# Codex CLI Sandbox and Security | Rookie Tutorial
Codex CLI has a built-in sandbox mechanism and security policy to ensure system and data security while helping you program. This section details these security mechanisms and how to configure them.
* * *
## Sandbox Mechanism
Codex executes commands and operates files in an isolated sandbox environment. This design ensures:
* Modifications to your project files are controllable
* Potentially dangerous commands require your confirmation
* Sensitive data is not accidentally leaked
> The sandbox is the first line of defense in Codex's security strategy, ensuring that AI operations do not exceed your expected scope.
* * *
## Execution Policy
Codex uses an Execution Policy to control the behavior of different types of operations:
### Policy Types
| Policy | Behavior | Applicable Scenario |
| --- | --- | --- |
| `ask` | Ask for confirmation before each execution | Daily development (default) |
| `approve` | Automatically approve execution | Fully trusted environment |
| `deny` | Reject all operations that may have side effects | Read-only mode |
### Operations Requiring Confirmation
The following types of operations will trigger confirmation requests:
* Executing shell commands (especially `rm`, `kill`, etc.)
* Modifying or deleting files
* Creating new files
* Accessing sensitive directories (such as `~/.ssh/`, `/etc/`)
* Network requests (in specific cases)
### Configuring Execution Policy
```toml
# Setting the execution policy in the configuration
default_policy = "ask"
```
> For security reasons, it is not recommended to set the default policy to `approve` unless you fully understand the potential risks.
* * *
## Confirmation Dialog
When Codex needs to perform a sensitive operation, it will display a confirmation dialog:
```text
──────────────────────────────────────────────────────
 Confirm Execution
──────────────────────────────────────────────────────
 Codex plans to execute the following operation:

   Command:   rm -rf node_modules/
   Directory: /path/to/project

 This will permanently delete the directory and all its contents.

   Confirm execution    Cancel    Always allow this type of operation
──────────────────────────────────────────────────────
```
### Option Descriptions
| Option | Description |
| --- | --- |
| `Y` | Execute only this time |
| `N` | Cancel operation |
| `A` | Add rule, automatically approve in the future |
> Be careful when selecting "Always allow", ensure that the operation is indeed safe.
* * *
## File Access Control
### Protected Directories
Certain system directories are protected by default, and Codex will require additional confirmation when accessing these directories:
| Directory | Description |
| --- | --- |
| `~/.ssh/` | SSH keys and configuration |
| `~/.aws/` | AWS credentials |
| `/etc/` | System configuration |
| `~/.git-credentials` | Git credential storage |
### Custom Protection Rules
You can add custom protection rules in the configuration:
```toml
# Configuring file access rules

# Allowed directories
allowed_paths = [
  "~/projects/*",
  "/workspace/*"
]

# Protected directories (require additional confirmation)
protected_paths = [
  "~/.ssh/*",
  "~/secrets/*"
]
```
* * *
## Network Access Control
Codex can restrict the scope of network requests:
```toml
# Configuring network access

# Allowed domains
allowed_domains = [
  "github.com",
  "api.openai.com"
]

# Whether to allow localhost access
allow_localhost = false

# Whether to allow private network access
allow_private_network = false
```
> Restricting network access can prevent Codex from accidentally connecting to untrusted services.
* * *
## Working Directory Restriction
You can restrict Codex to operate only in specific directories:
```toml
# Restricting working directories

# Codex can only operate in these directories
working_directories = [
  "~/projects/*",
  "/workspace/*"
]

# Behavior when out of bounds: "warn" (warning) or "deny" (reject)
out_of_bounds = "deny"
```
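The protected-path, allowed-path and working-directory rules above only work if every path is normalized before it is matched. The following Python is an added example (not Codex's own code) that evaluates those rules for one path; the config is the parsed form of the TOML shown in this section and in "Custom Protection Rules", and the precedence (protected first, then bounds, then the allow list) is this example's own assumption about how Codex orders the checks.

```python
import fnmatch
import posixpath

# Parsed form of the file-access and working-directory settings above
# (constructed; the real Codex config layout and precedence rules are assumed).
CONFIG = {
    "allowed_paths": ["~/projects/*", "/workspace/*"],
    "protected_paths": ["~/.ssh/*", "~/secrets/*"],
    "working_directories": ["~/projects/*", "/workspace/*"],
    "out_of_bounds": "deny",
}


def expand_home(path, home):
    """Expand a leading '~' against an explicit home directory (explicit so the
    result does not depend on the machine running the check)."""
    if path == "~":
        return home
    if path.startswith("~/"):
        return home + path[1:]
    return path


def canonical(path, home, cwd):
    """Absolute, '..'-free form of a path. Rules must be matched against this
    form, otherwise 'src/../../.ssh/id_rsa' would be judged as something under
    src/. Symlinks are not resolved here; a real enforcer should also run the
    result through os.path.realpath() before matching."""
    path = expand_home(path, home)
    if not path.startswith("/"):
        path = posixpath.join(cwd, path)
    return posixpath.normpath(path)


def matches_any(path, patterns, home):
    """Glob match against every pattern; '*' in fnmatch also spans '/'."""
    return any(fnmatch.fnmatchcase(path, expand_home(p, home)) for p in patterns)


def classify(path, config=CONFIG, home="/home/dev", cwd="/home/dev/projects/app"):
    """Decide what the policy does with an access to `path`:
       'confirm'     - under protected_paths: extra confirmation required
       'allow'       - inside the working directories and in allowed_paths
       'ask'         - inside the working directories but not in allowed_paths
       'deny'/'warn' - outside working_directories, per out_of_bounds"""
    target = canonical(path, home, cwd)
    if matches_any(target, config["protected_paths"], home):
        return "confirm"
    if not matches_any(target, config["working_directories"], home):
        return config.get("out_of_bounds", "deny")
    if matches_any(target, config["allowed_paths"], home):
        return "allow"
    return "ask"


if __name__ == "__main__":
    for p in ["src/main.py", "src/../../../.ssh/id_rsa", "/etc/passwd", "/workspace/repo/README.md"]:
        print(f"{p:32} -> {classify(p)}")
```

The second sample path is the case worth remembering: relative to the project directory it looks like something under `src/`, but after normalization it resolves to `~/.ssh/id_rsa` and is classified as protected. Matching rules against the raw string instead would miss it.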
* * *
## Command Whitelist/Blacklist
### Whitelist Mode (Recommended)
Only allow execution of explicitly listed commands:
```toml
# Command whitelist

# Whitelist mode
whitelist_enabled = true
allowed_commands = [
  "git",
  "npm",
  "node",
  "python",
  "cargo"
]
```
### Blacklist Mode
Prohibit execution of specific commands:
```toml
# Command blacklist

# Blacklist mode
blacklist_enabled = true
blocked_commands = [
  "rm -rf /",
  "dd",
  "mkfs"
]
```
> Whitelist mode is more secure and is recommended for production environments or when handling sensitive projects.
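To make the interaction between the execution policy, the whitelist and the blacklist concrete, here is an added Python example (not Codex's own implementation) that evaluates a command line against the settings shown above. The config dict is the parsed form of the TOML in this section plus `default_policy` from "Execution Policy"; how Codex itself tokenizes commands and matches multi-word blacklist entries is not documented on this page, so the matching rules here are this example's assumptions.

```python
import os
import re
import shlex

# Parsed form of the whitelist/blacklist settings above (constructed; the real
# Codex config layout is assumed, not taken from its source).
CONFIG = {
    "default_policy": "ask",
    "whitelist_enabled": True,
    "allowed_commands": ["git", "npm", "node", "python", "cargo"],
    "blacklist_enabled": True,
    "blocked_commands": ["rm -rf /", "dd", "mkfs"],
}

# Shell control operators. A line such as "npm test; dd ..." is several
# commands, and every one of them must pass the policy, not only the first.
_OPERATORS = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")


def split_segments(command_line):
    """Split a shell line into simple commands on &&, ||, ; and |."""
    return [seg for seg in _OPERATORS.split(command_line.strip()) if seg]


def normalize(segment):
    """Tokenize one simple command and reduce argv[0] to its basename so that
    '/usr/bin/python' and 'python' are judged alike. Returns None when the
    segment cannot be parsed (e.g. unbalanced quotes)."""
    try:
        argv = shlex.split(segment)
    except ValueError:
        return None
    if not argv:
        return None
    argv[0] = os.path.basename(argv[0])
    return argv


def is_blocked(argv, blocked_commands):
    """A single-word entry ('dd') blocks that program; a multi-word entry
    ('rm -rf /') blocks commands that begin with exactly those tokens."""
    for entry in blocked_commands:
        pattern = normalize(entry)
        if not pattern:
            continue
        if len(pattern) == 1:
            if argv[0] == pattern[0]:
                return True
        elif argv[: len(pattern)] == pattern:
            return True
    return False


def decide(command_line, config=CONFIG):
    """Return 'deny', or the configured default policy ('ask' / 'approve')
    when every segment of the line passes the blacklist and the whitelist.
    Unparseable input is denied rather than guessed at."""
    segments = split_segments(command_line)
    if not segments:
        return "deny"
    for segment in segments:
        argv = normalize(segment)
        if argv is None:
            return "deny"
        if config.get("blacklist_enabled") and is_blocked(argv, config.get("blocked_commands", [])):
            return "deny"
        if config.get("whitelist_enabled") and argv[0] not in config.get("allowed_commands", []):
            return "deny"
    return config.get("default_policy", "ask")


if __name__ == "__main__":
    for line in ["git status", "/usr/bin/python -m pytest",
                 "npm test; dd if=/dev/zero of=image.bin", "curl https://example.com"]:
        print(f"{line!r:48} -> {decide(line)}")
```

Two points the example makes visible. First, a whitelist is only as tight as its entries: `python` and `node` are interpreters, so allowing them allows whatever they are asked to run, which is why the confirmation prompt stays on even in whitelist mode. Second, string blacklists are fragile: `"rm -rf /"` matches that exact token sequence and nothing else, so the whitelist, not the blacklist, is what actually narrows the attack surface.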
* * *
## Sensitive Data Handling
### Automatic Masking
Codex automatically detects and masks sensitive information:
* API keys and passwords
* Tokens and authentication information
* Personally identifiable information (PII)
### Environment Variable Protection
Certain environment variables are automatically hidden:
```text
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
OPENAI_API_KEY
DATABASE_URL
```
### Manually Specifying Sensitive Data
You can manually mark content that needs protection in the configuration:
```toml
# Custom sensitive data patterns

# Regex patterns to mask
patterns = [
  "password\\s*=\\s*[^\\s]+",
  "api_key\\s*=\\s*[^\\s]+",
  "secret\\s*=\\s*[^\\s]+"
]
```
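The following added Python example (not Codex's own masking code) applies the three patterns above to constructed sample text and hides the environment variables listed under "Environment Variable Protection". The TOML strings are shown here as raw Python regexes, i.e. exactly what the regex engine sees once TOML has unescaped the doubled backslashes. Case-insensitive matching and the `_KEY`/`_SECRET`/`_TOKEN`/`_PASSWORD` suffix heuristic are this example's own assumptions, not documented Codex behaviour.

```python
import re

# The three patterns from the configuration above, as regexes.
PATTERNS = [
    r"password\s*=\s*[^\s]+",
    r"api_key\s*=\s*[^\s]+",
    r"secret\s*=\s*[^\s]+",
]

# Variables the page lists as hidden automatically, plus a suffix heuristic
# (the heuristic is this example's assumption, not documented Codex behaviour).
HIDDEN_ENV = ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "OPENAI_API_KEY", "DATABASE_URL"]
SENSITIVE_SUFFIXES = ("_KEY", "_SECRET", "_TOKEN", "_PASSWORD")


def mask_text(text, patterns=PATTERNS):
    """Replace the value part of every match with [REDACTED], keeping the key
    name so the masked output still shows which setting was present.
    Matching is case-insensitive (assumption: the page's patterns are lowercase)."""
    def redact(match):
        found = match.group(0)
        eq = found.find("=")
        return (found[: eq + 1] + "[REDACTED]") if eq >= 0 else "[REDACTED]"

    for pattern in patterns:
        text = re.sub(pattern, redact, text, flags=re.IGNORECASE)
    return text


def scrub_env(env, hidden=HIDDEN_ENV):
    """Return a copy of an environment mapping with secret values hidden."""
    return {
        name: ("<hidden>" if name in hidden or name.upper().endswith(SENSITIVE_SUFFIXES) else value)
        for name, value in env.items()
    }


# Constructed sample of text that might pass through a session.
SAMPLE = """password = hunter2
api_key=sk-test-0000
export SECRET=abc123 && echo done
user = alice"""

# Constructed sample environment.
SAMPLE_ENV = {"OPENAI_API_KEY": "sk-test-0000", "PATH": "/usr/bin", "GH_TOKEN": "ghp_test", "LANG": "C"}

if __name__ == "__main__":
    print(mask_text(SAMPLE))
    print(scrub_env(SAMPLE_ENV))
```

Note the limit of the page's patterns: `[^\s]+` stops at the first whitespace, so a quoted value containing a space is only partially masked. Pattern-based masking is a last line of defence; keeping secrets out of files Codex reads in the first place is the reliable control.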
* * *
## Audit Logs
Codex can record audit logs of all operations:
```toml
# Enabling audit logs
enabled = true
log_file = "~/.codex/log/audit.log"
```
### Log Content
Audit logs record the following information:
* Timestamp
* Operation type
* Involved files or commands
* Operation result (success/failure)
* User confirmation status
```bash
# View recent audit logs
tail -f ~/.codex/log/audit.log
```
> Audit logs are very important for security auditing and troubleshooting, especially in team environments.
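"Regularly check audit logs" is easier with a small script that turns the five fields listed above into a report. The Python below is an added example (not a Codex tool); the page does not document the on-disk format of `audit.log`, so the JSON-lines layout, the field names and the sample entries are all constructed for this example.

```python
import json
from collections import Counter

# Constructed sample in an assumed JSON-lines layout carrying the five fields
# the page lists. One line is deliberately malformed.
SAMPLE_LOG = """\
{"timestamp": "2024-05-01T10:00:00Z", "operation": "command", "target": "git status", "result": "success", "confirmation": "auto-approved"}
{"timestamp": "2024-05-01T10:01:10Z", "operation": "file_write", "target": "/home/dev/projects/app/src/main.py", "result": "success", "confirmation": "approved"}
{"timestamp": "2024-05-01T10:02:30Z", "operation": "file_read", "target": "/home/dev/.ssh/id_rsa", "result": "failure", "confirmation": "denied"}
not json at all
{"timestamp": "2024-05-01T10:03:00Z", "operation": "command", "target": "rm -rf node_modules/", "result": "success", "confirmation": "always-allow"}
"""

REQUIRED = ("timestamp", "operation", "target", "result", "confirmation")
# Prefixes of the protected directories from "File Access Control", with an
# assumed home of /home/dev.
PROTECTED_PREFIXES = ("/home/dev/.ssh/", "/home/dev/.aws/", "/etc/")


def parse_audit_log(text):
    """Parse JSON lines. Malformed or incomplete lines are counted rather than
    silently dropped, because a gap in an audit trail is itself a finding."""
    entries, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            bad += 1
            continue
        if not isinstance(entry, dict) or not all(k in entry for k in REQUIRED):
            bad += 1
            continue
        entries.append(entry)
    return entries, bad


def review(entries, protected_prefixes=PROTECTED_PREFIXES):
    """The things a periodic check should surface: how operations were
    confirmed, what failed, which 'always allow' rules are in force, and any
    touch of a protected directory."""
    return {
        "by_confirmation": dict(Counter(e["confirmation"] for e in entries)),
        "failures": [e["target"] for e in entries if e["result"] != "success"],
        "always_allow_rules": [e["target"] for e in entries if e["confirmation"] == "always-allow"],
        "protected_access": [e["target"] for e in entries if e["target"].startswith(protected_prefixes)],
    }


if __name__ == "__main__":
    entries, bad = parse_audit_log(SAMPLE_LOG)
    print(f"{len(entries)} entries parsed, {bad} malformed")
    print(json.dumps(review(entries), indent=2))
```

The `always_allow_rules` list is the one to read first on a periodic check: it is the inventory of rules created by answering `A` in the confirmation dialog, which the FAQ below explains how to remove.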
* * *
## Security Best Practices
### Development Environment
* Use the default execution policy (ask)
* Enable audit logs
* Configure command whitelist
### Production Environment
* Restrict working directories
* Use whitelist mode
* Disable unnecessary network access
* Enable complete audit logs
### Sensitive Projects
* Use the strictest protection rules
* Carefully review every confirmation request
* Regularly check audit logs
* * *
## FAQ
### Q: Where is the execution policy configured?
The execution policy is mainly configured through the `~/.codex/config.toml` configuration file. Some settings can also be configured through environment variables.
### Q: What if I accidentally clicked "Always allow"?
Delete the relevant rules from the configuration file, or delete the entire configuration file and restart Codex; the rules will then be reset.
### Q: Can Codex access my GitHub token?
Codex will request the necessary permissions to access GitHub to perform operations. You can revoke these permissions at any time in your GitHub settings.
### Q: How to completely disable file modifications?
Set the execution policy to `deny`, which will prohibit Codex from performing any operations that may modify the file system.