
Codex Security

Codex Security and Enterprise Management


Codex provides multi-layered security mechanisms and enterprise management features to ensure data security and support team collaboration.


Security Mechanisms Overview


Codex security design is divided into multiple layers:

| Layer | Mechanism | Function |
|---|---|---|
| Sandbox Isolation | Sandbox Mode | Restricts file and command access scope |
| Approval Policy | Approval Policy | Controls confirmation before operation execution |
| Rules Engine | Rules | Defines command execution permissions |
| Network Control | Network Access Settings | Restricts external network access |
| Data Protection | Enterprise Features | Audit logging, data residency |

Sandbox Mode


Sandbox is Codex’s core security mechanism, limiting the Agent’s operational scope.


Three Sandbox Modes

| Mode | File Modification | Command Execution | Network Access | Applicable Scenarios |
|---|---|---|---|---|
| read-only | Prohibited | Prohibited | Prohibited | Code review, analysis |
| workspace-write | Workspace only | Allowed | Prohibited | Daily development (Recommended) |
| danger-full-access | Allowed | Allowed | Allowed | Special scenarios (use with caution) |

Setting the Sandbox Mode


Sandbox Configuration

```
# Specify on the CLI
codex --sandbox read-only
codex --sandbox workspace-write
codex --sandbox danger-full-access

# Configuration file
# ~/.codex/config.toml
sandbox = "workspace-write"
```

Sandbox Boundaries

  • Workspace boundary: workspace-write mode only allows modifying files within the project directory
  • Command boundary: read-only prohibits all command execution
  • Network boundary: network access during the Agent phase is disabled by default

Use workspace-write mode by default, and use danger-full-access only when necessary.

Approval Policy


Approval policy controls Codex’s confirmation behavior before executing operations.


Four Approval Modes

| Mode | Behavior | Risk Level |
|---|---|---|
| suggest | Provides suggestions only; performs no operations | Lowest |
| interactive | Asks for confirmation before sensitive operations | Low |
| auto-edit | Automatically edits files; commands require confirmation | Medium |
| full-auto | Automatically executes all operations | High |

Setting the Approval Policy


Approval Configuration

```
# Specify on the CLI
codex --approval-mode interactive

# Switch during a session
/approval suggest
/approval auto-edit

# Configuration file
approval_policy = "interactive"
```

Rules Engine


Rules use the Starlark language to define command execution policies.


Rule Types

| Rule | Description |
|---|---|
| prefix_rule | Matches command prefixes |
| glob_rule | Matches file path patterns |

Decision Types

| Decision | Behavior |
|---|---|
| allow | Automatically approves execution |
| prompt | Asks user for confirmation |
| forbidden | Prohibits execution |

Rule Examples


Rule Definition

```starlark
# ~/.codex/rules/default.rules

# Allow Git commands
prefix_rule(
    pattern = ["git"],  # assumed value; the page leaves this pattern blank
    decision = "allow",
    justification = "Git commands are safe for version control"
)

# Allow npm install
prefix_rule(
    pattern = ["npm", "install"],
    decision = "allow",
    justification = "Package installation is expected"
)

# Prohibit deletion of root directory
prefix_rule(
    pattern = ["rm", "-rf", "/"],
    decision = "forbidden",
    justification = "Prevent system damage"
)

# Prompt for sudo commands
prefix_rule(
    pattern = ["sudo"],  # assumed value; the page leaves this pattern blank
    decision = "prompt",
    justification = "Elevated privileges need review"
)
```
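The Python sketch below is an added example, not Codex's evaluator and not code from the original page. It models a prefix_rule as an exact match on the leading command tokens and reports which spellings of a destructive command the forbidden rule covers. The strictest-match-wins precedence, the `default` fallback and the `["git"]` and `["sudo"]` patterns are assumptions.

```python
import shlex

# Simplified model (assumption): a prefix_rule matches when its pattern
# equals the leading argv tokens of the command, token for token.
RULES = [
    (["git"], "allow"),               # pattern assumed, see lead-in
    (["npm", "install"], "allow"),
    (["rm", "-rf", "/"], "forbidden"),
    (["sudo"], "prompt"),             # pattern assumed, see lead-in
]
STRICTNESS = {"allow": 0, "prompt": 1, "forbidden": 2}


def decide(command, rules=RULES, default="prompt"):
    """Return the strictest decision among matching rules, else `default`."""
    argv = shlex.split(command)
    hits = [d for pattern, d in rules if argv[:len(pattern)] == pattern]
    return max(hits, key=STRICTNESS.__getitem__) if hits else default


def coverage_gaps(commands, expected, rules=RULES, default="prompt"):
    """List commands whose decision differs from what the policy intends."""
    return [c for c in commands if decide(c, rules, default) != expected]


# Constructed spellings of the command the forbidden rule is meant to stop.
DESTRUCTIVE = ["rm -rf /", "rm -fr /", "rm -r -f /",
               "rm -rf / --no-preserve-root"]

if __name__ == "__main__":
    for cmd in ["git status", "npm install left-pad", "sudo apt update"]:
        print(f"{decide(cmd):9} {cmd}")
    for cmd in DESTRUCTIVE:
        print(f"{decide(cmd):9} {cmd}")
    print("not forbidden:", coverage_gaps(DESTRUCTIVE, "forbidden"))
```

Under this model the reordered flag spellings fall through to the default decision, so the fallback for unmatched commands should be `prompt` rather than `allow`, and the sandbox mode remains the control that actually bounds file changes.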

Network Access Control

Network access control limits Codex’s network access to prevent data leakage.

Cloud Network Control

| Phase | Default Access | Description |
|---|---|---|
| Setup Script | Allowed | Required for downloading dependencies |
| Agent Execution | Prohibited | Disabled by default; can be enabled |

Domain Allowlist


Network Configuration

```toml
# Default allowlist
domain_allowlist = "common-dependencies"
# Includes: github.com, npmjs.com, pypi.org

# Custom domains (set instead of the default allowlist above)
domain_allowlist = [
    "github.com",
    "api.mycompany.com"
]

# Restrict HTTP methods
allowed_methods = ["GET", "HEAD", "OPTIONS"]
```

Security Risks


Risks introduced by enabling Agent network access:

  • Prompt injection: receiving instructions from malicious web pages
  • Data leakage: sending code or secrets externally
  • Malicious dependencies: downloading packages containing malicious code

Enable Agent network access only when necessary, and restrict it using a domain whitelist.
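How a domain allowlist and a method restriction combine into one decision per request, as an added Python example that is not Codex's implementation or code from the original page. The allowlist and method values are the page's sample configuration; the matching rule (exact host or a subdomain of an entry) and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Values from the page's example configuration.
DOMAIN_ALLOWLIST = ["github.com", "api.mycompany.com"]
ALLOWED_METHODS = ["GET", "HEAD", "OPTIONS"]


def host_allowed(host, allowlist=DOMAIN_ALLOWLIST):
    """Exact host or a subdomain of an entry (assumed matching rule)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowlist)


def check_request(method, url):
    """Return 'ok', or the name of the control that blocks the request."""
    host = urlsplit(url).hostname  # parsed host, without any userinfo part
    if host is None or not host_allowed(host):
        return "domain"
    if method.upper() not in ALLOWED_METHODS:
        return "method"
    return "ok"


# Constructed requests: allowed hosts, look-alike hosts and a write method.
SAMPLES = [
    ("GET", "https://github.com/org/repo.git"),
    ("GET", "https://api.github.com/repos/org/repo"),
    ("GET", "https://github.com.mirror.example/org/repo"),
    ("GET", "https://github.com@mirror.example/org/repo"),
    ("GET", "https://notgithub.com/org/repo"),
    ("POST", "https://api.mycompany.com/upload"),
]


def audit(samples=SAMPLES):
    """Decision for each sample request, in order."""
    return [check_request(method, url) for method, url in samples]


if __name__ == "__main__":
    for (method, url), verdict in zip(SAMPLES, audit()):
        print(f"{verdict:7} {method:5} {url}")
```

The check compares the parsed hostname rather than searching the URL string, which is why the look-alike hosts in the samples are rejected.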


Enterprise Management Features


The Enterprise plan provides enterprise-grade security and management features.


Enterprise Features Overview

| Feature | Description |
|---|---|
| SCIM | Automatic user provisioning |
| SAML SSO | Single sign-on integration |
| MFA | Multi-factor authentication |
| EKM | Enterprise key management |
| RBAC | Role-based access control |
| Audit Logging | Complete operation records |
| Data Residency | Specify data storage regions |

Managed Configuration


Enterprise administrators can deploy unified configurations.


Managed Configuration Priority


Configuration merge order:

  1. Managed configuration (enterprise-deployed): highest priority
  2. Project configuration (.codex/config.toml)
  3. User configuration (~/.codex/config.toml): lowest priority

Managed Configuration Example


Enterprise Managed Configuration

```toml
# Enterprise-pushed managed configuration

# Enforced sandbox mode
sandbox = "workspace-write"

# Enforced approval policy
approval_policy = "interactive"

# Disabled models
disabled_models = ["gpt-5.4-mini"]

# Network whitelist
domain_allowlist = ["github.com", "internal-api.company.com"]

# Audit configuration
audit_logging = true
```
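The merge order described above can be checked with a short Python sketch. This is an added example, not Codex's merge code or code from the original page: it resolves three layers, records which layer each effective value came from, and lists the user or project settings that the managed layer replaced. Whole-value replacement per key (no merging of lists) and the user and project layer contents are assumptions constructed for illustration.

```python
# Layers listed lowest priority first, the reverse of the merge order above.
LAYER_ORDER = ["user", "project", "managed"]

# Constructed layers; the managed values come from the example above.
LAYERS = {
    "user": {"sandbox": "danger-full-access"},
    "project": {"approval_policy": "full-auto",
                "allowed_methods": ["GET", "HEAD", "OPTIONS"]},
    "managed": {"sandbox": "workspace-write",
                "approval_policy": "interactive",
                "domain_allowlist": ["github.com", "internal-api.company.com"],
                "audit_logging": True},
}


def effective_config(layers):
    """Merge the layers; return {key: (value, winning_layer)}."""
    merged = {}
    for name in LAYER_ORDER:  # later (higher-priority) layers overwrite
        for key, value in layers.get(name, {}).items():
            merged[key] = (value, name)
    return merged


def overridden(layers):
    """List (layer, key, attempted, enforced) where managed config won."""
    managed = layers.get("managed", {})
    return [(name, key, value, managed[key])
            for name in ("user", "project")
            for key, value in layers.get(name, {}).items()
            if key in managed and managed[key] != value]


if __name__ == "__main__":
    for key, (value, source) in sorted(effective_config(LAYERS).items()):
        print(f"{key:18} {value!r:52} from {source}")
    for finding in overridden(LAYERS):
        print("overridden:", finding)
```

The `overridden` list is the part worth reviewing: each entry is a local setting that asked for a weaker posture than the enterprise policy enforces.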

Audit Logging


The Enterprise plan provides comprehensive audit logging functionality.


Log Contents

| Record Type | Description |
|---|---|
| Session Records | Creation, modification, and deletion of each session |
| Tool Calls | Details of file read/write and command execution |
| Model Calls | API calls and token usage |
| User Operations | User authentication and permission changes |

Log Access


Audit Logging

```
# Access audit logs via the enterprise management console
# Exportable as:
- JSON format
- CSV format
- SIEM system integration format
```

Data Residency


Enterprise users can specify data storage regions.


Residency Options

| Region | Description |
|---|---|
| United States | Default region |
| Europe | GDPR-compliant |
| Other Regions | Configurable based on enterprise needs |

Data residency settings require contacting the sales team for configuration.


Team Management


User Provisioning


SCIM Configuration

```
# Automatically manage users via IdP (such as Okta, Azure AD)
# Supported operations:
- Auto-create users
- Automatically update user attributes
- Auto-disable / delete users
```

Role Permissions

| Role | Permissions |
|---|---|
| Admin | Full management permissions |
| Member | Standard usage permissions |
| Viewer | Read-only permissions |

Security Best Practices


Daily Usage

  • Default to workspace-write sandbox mode
  • Use interactive approval mode for sensitive operations
  • Regularly review Rules configuration
  • Store API keys as Secrets

Enterprise Deployment

  • Enable SAML SSO and MFA
  • Configure unified policies for managed configuration
  • Enable audit logging
  • Configure data residency according to compliance requirements
  • Restrict network access using domain whitelisting

Frequently Asked Questions

Q: How do I prevent Codex from deleting important files?

Use read-only or workspace-write sandbox mode, and add Rules to prohibit delete commands.


Q: How do enterprises uniformly configure it?


Use the managed configuration feature so enterprise admins can push unified configurations that override user settings.


Q: What information does the audit log contain?

It contains complete records of all sessions, tool calls, model calls, and user operations.

Q: How do I handle sensitive data?

Store sensitive information using Secrets; they are available only in setup scripts and are automatically removed during the Agent phase.
