The question: Can Claude Code run without a human — and what does that make possible for continuous network compliance?
Headless mode
The -p flag runs Claude Code non-interactively. No terminal UI. No permission prompts. It reads a prompt, executes, and returns structured output.
```bash
claude -p "Read configs/core-nyc-01.cfg and list all BGP neighbors \
  with remote AS, state, and prefixes received" \
  --allowedTools "Read,Grep,Glob" \
  --output-format json
```
Output is structured JSON parseable by downstream tools. In a pipeline, Claude Code becomes an analysis component — not an interactive assistant.
Network compliance pipeline
```yaml
# .github/workflows/config-compliance.yml
name: Network Config Compliance
on:
  push:
    paths: ['configs/**']
  schedule:
    - cron: '0 6 * * 1' # Every Monday 06:00 UTC
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Audit security baseline
        id: audit
        uses: anthropics/claude-code-action@v1
        with:
          prompt: |
            Audit all files in configs/ against this security baseline:
            1. No plaintext passwords
            2. NTP authentication enabled
            3. SNMP community strings not default ("public"/"private")
            4. SSH v2 enforced
            5. Management ACLs on VTY lines
            6. Syslog server configured
            7. DHCP snooping on access VLANs
            8. No interfaces in VLAN 1 with an IP address
            9. Exec-timeout on console and VTY ≤ 10 minutes
            10. Banner login present
            Output JSON array: [{device, finding, severity, line, remediation}]
          allowed-tools: Read,Glob,Grep
          output-format: json
      - name: Post critical findings to Slack
        if: contains(steps.audit.outputs.result, '"severity":"Critical"')
        run: |
          curl -X POST "${{ secrets.SLACK_WEBHOOK }}" \
            -H 'Content-Type: application/json' \
            -d '{"text":"⚠️ Critical config compliance findings detected. See: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"}'
      - name: Create JIRA tickets for high-severity findings
        if: contains(steps.audit.outputs.result, '"severity":"High"')
        env:
          # Hand the model output to the script through the environment instead of
          # interpolating it into the shell text, so a quote inside a finding cannot
          # break out of the command.
          AUDIT_RESULT: ${{ steps.audit.outputs.result }}
        run: |
          # -c emits one finding per line, which is what `read` expects.
          printf '%s' "$AUDIT_RESULT" | \
            jq -c '.[] | select(.severity == "High")' | \
            while read -r finding; do
              echo "Would create ticket: $finding"
            done
```
Every config push triggers an audit. Every Monday, the entire config repository is scanned. Critical findings go to Slack. High-severity findings create tickets. No human wrote the parsing logic. No human triggered the scan. The pipeline enforces compliance continuously.
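Downstream of the audit step, something has to turn the model's output into decisions. The following is an added example, not code from the article or from the claude-code-action project. It assumes the step output is the JSON envelope that `claude -p --output-format json` prints (an object whose `result` field carries the model's text), and that the text contains the array the prompt asked for, `[{device, finding, severity, line, remediation}]`. Parsing that array is more robust than a substring match on `'"severity":"Critical"'`, which fails as soon as the model pretty-prints with a space after the colon. The envelope below is constructed; it deliberately wraps the array in a Markdown fence with a sentence of prose, the kind of variation headless pipelines have to tolerate.

```python
"""Consume and validate the findings emitted by the compliance audit step.

Added example (not part of the original pipeline). Assumes the audit step
output is the `claude -p --output-format json` envelope with a `result`
field holding the model's text. SAMPLE_ENVELOPE is constructed.
"""
import json
import re
from collections import defaultdict

SEVERITIES = ("Critical", "High", "Medium", "Low", "Info")
REQUIRED_KEYS = {"device", "finding", "severity", "line", "remediation"}

# Constructed stand-in for steps.audit.outputs.result.
SAMPLE_ENVELOPE = json.dumps({
    "type": "result",
    "is_error": False,
    "result": (
        "Here are the findings:\n```json\n"
        + json.dumps([
            {"device": "core-nyc-01", "finding": "snmp-server community public RO",
             "severity": "Critical", "line": 212,
             "remediation": "Remove default community; use SNMPv3 authPriv."},
            {"device": "core-nyc-01", "finding": "line vty 0 4 has no access-class",
             "severity": "High", "line": 301,
             "remediation": "Apply management ACL with 'access-class MGMT in'."},
            {"device": "access-nyc-07", "finding": "exec-timeout 0 0 on console",
             "severity": "Medium", "line": 288,
             "remediation": "Set 'exec-timeout 10 0'."},
        ])
        + "\n```\n"
    ),
})


def extract_findings(envelope_text: str) -> list[dict]:
    """Return the validated findings array from the action's JSON output.

    Raises ValueError when the output cannot be trusted, so the workflow step
    fails loudly instead of silently reporting "no findings".
    """
    envelope = json.loads(envelope_text)
    if envelope.get("is_error"):
        raise ValueError("audit step reported an error")
    text = envelope.get("result", "")
    # Locate the outermost JSON array even when prose or a fence surrounds it.
    match = re.search(r"\[.*\]", text, re.DOTALL)
    if not match:
        raise ValueError("no JSON array in model output")
    findings = json.loads(match.group(0))
    if not isinstance(findings, list):
        raise ValueError("model output is not a JSON array")
    for item in findings:
        missing = REQUIRED_KEYS - set(item)
        if missing:
            raise ValueError(f"finding missing keys: {sorted(missing)}")
        if item["severity"] not in SEVERITIES:
            raise ValueError(f"unknown severity: {item['severity']!r}")
    return findings


def group_by_severity(findings: list[dict]) -> dict[str, list[dict]]:
    """Bucket findings so each downstream action receives exactly its subset."""
    groups: dict[str, list[dict]] = defaultdict(list)
    for f in findings:
        groups[f["severity"]].append(f)
    return dict(groups)


def slack_payload(critical: list[dict], run_url: str) -> dict:
    """Build the Slack message body for the Critical bucket."""
    lines = [f"*{f['device']}* line {f['line']}: {f['finding']}" for f in critical]
    return {"text": f"⚠️ {len(critical)} critical config compliance finding(s). "
                    f"See: {run_url}\n" + "\n".join(lines)}


def ticket_summaries(high: list[dict]) -> list[str]:
    """One ticket title per High finding; the ticket body would carry remediation."""
    return [f"[{f['device']}] {f['finding']}" for f in high]


if __name__ == "__main__":
    groups = group_by_severity(extract_findings(SAMPLE_ENVELOPE))
    print(json.dumps(slack_payload(groups.get("Critical", []),
                                   "https://example.invalid/actions/runs/1"), indent=2))
    for title in ticket_summaries(groups.get("High", [])):
        print("Would create ticket:", title)
```

In the workflow this would replace the `contains(...)` conditions: the script exits non-zero when the output is malformed, and the Slack and ticket steps act on the buckets it returns rather than on raw text.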
Pre-merge config review
```yaml
- name: Validate proposed config changes
  uses: anthropics/claude-code-action@v1
  with:
    prompt: |
      This PR modifies: ${{ steps.changed-files.outputs.files }}
      For each changed config file:
      1. Is the syntax valid for the target platform?
      2. Do all referenced objects exist (ACLs, prefix-lists,
         route-maps, interfaces, VLANs)?
      3. Does the change remove management access from any device?
      4. Could the change create a routing loop?
      5. Is the change consistent with our CLAUDE.md conventions?
      If any check fails, explain the issue and block the merge.
    allowed-tools: Read,Glob,Grep
```
This is a config review bot that validates semantic consistency, not just syntax. Does the ACL referenced in the new route-map actually exist? Does the VLAN trunked on the new interface match the VTP domain? Does removing this static route create a blackhole for the management subnet? These are the checks humans miss during a 2 AM change window.
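Check 2 in the prompt, "do all referenced objects exist", is also the kind of check that can be made deterministic and run beside the model, so a dangling ACL or route-map reference blocks the merge whether or not the review bot mentions it. The following is an added example, not code from the article. It recognises a handful of IOS-style definition and reference forms (named and numbered ACLs, prefix-lists, route-maps, `ip access-group`, `access-class`, BGP neighbor route-maps) and reports every reference with no definition. The config is constructed; real configs use many more reference forms, and the pattern tables are where you would extend it.

```python
"""Deterministic cross-reference check for an IOS-style configuration.

Added example (not part of the original review bot). SAMPLE_CONFIG is a
constructed config with three dangling references planted in it.
"""
import re

SAMPLE_CONFIG = """\
ip access-list extended MGMT
 permit tcp 10.10.0.0 0.0.255.255 any eq 22
ip access-list standard SNMP-RO
 permit 10.10.5.0 0.0.0.255
ip prefix-list CUSTOMER-IN seq 5 permit 203.0.113.0/24
route-map RM-CUST-IN permit 10
 match ip address prefix-list CUSTOMER-IN
route-map RM-CUST-OUT permit 10
 match ip address ADVERTISE-OUT
router bgp 65000
 neighbor 198.51.100.1 route-map RM-CUST-IN in
 neighbor 198.51.100.1 route-map RM-CUST-OUT out
 neighbor 198.51.100.2 route-map RM-PEER-IN in
interface GigabitEthernet0/1
 ip access-group EDGE-IN in
line vty 0 4
 access-class MGMT in
"""

# Definitions: lines that declare an object of each kind (group 1 = name).
DEFINITIONS = {
    "acl": [re.compile(r"^ip access-list (?:standard|extended) (\S+)"),
            re.compile(r"^access-list (\d+) ")],
    "prefix-list": [re.compile(r"^ip prefix-list (\S+) ")],
    "route-map": [re.compile(r"^route-map (\S+) ")],
}

# References: indented lines that name an object they expect to exist.
# The negative lookahead keeps `match ip address prefix-list X` out of the ACL bucket.
REFERENCES = {
    "acl": [re.compile(r"^\s+match ip address (?!prefix-list)(\S+)"),
            re.compile(r"^\s+ip access-group (\S+) (?:in|out)"),
            re.compile(r"^\s+access-class (\S+) (?:in|out)")],
    "prefix-list": [re.compile(r"^\s+match ip address prefix-list (\S+)")],
    "route-map": [re.compile(r"^\s+neighbor \S+ route-map (\S+) (?:in|out)")],
}


def collect(config: str, patterns: dict) -> dict[str, set[str]]:
    """Map object kind -> set of names matched by the given pattern table."""
    found: dict[str, set[str]] = {kind: set() for kind in patterns}
    for line in config.splitlines():
        for kind, regexes in patterns.items():
            for rx in regexes:
                m = rx.match(line)
                if m:
                    found[kind].add(m.group(1))
    return found


def dangling_references(config: str) -> list[tuple[str, str, int]]:
    """Return (kind, name, line_number) for every reference that has no definition."""
    defined = collect(config, DEFINITIONS)
    missing = []
    for lineno, line in enumerate(config.splitlines(), start=1):
        for kind, regexes in REFERENCES.items():
            for rx in regexes:
                m = rx.match(line)
                if m and m.group(1) not in defined[kind]:
                    missing.append((kind, m.group(1), lineno))
    return missing


if __name__ == "__main__":
    problems = dangling_references(SAMPLE_CONFIG)
    for kind, name, lineno in problems:
        print(f"line {lineno}: {kind} '{name}' is referenced but never defined")
    raise SystemExit(1 if problems else 0)
```

Run against each changed file in the PR, a non-zero exit blocks the merge on its own, and the model's review is then free to concentrate on the checks that genuinely need judgement, such as whether a change strands the management subnet.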
Headless safety
Critical rule: Headless mode should always restrict tools to read-only:
```bash
claude -p "..." --allowedTools "Read,Grep,Glob"
```
In a pipeline, Claude should never have SSH access, write access to production configs, or the ability to execute arbitrary commands. Analysis and reporting only. The pipeline detects problems. Humans fix them.
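A rule like this only holds if something checks it, since the next edit to the workflow can quietly add `Edit` or `Bash` to the tool list. The following is an added example, not code from the article or the action's project: a small linter that scans workflow text for the two places a tool list appears on this page, the `allowed-tools:` input of `anthropics/claude-code-action` and the `--allowedTools` flag of `claude -p`, and reports every tool outside the read-only set. It works on the raw text, so it needs no YAML library, and it strips permission-rule suffixes such as `Bash(git commit:*)` down to the tool name before comparing. The two workflow fragments are constructed.

```python
"""Lint GitHub Actions workflow text so headless Claude Code steps stay read-only.

Added example (not part of the original article). COMPLIANT and DRIFTED are
constructed workflow fragments; the input/flag names come from the page.
"""
import re

READ_ONLY_TOOLS = frozenset({"Read", "Grep", "Glob"})

# Captures the tool list that follows `allowed-tools:` or `--allowedTools`,
# stopping at a quote, a line-continuation backslash or end of line.
TOOL_LIST_RX = re.compile(r"(?:allowed-tools:|--allowedTools)\s*[\"']?([^\"'\n\\]+)")

COMPLIANT = """\
      - name: Audit security baseline
        uses: anthropics/claude-code-action@v1
        with:
          allowed-tools: Read,Glob,Grep
          output-format: json
"""

DRIFTED = """\
      - name: Audit and remediate
        uses: anthropics/claude-code-action@v1
        with:
          allowed-tools: Read,Glob,Grep,Edit,Bash(git commit:*)
      - name: Ad-hoc check
        run: claude -p "summarize configs/" --allowedTools "Read,Bash" --output-format json
"""


def tool_names(spec: str) -> list[str]:
    """Split a comma-separated tool spec into bare tool names.

    A permission rule such as "Bash(git commit:*)" still grants the Bash tool,
    so only the part before "(" matters for the read-only decision.
    """
    return [t.strip().split("(")[0] for t in spec.split(",") if t.strip()]


def lint_workflow(text: str) -> list[tuple[int, str]]:
    """Return (line_number, tool) for every tool that is not read-only."""
    violations = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in TOOL_LIST_RX.finditer(line):
            for tool in tool_names(m.group(1)):
                if tool not in READ_ONLY_TOOLS:
                    violations.append((lineno, tool))
    return violations


if __name__ == "__main__":
    for label, text in (("compliant", COMPLIANT), ("drifted", DRIFTED)):
        problems = lint_workflow(text)
        status = "OK" if not problems else "FAIL"
        print(f"{label}: {status}")
        for lineno, tool in problems:
            print(f"  line {lineno}: non-read-only tool {tool!r}")
```

Run it over `.github/workflows/*.yml` as its own required check, and a PR that widens the tool set fails before it can merge.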