# Codex CLI Sandbox and Security | Rookie Tutorial

Codex CLI has a built-in sandbox mechanism and security policy to keep your system and data safe while it helps you program. This section details these security mechanisms and how to configure them.

* * *

## Sandbox Mechanism

Codex executes commands and operates on files in an isolated sandbox environment. This design ensures:

* Modifications to your project files are controllable
* Potentially dangerous commands require your confirmation
* Sensitive data is not accidentally leaked

> The sandbox is the first line of defense in Codex's security strategy, ensuring that AI operations do not exceed your expected scope.

* * *

## Execution Policy

Codex uses an Execution Policy to control the behavior of different types of operations:

### Policy Types

| Policy | Behavior | Applicable Scenario |
| --- | --- | --- |
| `ask` | Ask for confirmation before each execution | Daily development (default) |
| `approve` | Automatically approve execution | Fully trusted environment |
| `deny` | Reject all operations that may have side effects | Read-only mode |

### Operations Requiring Confirmation

The following types of operations will trigger confirmation requests:

* Executing shell commands (especially `rm`, `kill`, etc.)
* Modifying or deleting files
* Creating new files
* Accessing sensitive directories (such as `~/.ssh/`, `/etc/`)
* Network requests (in specific cases)

### Configuring Execution Policy

```toml
# Setting Execution Policy in Configuration
default_policy = "ask"
```

> For security reasons, it is not recommended to set the default policy to `approve` unless you fully understand the potential risks.
* * *

## Confirmation Dialog

When Codex needs to perform a sensitive operation, it will display a confirmation dialog:

```text
══════════════════════════════════════════════════════
                  Confirm Execution
══════════════════════════════════════════════════════
Codex plans to execute the following operation:

  Command:   rm -rf node_modules/
  Directory: /path/to/project

  This will permanently delete the directory and all its contents

  Confirm execution
  Cancel
  Always allow this type of operation
══════════════════════════════════════════════════════
```

### Option Descriptions

| Option | Description |
| --- | --- |
| `Y` | Execute only this time |
| `N` | Cancel operation |
| `A` | Add rule, automatically approve in the future |

> Be careful when selecting "Always allow"; make sure the operation is indeed safe.

* * *

## File Access Control

### Protected Directories

Certain system directories are protected by default, and Codex will require additional confirmation when accessing them:

| Directory | Description |
| --- | --- |
| `~/.ssh/` | SSH keys and configuration |
| `~/.aws/` | AWS credentials |
| `/etc/` | System configuration |
| `~/.git-credentials` | Git credential storage |

### Custom Protection Rules

You can add custom protection rules in the configuration:

```toml
# Configuring File Access Rules

# Allowed directories
allowed_paths = [
  "~/projects/*",
  "/workspace/*"
]

# Protected directories (require additional confirmation)
protected_paths = [
  "~/.ssh/*",
  "~/secrets/*"
]
```

* * *

## Network Access Control

Codex can restrict the scope of network requests:

```toml
# Configuring Network Access

# Allowed domains
allowed_domains = [
  "github.com",
  "api.openai.com"
]

# Whether to allow localhost access
allow_localhost = false

# Whether to allow private network access
allow_private_network = false
```

> Restricting network access can prevent Codex from accidentally connecting to untrusted services.
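One way to evaluate a file access request against the `allowed_paths` and `protected_paths` rules above, as an added example that is not Codex's own code. It assumes that `*` matches any descendant of the directory, that a protected match takes precedence over an allowed one, and that a path matching neither list is denied; the point it adds is that rules must be matched against the resolved path, because a `..` segment or a symlink would otherwise let a request that looks like it is under an allowed directory land in a protected one.

```python
import fnmatch
import os
import tempfile

# Mirrors the tutorial's "Configuring File Access Rules" block.
ALLOWED_PATHS = ["~/projects/*", "/workspace/*"]
PROTECTED_PATHS = ["~/.ssh/*", "~/secrets/*"]


def _expand(pattern: str, home: str) -> str:
    """Expand a leading '~/' against an explicit home directory (passed in
    rather than read from $HOME so the rules can be checked anywhere)."""
    return os.path.join(home, pattern[2:]) if pattern.startswith("~/") else pattern


def canonical(path: str, home: str) -> str:
    """Absolute, symlink-free, '..'-free form of `path`. Rules are matched
    against this form, so a '..' hop or a symlink cannot re-label a request."""
    expanded = _expand(path, home)
    if not os.path.isabs(expanded):
        expanded = os.path.join(home, expanded)
    return os.path.realpath(expanded)


def decide(path: str, home: str) -> str:
    """Return 'confirm', 'allow' or 'deny' for one file access request.
    Assumptions not stated by the tutorial: '*' matches any descendant,
    a protected match wins over an allowed match, and an unmatched path
    is treated as out of bounds and denied."""
    real = canonical(path, home)
    if any(fnmatch.fnmatch(real, _expand(p, home)) for p in PROTECTED_PATHS):
        return "confirm"
    if any(fnmatch.fnmatch(real, _expand(p, home)) for p in ALLOWED_PATHS):
        return "allow"
    return "deny"


def symlink_demo() -> str:
    """Constructed scenario: a symlink inside an allowed project directory
    that points at ~/.ssh. Matching the literal request string would say
    'allow'; matching the resolved path correctly asks for confirmation."""
    home = os.path.realpath(tempfile.mkdtemp())
    os.makedirs(os.path.join(home, ".ssh"))
    os.makedirs(os.path.join(home, "projects", "app"))
    os.symlink(os.path.join(home, ".ssh"), os.path.join(home, "projects", "app", "keys"))
    return decide("~/projects/app/keys/id_rsa", home)


if __name__ == "__main__":
    for request in ["~/projects/app/main.py", "~/projects/../.ssh/config", "/tmp/scratch/notes.txt"]:
        print(f"{request:35} -> {decide(request, '/home/codex-demo')}")
    print(f"{'symlink into ~/.ssh':35} -> {symlink_demo()}")
```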
* * *

## Working Directory Restriction

You can restrict Codex to operate only in specific directories:

```toml
# Restricting Working Directories

# Codex can only operate in these directories
working_directories = [
  "~/projects/*",
  "/workspace/*"
]

# Behavior when out of bounds: warn (warning) or deny (reject)
out_of_bounds = "deny"
```

* * *

## Command Whitelist/Blacklist

### Whitelist Mode (Recommended)

Only allow execution of explicitly listed commands:

```toml
# Command Whitelist

# Whitelist mode
whitelist_enabled = true
allowed_commands = [
  "git",
  "npm",
  "node",
  "python",
  "cargo"
]
```

### Blacklist Mode

Prohibit execution of specific commands:

```toml
# Command Blacklist

# Blacklist mode
blacklist_enabled = true
blocked_commands = [
  "rm -rf /",
  "dd",
  "mkfs"
]
```

> Whitelist mode is more secure and is recommended for production environments or when handling sensitive projects.

* * *

## Sensitive Data Handling

### Automatic Masking

Codex automatically detects and masks sensitive information:

* API keys and passwords
* Tokens and authentication information
* Personally identifiable information (PII)

### Environment Variable Protection

Certain environment variables are automatically hidden:

```text
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
OPENAI_API_KEY
DATABASE_URL
```

### Manually Specifying Sensitive Data

You can manually mark content that needs protection in the configuration:

```toml
# Custom Sensitive Data Patterns

# Regex patterns to mask
patterns = [
  "password\\s*=\\s*[^\\s]+",
  "api_key\\s*=\\s*[^\\s]+",
  "secret\\s*=\\s*[^\\s]+"
]
```

* * *

## Audit Logs

Codex can record audit logs of all operations:

```toml
# Enabling Audit Logs
enabled = true
log_file = "~/.codex/log/audit.log"
```

### Log Content

Audit logs record the following information:

* Timestamp
* Operation type
* Involved files or commands
* Operation result (success/failure)
* User confirmation status

### Viewing Audit Logs

```bash
# View recent audit logs
tail -f ~/.codex/log/audit.log
```

> Audit logs are very important for security auditing and troubleshooting, especially in team environments.

* * *

## Security Best Practices

### Development Environment

* Use the default execution policy (`ask`)
* Enable audit logs
* Configure a command whitelist

### Production Environment

* Restrict working directories
* Use whitelist mode
* Disable unnecessary network access
* Enable complete audit logs

### Sensitive Projects

* Use the strictest protection rules
* Carefully review every confirmation request
* Regularly check audit logs

* * *

## FAQ

### Q: Where is the execution policy configured?

The execution policy is mainly configured through the `~/.codex/config.toml` configuration file. Some settings can also be configured through environment variables.

### Q: What if I accidentally clicked "Always allow"?

Delete the relevant rules in the configuration file, or delete the entire configuration file and restart Codex; the rules will then be reset.

### Q: Can Codex access my GitHub token?

Codex will request the necessary permissions to access GitHub in order to perform operations. You can revoke these permissions at any time in your GitHub settings.

### Q: How do I completely disable file modifications?

Set the execution policy to `deny`, which prohibits Codex from performing any operation that may modify the file system.
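The masking described under Sensitive Data Handling, as an added example that is not Codex's own code: it applies the three regex patterns from the `patterns` config and the protected environment variable list to constructed text. The `MIN_SECRET_LEN` cutoff, keeping the key name visible, and the sample values are assumptions of this example.

```python
import re

# Mirrors the "Custom Sensitive Data Patterns" block; TOML "\\s" is regex \s.
PATTERNS = [
    r"password\s*=\s*[^\s]+",
    r"api_key\s*=\s*[^\s]+",
    r"secret\s*=\s*[^\s]+",
]
# Mirrors the "Environment Variable Protection" list.
PROTECTED_ENV = ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "OPENAI_API_KEY", "DATABASE_URL"]
MASK = "[REDACTED]"
MIN_SECRET_LEN = 8  # assumption: values shorter than this are not treated as secrets
_COMPILED = [re.compile(p) for p in PATTERNS]


def _mask_assignment(m: re.Match) -> str:
    """Keep the key name so the output stays readable; mask only the value."""
    key, _, _ = m.group(0).partition("=")
    return key.rstrip() + "=" + MASK


def mask_text(text: str, env: dict) -> str:
    """Mask protected environment values and config-pattern matches in text."""
    # 1. Literal values of protected variables, longest first so that a value
    #    which is a prefix of another value cannot be left half exposed.
    values = sorted((env.get(k) or "" for k in PROTECTED_ENV), key=len, reverse=True)
    for value in values:
        if len(value) >= MIN_SECRET_LEN:
            text = text.replace(value, MASK)
    # 2. The key = value patterns from the config. Note that [^\s]+ stops at
    #    the first whitespace, so a value containing spaces is only partly masked.
    for rx in _COMPILED:
        text = rx.sub(_mask_assignment, text)
    return text


# Constructed sample: what a command's output might look like before masking.
SAMPLE_ENV = {
    "OPENAI_API_KEY": "sk-constructed-0123456789",
    "DATABASE_URL": "postgres://app:hunter2@db.internal/app",
}
SAMPLE_TEXT = (
    "export OPENAI_API_KEY=sk-constructed-0123456789\n"
    "db: postgres://app:hunter2@db.internal/app\n"
    "password = hunter2\n"
    "retries=3\n"
)

if __name__ == "__main__":
    print(mask_text(SAMPLE_TEXT, SAMPLE_ENV))
```

Because `[^\s]+` ends at the first whitespace, a pattern that accepts quoted values would have to be added to `patterns` before values containing spaces are fully masked.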