[{"data":1,"prerenderedAt":518},["ShallowReactive",2],{"blog-is-safe/openai-codex":3},{"id":4,"title":5,"body":6,"category":485,"date":486,"dateModified":486,"description":487,"draft":488,"extension":489,"faq":490,"featured":488,"headerVariant":502,"image":503,"keywords":504,"meta":505,"navigation":506,"ogDescription":507,"ogTitle":503,"path":508,"readTime":509,"schemaOrg":510,"schemaType":511,"seo":512,"sitemap":513,"stem":514,"tags":515,"twitterCard":516,"__hash__":517},"blog/blog/is-safe/openai-codex.md","Is OpenAI Codex Safe? Security Review of the Cloud Coding Agent (2026)",{"type":7,"value":8,"toc":470},"minimark",[9,13,16,22,29,34,37,44,50,56,62,68,71,75,78,123,133,138,141,162,165,169,172,220,227,233,237,245,248,252,255,291,294,298,370,373,377,405,439,458],[10,11,12],"p",{},"OpenAI launched the cloud Codex agent on May 16, 2025 (not to be confused with the original Codex model from 2021 that powered GitHub Copilot's early releases). The new Codex is a full autonomous coding agent: connect a GitHub repository, describe a task, and it writes code, runs tests, and opens a pull request in an ephemeral cloud sandbox without any input from you during the session.",[10,14,15],{},"That architecture has a different security profile than any IDE plugin. Here is what actually matters.",[17,18,19],"tldr",{},[10,20,21],{},"OpenAI Codex runs tasks in isolated, internet-blocked sandboxes using the codex-1 model (fine-tuned on o3). Code does not persist between sessions. The main risks are broad GitHub OAuth scope, ChatGPT training defaults that include your code unless opted out, and the inherent danger of any autonomous agent running shell commands on your codebase. Mitigations: use a fine-grained PAT scoped to one repo, opt out of training data use, review every PR Codex opens, and run it on feature branches only.",[23,24,26],"verdict-badge",{"verdict":25},"caution",[10,27,28],{},"Codex is safer than most autonomous agents by architecture, but GitHub scope and training defaults require active configuration to get there.",[30,31,33],"h2",{"id":32},"what-openai-codex-actually-does","What OpenAI Codex Actually Does",[10,35,36],{},"When you assign a task, Codex:",[38,39,41],"step",{"number":40},"1",[10,42,43],{},"Clones your repository into a fresh, isolated container.",[38,45,47],{"number":46},"2",[10,48,49],{},"Reads the codebase and plans an approach.",[38,51,53],{"number":52},"3",[10,54,55],{},"Runs shell commands: install dependencies, run tests, lint.",[38,57,59],{"number":58},"4",[10,60,61],{},"Writes code changes across multiple files.",[38,63,65],{"number":64},"5",[10,66,67],{},"Opens a pull request back to your repository, then terminates the container. Nothing persists.",[10,69,70],{},"The sandbox has no outbound internet access by default. Codex cannot call external APIs, exfiltrate data over the network, or download packages from arbitrary sources unless network access is explicitly enabled for a task.",[30,72,74],{"id":73},"the-github-access-question","The GitHub Access Question",[10,76,77],{},"This is the most important configuration decision. Codex offers two connection methods:",[79,80,81,97],"table",{},[82,83,84],"thead",{},[85,86,87,91,94],"tr",{},[88,89,90],"th",{},"Method",[88,92,93],{},"Scope",[88,95,96],{},"Risk",[98,99,100,112],"tbody",{},[85,101,102,106,109],{},[103,104,105],"td",{},"GitHub OAuth",[103,107,108],{},"All repositories in your account or org",[103,110,111],{},"High: compromise exposes every repo",[85,113,114,117,120],{},[103,115,116],{},"Fine-grained PAT",[103,118,119],{},"Specific repos, specific permissions",[103,121,122],{},"Low: scoped to exactly what Codex needs",[124,125,126],"warning-box",{},[10,127,128,132],{},[129,130,131],"strong",{},"Use a fine-grained PAT."," The OAuth flow is convenient but requests access to all your repositories. A fine-grained PAT lets you grant read/write on Contents and