.claude.com/docs/en/sandboxing to explicitly mention the strict policy conflict.

Suggested Text:

"Note: docker is incompatible with running in the sandbox. You must specify docker in the excludedCommands array in your settings.json to allow it to run. This is especially critical if you have set allowUnsandboxedCommands: false, as this prevents Claude from requesting one-off unsandboxed execution for Docker commands."

Additionally, add a troubleshooting entry:

Docker commands failing in strict sandbox mode? If you are using strict enterprise sandboxing (allowUnsandboxedCommands: false) and Docker commands fail, ensure docker is explicitly added to the excludedCommands array in settings.json. In this mode, the agent cannot manually request to bypass the sandbox for incompatible tools.

Impact

High - Prevents users from using a feature

Additional Context

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