

















When implementing anthropics/claude-code-action in GitHub Actions, understanding its security implications is crucial for enterprise deployments. In our first article, we explored the unique security considerations when running AI coding agents in CI/CD environments. The second article demonstrated how runtime monitoring enhances GitHub Copilot's built-in security features. Now, let's examine Claude Code - an agent that prioritizes flexibility and power over built-in restrictions - and show how Harden-Runner provides the essential security layer for production deployments.
Claude Code in GitHub Actions takes a fundamentally different approach to security compared to GitHub Copilot. While Copilot includes a network firewall by default, Claude Code operates without network restrictions, giving it unrestricted access to external resources. This design philosophy prioritizes developer flexibility and agent capability, but it also means that security becomes entirely the responsibility of the implementation team.
This lack of built-in network controls isn't a weakness - it's a design choice that enables Claude Code to:
However, this flexibility makes runtime security monitoring not just important, but essential. Without visibility into Claude's network activities, organizations operate blind to potential security risks.
Claude Code does provide configuration options through allowed_tools and disallowed_tools that help shape the agent's behavior:
allowed_tools: |
Bash(npm install)
Bash(npm test)These controls are valuable for defining what actions Claude can take, but they don't address the core security challenge: visibility into runtime behavior. You can restrict Claude to only use specific bash commands, but you still can't see:
.png)
Given Claude Code's unrestricted network access, implementing Harden-Runner becomes your primary security control. Here's how to secure anthropics/claude-code-action in your GitHub workflows::
name: Claude Code
on:
issue_comment:
types: [created]
pull_request_review_comment:
types: [created]
issues:
types: [opened, assigned]
pull_request_review:
types: [submitted]
jobs:
claude:
if: |
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
(github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: read
issues: read
id-token: write
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@v2
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 1
- name: Run Claude Code
id: claude
uses: anthropics/claude-code-action@beta
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
allowed_tools: "Bash"Let's examine a real example where anthropics/claude-code-action was deployed in a production workflow. The Claude Code agent was tasked with creating a Python program for image generation and OCR capabilities. You can see this GitHub issue here.
When a user asked Claude Code to implement the issue, it triggered the GitHub Actions workflow run Claude Code #2. This workflow run was monitored by Harden-Runner due to the copilot-setup-steps.yml workflow file created previously. As this is a public repository, you can explore the Harden-Runner insights for this run here.
On this insights page, you can find detailed information about:
The network events tab reveals fascinating insights into Claude Code's execution pattern.

Here's what happened during the workflow run:
1. Initial Setup and Repository Operations
2. Claude Code Runtime Initialization
3. Core Claude Code Operations
4. Package Management and Dependencies
5. Python Environment Setup
6. Runtime Monitoring and Telemetry
7. Final Execution and Network Activity
From this network activity, we can observe several critical differences from GitHub Copilot:
This level of visibility would be impossible without runtime monitoring. Standard CI/CD logs show only high-level job status, while Harden-Runner reveals:
The unrestricted nature of Claude Code's network access makes this monitoring not just useful but essential for security teams to understand what's happening in their CI/CD pipelines. You can see end to end flow in the screen recording below:
The anthropics/claude-code-action Claude Code action represents a different philosophy in AI coding agents - one that prioritizes capability and flexibility over built-in restrictions. This approach enables powerful automation scenarios but requires thoughtful security implementation.
By pairing Claude Code with Harden-Runner, organizations get the best of both worlds: unrestricted AI capabilities with comprehensive security visibility. The network monitoring data we've examined shows that Claude Code's flexibility is both its greatest strength and its most significant security consideration.
.png)
The future of software development is AI-powered, and with tools like Harden-Runner, we can ensure that future is also secure.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。