Pull Requests for a single repo, which is all Codex needs for most tasks. Rotate it after a project ends.",[134,135,137],"h3",{"id":136},"minimum-viable-pat-permissions","Minimum Viable PAT Permissions",[10,139,140],{},"For a typical Codex task (read code, write changes, open PR):",[142,143,144,151,156],"ul",{},[145,146,147,150],"li",{},[129,148,149],{},"Contents:"," Read and write",[145,152,153,150],{},[129,154,155],{},"Pull requests:",[145,157,158,161],{},[129,159,160],{},"Metadata:"," Read (required)",[10,163,164],{},"Do not grant: Actions, Secrets, Environments, Admin access, or org-level permissions.",[30,166,168],{"id":167},"data-handling-and-training","Data Handling and Training",[10,170,171],{},"OpenAI's training policy differs based on how you access Codex:",[79,173,174,187],{},[82,175,176],{},[85,177,178,181,184],{},[88,179,180],{},"Access Method",[88,182,183],{},"Code Used for Training?",[88,185,186],{},"Data Retention",[98,188,189,200,211],{},[85,190,191,194,197],{},[103,192,193],{},"ChatGPT (free/Plus)",[103,195,196],{},"Yes, by default",[103,198,199],{},"Standard OpenAI policy",[85,201,202,205,208],{},[103,203,204],{},"ChatGPT Enterprise",[103,206,207],{},"No (ZDR by default)",[103,209,210],{},"0 days",[85,212,213,216,218],{},[103,214,215],{},"API (codex-1 model)",[103,217,207],{},[103,219,210],{},[10,221,222,223,226],{},"If you are using Codex through ChatGPT on a free or Plus plan, go to ",[129,224,225],{},"Settings > Data Controls > Improve the model for everyone"," and toggle it off. This opts your conversations, including code, out of training data.",[228,229,230],"tip-box",{},[10,231,232],{},"Enterprise ChatGPT customers and direct API users get Zero Data Retention automatically. Code is processed in memory and not stored on OpenAI's servers after the session ends.",[30,234,236],{"id":235},"the-codex-1-model","The Codex-1 Model",[10,238,239,240,244],{},"The cloud Codex agent runs on ",[241,242,243],"code",{},"codex-1",", a model fine-tuned from o3 specifically for coding tasks. OpenAI published SWE-bench Verified scores showing codex-1 resolving 72.1% of real GitHub issues in automated testing, the highest published score at launch in May 2025.",[10,246,247],{},"That capability cuts both ways. A more capable agent can resolve harder bugs, but it can also make broader changes across your codebase in ways that are harder to review. Every Codex PR should get the same scrutiny as a junior contractor's work: read the diff, not just the summary.",[30,249,251],{"id":250},"what-checkyourvibe-finds-in-ai-assisted-codebases","What CheckYourVibe Finds in AI-Assisted Codebases",[10,253,254],{},"Codex-generated code shares the same vulnerability patterns we see across AI coding tools. The most common issues in repositories that use autonomous agents:",[256,257,259,273,279,285],"finding-box",{"title":258},"Most Common Codex-Era Findings",[10,260,261,264,265,268,269,272],{},[129,262,263],{},"Secrets in environment files committed to the repo."," Codex pulls env vars it finds in ",[241,266,267],{},".env.example"," into actual ",[241,270,271],{},".env"," files during setup tasks.",[10,274,275,278],{},[129,276,277],{},"Missing authentication checks on new API routes."," Codex adds routes that match existing patterns but sometimes omits middleware.",[10,280,281,284],{},[129,282,283],{},"Over-permissive CORS."," Default headers added during scaffolding can allow any origin.",[10,286,287,290],{},[129,288,289],{},"Hard-coded URLs and credentials in test fixtures"," that make it to production branches.",[10,292,293],{},"Run a scan before merging any Codex PR that touches configuration, environment setup, or API route definitions.",[30,295,297],{"id":296},"codex-vs-devin-vs-cursor-security-comparison","Codex vs Devin vs Cursor: Security Comparison",[79,299,300,318],{},[82,301,302],{},[85,303,304,307,310,313,316],{},[88,305,306],{},"Tool",[88,308,309],{},"Execution",[88,311,312],{},"GitHub