Step 1: Isolated container
Each task runs in a fresh, disposable container. No shared state with your machine or other tasks.
Step 2: Network disabled
No internet access during execution. Prevents data exfiltration, supply chain attacks, and unauthorized connections.
Step 3: Code changes only
Codex can only modify code within the cloned repository. No filesystem access outside the project.
Step 4: Pull request review
All changes are submitted as a pull request. Your team reviews and approves before anything reaches the main branch.
Step 5: Container destroyed
After the task completes, the container is destroyed. No persistent state, no leftover artifacts.
Why network restrictions matter
When AI writes code, there is always a risk that it could introduce a dependency on a malicious package or inadvertently send data to an external server. Codex's network restrictions eliminate these risks entirely. No outbound connections means no data can leave the container, no packages can be downloaded during execution, and no external services can be contacted. All dependencies must be installed during the setup phase, which runs before the network is disabled.
| Security Layer | What it prevents | |
|---|---|---|
| Container isolation | Container isolation | Damage to your local machine, cross-task contamination |
| Network restrictions | Network restrictions | Data exfiltration, supply chain attacks, unauthorized API calls |
| Pull request workflow | Pull request workflow | Unreviewed code reaching your main branch |
| No local credentials | No local credentials | Accidental exposure of API keys, tokens, and secrets |
| Disposable containers | Disposable containers | Persistent state from affecting future tasks |
Maximizing security with Codex
For the strongest security posture, combine Codex with your existing CI/CD pipeline. Configure required CI checks on your repository so that Codex's pull requests must pass automated tests, linting, and security scanning before they can be merged. This creates a double layer of verification: Codex runs its own tests in the sandbox, then your CI pipeline runs independent checks on the proposed changes.