2026-01-26 · Authensor

How to Gate docker run Commands in AI Agents

SafeClaw by Authensor blocks docker run and related container execution commands by default, preventing AI agents from spinning up arbitrary containers on your infrastructure. Install SafeClaw with npx @authensor/safeclaw and every container launch attempt is denied and recorded in a hash-chained audit log.

Why docker run Is Dangerous When AI Agents Do It

docker run gives an AI agent the ability to execute any image from any registry with any combination of mounted volumes, network settings, and privilege flags. docker run --privileged disables most of the container's isolation: the container receives every capability, access to host devices, and no seccomp or AppArmor confinement, which is effectively root on the host. Mounting the Docker socket (-v /var/run/docker.sock:/var/run/docker.sock) hands the container control of the host's Docker daemon, from which it can start a privileged container with the host filesystem mounted; that is a container escape in one command. Even without explicit privilege flags, an agent can pull and execute images containing cryptominers, reverse shells, or data exfiltration tools. The combination of network access (to pull images) and code execution makes docker run one of the highest-risk commands an AI agent can invoke.

The Exact SafeClaw Policy to Gate docker run

Add these rules to .safeclaw/policy.yaml:

rules:
  - id: deny-docker-run-privileged
    action: shell.exec
    match:
      command: "docker run*--privileged*"
    effect: deny
    audit: true
    message: "Privileged container execution is permanently denied."

  - id: deny-docker-run-socket-mount
    action: shell.exec
    match:
      command: "docker run*docker.sock*"
    effect: deny
    audit: true
    message: "Docker socket mounting is permanently denied."

  - id: deny-docker-run
    action: shell.exec
    match:
      command: "docker run*"
    effect: deny
    audit: true
    message: "docker run requires explicit policy approval."

  - id: deny-docker-exec
    action: shell.exec
    match:
      command: "docker exec*"
    effect: deny
    audit: true
    message: "docker exec is blocked for AI agents."

Rule ordering matters: rules are evaluated top to bottom and the first match decides. The privileged and socket-mount rules sit first as hard denials so that no more permissive rule added later can reach those commands. The general deny-docker-run rule catches every other container launch, and the docker exec rule stops agents from attaching to containers that are already running. Two caveats about the patterns themselves: they are globs over the command string, so docker run* does not match the equivalent spelling docker container run, and the socket rule keys on the literal docker.sock and will not catch other host-takeover flags such as --pid=host, --cap-add, or -v /:/host. With the catch-all deny in place those still fall through to the general denial, but before you add any allow or approval rule, extend the hard-deny patterns to cover them first.

What Happens When the Agent Tries

When a Claude or OpenAI agent attempts docker run -d --name myapp nginx:latest:

  1. SafeClaw intercepts the shell.exec action request.
  2. Rules are evaluated in order. The privileged and socket rules do not match. The general deny-docker-run rule matches docker run*.
  3. Execution is blocked. No image pull occurs. No container starts.
  4. Audit entry recorded:
{
  "timestamp": "2026-02-13T13:08:55Z",
  "action": "shell.exec",
  "command": "docker run -d --name myapp nginx:latest",
  "effect": "deny",
  "rule": "deny-docker-run",
  "agent": "devops-agent-01",
  "hash": "e5a2c8...chain"
}

If the agent tries docker run --privileged alpine sh, the more specific privileged-deny rule matches first, and the audit entry reflects that rule with its permanent denial message.

How to Allow docker run with Approval

For CI/CD workflows where agents need to run containers from trusted registries:

rules:
  - id: deny-docker-run-privileged
    action: shell.exec
    match:
      command: "docker run*--privileged*"
    effect: deny
    audit: true
    message: "Privileged containers are permanently denied."

  - id: deny-docker-run-socket-mount
    action: shell.exec
    match:
      command: "docker run*docker.sock*"
    effect: deny
    audit: true
    message: "Socket mounting is permanently denied."

  - id: allow-docker-run-internal-registry
    action: shell.exec
    match:
      command: "docker run*registry.internal.com/*"
    effect: approval
    audit: true
    approvers:
      - role: devops-engineer
    timeout: 180
    message: "Internal registry container run requires DevOps approval."

  - id: deny-docker-run-all
    action: shell.exec
    match:
      command: "docker run*"
    effect: deny
    audit: true
    message: "Only internal registry images may be run, with approval."

This layered approach hard-denies the most dangerous patterns, routes internal registry images through approval, and blocks everything else. The order is what makes it safe: because the socket-mount rule precedes the approval rule, a command such as docker run -v /var/run/docker.sock:/var/run/docker.sock registry.internal.com/tool:1 is denied outright rather than offered to an approver. The DevOps engineer sees the full command, including image name, tag, volume mounts, and port mappings, before approving, so a trusted registry prefix alone is never a blanket allow.

Verification

npx @authensor/safeclaw simulate --action 'shell.exec' --command 'docker run --privileged alpine'

Expected: deny, rule: deny-docker-run-privileged

npx @authensor/safeclaw simulate --action 'shell.exec' --command 'docker run nginx:latest'

Expected: deny, rule: deny-docker-run

Try SafeClaw

Action-level gating for AI agents. Set it up in your browser in 60 seconds.

$ npx @authensor/safeclaw