Access",[88,314,315],{},"Network in Sandbox",[88,317,186],{},[98,319,320,337,353],{},[85,321,322,325,328,331,334],{},[103,323,324],{},"OpenAI Codex",[103,326,327],{},"Cloud agent",[103,329,330],{},"PAT or OAuth",[103,332,333],{},"Blocked by default",[103,335,336],{},"ZDR on API/Enterprise",[85,338,339,342,344,347,350],{},[103,340,341],{},"Devin (Cognition)",[103,343,327],{},[103,345,346],{},"Machine account recommended",[103,348,349],{},"Browser access included",[103,351,352],{},"SOC 2 Type II",[85,354,355,358,361,364,367],{},[103,356,357],{},"Cursor",[103,359,360],{},"Local IDE plugin",[103,362,363],{},"Read suggestions only",[103,365,366],{},"None (local only)",[103,368,369],{},"No code storage",[10,371,372],{},"Codex and Devin are both cloud agents that execute code autonomously. Codex has a narrower default network surface (internet blocked) compared to Devin, which includes a browser component that can reach external URLs during sessions.",[30,374,376],{"id":375},"security-checklist-before-connecting-codex-to-your-repo","Security Checklist Before Connecting Codex to Your Repo",[378,379,380,385,389,393,397,401],"checklist-section",{},[381,382],"checklist-item",{"description":383,"label":384},"Scope it to one repo with Contents + Pull Requests read/write only","Use a fine-grained PAT",[381,386],{"description":387,"label":388},"Settings > Data Controls, toggle off Improve the model for everyone","Opt out of training data (ChatGPT Plus/free)",[381,390],{"description":391,"label":392},"Never connect it to your main or production branch directly","Run Codex on feature branches only",[381,394],{"description":395,"label":396},"Read the full diff, not just the AI-written description","Review every PR Codex opens",[381,398],{"description":399,"label":400},"Codex adds routes that match existing patterns but may miss auth guards","Check new API routes for auth middleware",[381,402],{"description":403,"label":404},"Run a CheckYourVibe scan on any Codex PR that touches config or API files","Scan before merging",[406,407,408,415,421,427,433],"faq-section",{},[409,410,412],"faq-item",{"question":411},"Is OpenAI Codex safe to use on private repositories?",[10,413,414],{},"Yes, with caveats. Codex runs in an isolated sandbox with no internet access by default and does not persist code between sessions. The main risk is the GitHub OAuth scope. Using a fine-grained PAT limited to specific repos is safer than the broad OAuth grant. Enterprise ChatGPT customers get Zero Data Retention, so code is not stored by OpenAI.",[409,416,418],{"question":417},"Does OpenAI Codex train on my code?",[10,419,420],{},"ChatGPT free and Plus users: your conversations, including code, are used for training by default unless you opt out in Settings > Data Controls. API customers using the codex-1 model and Enterprise ChatGPT accounts have Zero Data Retention by default, so code is not stored or used for training.",[409,422,424],{"question":423},"What GitHub permissions does Codex need?",[10,425,426],{},"Codex can connect via OAuth (broad access to all repos) or a fine-grained PAT (scoped to specific repos). Always use a fine-grained PAT with read/write on Contents and Pull Requests for just the repository you want Codex to work on.",[409,428,430],{"question":429},"How is OpenAI Codex different from GitHub Copilot?",[10,431,432],{},"Copilot is an IDE assistant: it suggests code inline but you review and accept each suggestion. Codex is an autonomous agent: assign a task and it reads, codes, runs tests, and opens a PR without per-step input from you. The attack surface is substantially larger.",[409,434,436],{"question":435},"Is there a local version of Codex?",[10,437,438],{},"Codex CLI is an open-source command-line tool you run locally using your own OpenAI API key. It processes code on your machine before sending