Is OpenAI Codex Safe? Security Review of the Cloud Coding Agent (2026)

OpenAI launched the cloud Codex agent on May 16, 2025 (not to be confused with the original Codex model from 2021 that powered GitHub Copilot's early releases). The new Codex is a full autonomous coding agent: connect a GitHub repository, describe a task, and it writes code and runs tests in an ephemeral cloud sandbox, then opens a pull request, all without any input from you during the session.

That architecture has a different security profile than any IDE plugin. Here is what actually matters.

TL;DR

OpenAI Codex runs tasks in isolated, internet-blocked sandboxes using the codex-1 model (fine-tuned from o3). Code does not persist between sessions. The main risks are broad GitHub OAuth scope, ChatGPT training defaults that include your code unless you opt out, and the inherent danger of any autonomous agent running shell commands on your codebase. Mitigations: use a fine-grained PAT scoped to one repo, opt out of training data use, review every PR Codex opens, and run it on feature branches only.

Use with Caution

What OpenAI Codex Actually Does

When you assign a task, Codex:

1. Clones your repository into a fresh, isolated container.
2. Reads the codebase and plans an approach.
3. Runs shell commands: install dependencies, run tests, lint.
4. Writes code changes across multiple files.
5. Opens a pull request back to your repository, then terminates the container. Nothing persists.

The sandbox has no outbound internet access by default. Codex cannot call external APIs, exfiltrate data over the network, or download packages from arbitrary sources unless network access is explicitly enabled for a task.

The GitHub Access Question

This is the most important configuration decision. Codex offers two connection methods:

| Method | Scope | Risk |
|---|---|---|
| GitHub OAuth | All repositories in your account or org | High: compromise exposes every repo |
| Fine-grained PAT | Specific repos, specific permissions | Low: scoped to exactly what Codex needs |

Use a fine-grained PAT. The OAuth flow is convenient but requests access to all your repositories. A fine-grained PAT lets you grant read/write on Contents and Pull Requests for a single repo, which is all Codex needs for most tasks. Rotate it after a project ends.

Minimum Viable PAT Permissions

For a typical Codex task (read code, write changes, open PR):

  • Contents: Read and write
  • Pull requests: Read and write
  • Metadata: Read (required)

Do not grant: Actions, Secrets, Environments, Admin access, or org-level permissions.
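The permission list above can be enforced as a policy check before a token is handed to any agent. This is an added example, not code from OpenAI or GitHub: the grant dictionary shape, the permission key names and the repository name are assumptions made for the illustration.

```python
LEVELS = {"none": 0, "read": 1, "write": 2, "admin": 3}
# Highest level the article allows for each repository permission.
ALLOWED = {"contents": "write", "pull_requests": "write", "metadata": "read"}
# Categories the article says not to grant at all (key names are assumed).
FORBIDDEN = {"actions", "secrets", "environments", "administration"}

def audit_grant(grant):
    """Return sorted findings for one token grant (dict shape is hypothetical)."""
    findings = []
    repos = grant.get("repositories", [])
    if grant.get("repository_selection") != "selected" or len(repos) != 1:
        findings.append("scope: not limited to a single repository")
    if grant.get("organization_permissions"):
        findings.append("scope: organization-level permissions granted")
    perms = grant.get("permissions", {})
    for name, level in perms.items():
        rank = LEVELS.get(level, LEVELS["admin"])  # unknown level: fail closed
        if rank == 0:
            continue
        if name in FORBIDDEN:
            findings.append(f"forbidden: {name}={level}")
        elif name not in ALLOWED:
            findings.append(f"unneeded: {name}={level}")
        elif rank > LEVELS[ALLOWED[name]]:
            findings.append(f"excess: {name}={level} (max {ALLOWED[name]})")
    if LEVELS.get(perms.get("metadata", "none"), 0) < LEVELS["read"]:
        findings.append("missing: metadata=read is required")
    return sorted(findings)

# Constructed grants: one scoped as the article recommends, one too broad.
SCOPED = {
    "repository_selection": "selected",
    "repositories": ["example-org/example-repo"],
    "permissions": {"contents": "write", "pull_requests": "write", "metadata": "read"},
}
BROAD = {
    "repository_selection": "all",
    "repositories": [],
    "organization_permissions": {"members": "read"},
    "permissions": {"contents": "write", "metadata": "read", "secrets": "read",
                    "administration": "write", "issues": "write", "actions": "none"},
}

if __name__ == "__main__":
    for label, grant in (("scoped", SCOPED), ("broad", BROAD)):
        print(label, audit_grant(grant))
```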

Data Handling and Training

OpenAI's training policy differs based on how you access Codex:

| Access Method | Code Used for Training? | Data Retention |
|---|---|---|
| ChatGPT (free/Plus) | Yes, by default | Standard OpenAI policy |
| ChatGPT Enterprise | No (ZDR by default) | 0 days |
| API (codex-1 model) | No (ZDR by default) | 0 days |

If you are using Codex through ChatGPT on a free or Plus plan, go to Settings > Data Controls > Improve the model for everyone and toggle it off. This opts your conversations, including code, out of training data.

Enterprise ChatGPT customers and direct API users get Zero Data Retention automatically. Code is processed in memory and not stored on OpenAI's servers after the session ends.

The Codex-1 Model

The cloud Codex agent runs on codex-1, a model fine-tuned from o3 specifically for coding tasks. OpenAI published SWE-bench Verified scores showing codex-1 resolving 72.1% of real GitHub issues in automated testing, the highest published score at launch in May 2025.

That capability cuts both ways. A more capable agent can resolve harder bugs, but it can also make broader changes across your codebase in ways that are harder to review. Every Codex PR should get the same scrutiny as a junior contractor's work: read the diff, not just the summary.

What CheckYourVibe Finds in AI-Assisted Codebases

Codex-generated code shares the same vulnerability patterns we see across AI coding tools. The most common issues in repositories that use autonomous agents:

Most Common Codex-Era Findings

  • Secrets in environment files committed to the repo. Codex pulls env vars it finds in .env.example into actual .env files during setup tasks.
  • Missing authentication checks on new API routes. Codex adds routes that match existing patterns but sometimes omits middleware.
  • Over-permissive CORS. Default headers added during scaffolding can allow any origin.
  • Hard-coded URLs and credentials in test fixtures that make it to production branches.

Run a scan before merging any Codex PR that touches configuration, environment setup, or API route definitions.
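A pre-merge check for the four finding types above can run over the PR's unified diff and look only at lines the agent added. This is an added example, not CheckYourVibe's scanner or part of the original article: the middleware name `requireAuth`, the Express-style route pattern, the regexes and the sample diff are assumptions, and the heuristics are meant to direct review, not replace it.

```python
import re

AUTH_MIDDLEWARE = "requireAuth"  # assumption: the project's auth middleware name
ENV_TEMPLATES = {".env.example", ".env.sample", ".env.template"}
LINE_RULES = [
    ("cors-any-origin", re.compile(
        r"""(Access-Control-Allow-Origin['"]?\s*[,:]\s*['"]\*|origin\s*:\s*['"]\*)""", re.I)),
    ("hardcoded-credential", re.compile(
        r"""(password|secret|api[_-]?key|token)\w*['"]?\s*[:=]\s*['"][^'"\s]{8,}['"]""", re.I)),
]
ROUTE = re.compile(r"\b(?:app|router)\.(?:get|post|put|patch|delete)\s*\(")

def scan_diff(diff_text):
    """Return sorted (path, rule) findings for the lines a unified diff adds."""
    findings, path, in_hunk = set(), None, False
    for line in diff_text.splitlines():
        if line.startswith("diff --git "):
            path, in_hunk = None, False
        elif line.startswith("@@"):
            in_hunk = True
        elif not in_hunk and line.startswith("+++ "):
            target = line[4:].strip()
            path = None if target == "/dev/null" else re.sub(r"^b/", "", target)
            name = (path or "").rsplit("/", 1)[-1]
            if (name == ".env" or name.startswith(".env.")) and name not in ENV_TEMPLATES:
                findings.add((path, "env-file-committed"))
        elif in_hunk and path and line.startswith("+"):
            added = line[1:]
            findings.update((path, rule) for rule, rx in LINE_RULES if rx.search(added))
            if ROUTE.search(added) and AUTH_MIDDLEWARE not in added:
                findings.add((path, "route-without-auth"))
    return sorted(findings)

# Constructed sample diff (not from a real repository).
SAMPLE_DIFF = """\
diff --git a/.env b/.env
--- /dev/null
+++ b/.env
@@ -0,0 +1 @@
+DATABASE_URL=postgres://app:changeme@db/app
diff --git a/src/app.js b/src/app.js
--- a/src/app.js
+++ b/src/app.js
@@ -10,1 +10,4 @@
 app.get('/me', requireAuth, getMe);
+app.use(cors({ origin: '*' }));
+app.get('/export', exportUsers);
+app.post('/invite', requireAuth, inviteUser);
"""
```

Calling `scan_diff(SAMPLE_DIFF)` flags the committed `.env`, the wildcard CORS origin and the `/export` route that lacks the middleware; the `/invite` route and the unchanged context line are not reported.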

Codex vs Devin vs Cursor: Security Comparison

| Tool | Execution | GitHub Access | Network in Sandbox | Data Retention |
|---|---|---|---|---|
| OpenAI Codex | Cloud agent | PAT or OAuth | Blocked by default | ZDR on API/Enterprise |
| Devin (Cognition) | Cloud agent | Machine account recommended | Browser access included | SOC 2 Type II |
| Cursor | Local IDE plugin | Read suggestions only | None (local only) | No code storage |

Codex and Devin are both cloud agents that execute code autonomously. Codex has a narrower default network surface (internet blocked) compared to Devin, which includes a browser component that can reach external URLs during sessions.

Security Checklist Before Connecting Codex to Your Repo

Is OpenAI Codex safe to use on private repositories?

Yes, with caveats. Codex runs in an isolated sandbox with no internet access by default and does not persist code between sessions. The main risk is the GitHub OAuth scope. Using a fine-grained PAT limited to specific repos is safer than the broad OAuth grant. Enterprise ChatGPT customers get Zero Data Retention, so code is not stored by OpenAI.

Does OpenAI Codex train on my code?

ChatGPT free and Plus users: your conversations, including code, are used for training by default unless you opt out in Settings > Data Controls. API customers using the codex-1 model and Enterprise ChatGPT accounts have Zero Data Retention by default, so code is not stored or used for training.

What GitHub permissions does Codex need?

Codex can connect via OAuth (broad access to all repos) or a fine-grained PAT (scoped to specific repos). Always use a fine-grained PAT with read/write on Contents and Pull Requests for just the repository you want Codex to work on.

How is OpenAI Codex different from GitHub Copilot?

Copilot is an IDE assistant: it suggests code inline but you review and accept each suggestion. Codex is an autonomous agent: assign a task and it reads, codes, runs tests, and opens a PR without per-step input from you. The attack surface is substantially larger.

Is there a local version of Codex?

Codex CLI is an open-source command-line tool you run locally using your own OpenAI API key. It processes code on your machine before sending prompts to OpenAI. The cloud Codex agent inside ChatGPT is fully cloud-hosted with no local option.
