| Security Layer | Where it applies | What it prevents |
|---|---|---|
| OS native sandbox | CLI, Desktop App | Unauthorized file access and network calls at the OS level |
| Cloud isolation | Codex Cloud | Damage to your local machine, cross-task contamination |
| Approval policies | All surfaces | Unintended command execution outside sandbox boundaries |
| Pull request workflow | Cloud tasks | Unreviewed code reaching your main branch |
| Protected paths | CLI, Desktop App | Modification of .git and .codex directories even in workspace-write mode |
| HIPAA compliance | Enterprise (local environments) | Regulatory violations in healthcare contexts |
OS native sandboxing vs. permission prompts
Most AI coding tools protect your system through permission prompts: the agent asks before doing something potentially dangerous. Codex adds a second, independent layer at the operating system level. Even if a permission check is missed, the OS blocks the attempt. Think of it as the difference between a security guard who asks visitors to identify themselves and a locked door that physically prevents entry. Codex has both.
Maximizing security with Codex
For the strongest security posture, combine Codex's sandboxing with your existing CI/CD pipeline. Configure required CI checks on your repository so that Codex's pull requests must pass automated tests, linting, and security scanning before they can be merged. Use the read-only sandbox mode in CI with the official GitHub Action. For local work, the default workspace-write mode with on-request approval provides a good balance of safety and productivity.