prompts to OpenAI. The cloud Codex agent inside ChatGPT is fully cloud-hosted with no local option.",[440,441,442,448,453],"related-articles",{},[443,444],"related-card",{"description":445,"href":446,"title":447},"Security review of Cognition's autonomous engineer: shell access, GitHub permissions, and what to lock down","/blog/is-safe/devin","Is Devin AI Safe?",[443,449],{"description":450,"href":451,"title":452},"API key management, data handling, prompt injection risks, and usage limits for OpenAI's API","/blog/is-safe/openai-api","Is OpenAI API Safe?",[443,454],{"description":455,"href":456,"title":457},"How autonomous coding agents like Codex expand the attack surface compared to traditional AI assistants","/blog/vulnerabilities/agentic-ai-security-risks","Agentic AI Security Risks",[459,460,463,467],"cta-box",{"href":461,"label":462},"/","Start Free Scan",[30,464,466],{"id":465},"using-codex-on-your-codebase","Using Codex on your codebase?",[10,468,469],{},"Scan for secrets, missing auth guards, and misconfigured permissions before merging.",{"title":471,"searchDepth":472,"depth":472,"links":473},"",2,[474,475,479,480,481,482,483,484],{"id":32,"depth":472,"text":33},{"id":73,"depth":472,"text":74,"children":476},[477],{"id":136,"depth":478,"text":137},3,{"id":167,"depth":472,"text":168},{"id":235,"depth":472,"text":236},{"id":250,"depth":472,"text":251},{"id":296,"depth":472,"text":297},{"id":375,"depth":472,"text":376},{"id":465,"depth":472,"text":466},"is-safe","2026-05-15","Is OpenAI Codex safe to use on your codebase? Review of the cloud coding agent's sandboxed architecture, GitHub permissions, data handling, and what to lock down before you connect your repo.",false,"md",[491,493,495,497,499],{"question":411,"answer":492},"Yes, with caveats. Codex runs in an isolated sandbox with no internet access by default and does not persist code between sessions. The main risk is the GitHub OAuth scope. Using a fine-grained PAT limited to specific repos is safer than the broad OAuth grant. Enterprise ChatGPT customers can enable Zero Data Retention so code is not stored by OpenAI.",{"question":417,"answer":494},"ChatGPT users: your conversations (including code) are used for training by default unless you opt out in Settings > Data Controls > Improve the model for everyone. API customers using the Codex API have Zero Data Retention by default, meaning code is not stored or used for training. Enterprise ChatGPT plans also default to ZDR.",{"question":423,"answer":496},"Codex can connect via OAuth (broad access to all your repos) or a fine-grained personal access token (PAT) scoped to specific repos with read/write on Contents and Pull Requests. Always use a fine-grained PAT scoped to just the repository you want Codex to work on.",{"question":429,"answer":498},"Copilot is an IDE assistant: it suggests code, but you execute everything. Codex is an autonomous agent: you assign a task, and it reads your codebase, writes code, runs tests, and opens a PR without your input on each step. The attack surface is much larger.",{"question":500,"answer":501},"Is there a self-hosted or local version of Codex?","Codex CLI is an open-source command-line agent you run locally. It uses your own OpenAI API key and processes code on your machine before sending prompts to OpenAI. The cloud Codex agent (in ChatGPT) is fully cloud-hosted with no local option.","amber",null,"is openai codex safe, openai codex security, codex ai coding agent, codex github permissions, openai codex privacy, codex-1 model security",{},true,"OpenAI Codex runs in ephemeral sandboxes and needs GitHub access. Here is what that means for your code security.","/blog/is-safe/openai-codex","9 min read","[object Object]","Article",{"title":5,"description":487},{"loc":508},"blog/is-safe/openai-codex",[],"summary_large_image","_qQJ6hv_JueGcb_txTn9tbbGTZNYq4HoMuURKV6OO3g",1778856036364]