A way to exclude sensitive files issue still open for OpenAI Codex
pikseladam
192 points
124 comments
June 28, 2026
Related Discussions
Found 5 related stories in 965.8ms across 14,015 title embeddings via pgvector HNSW
- Codex for Open Source EvgeniyZh · 28 pts · June 11, 2026 · 57% similar
- Codex logging bug may write TBs to local SSDs vantareed · 480 pts · June 22, 2026 · 56% similar
- Codex Plugins epaga · 13 pts · March 27, 2026 · 55% similar
- Codex for almost everything mikeevans · 786 pts · April 16, 2026 · 55% similar
- Codex starts encrypting sub-agent prompts embedding-shape · 413 pts · July 14, 2026 · 54% similar
Discussion Highlights (20 comments)
pikseladam
it has been a year and still it is not resolved
pohl
This should be an open standard like AGENTS.md or skills. What do other harnesses do?
TheDong
You can do this now: change the file permissions such that the user you run codex as can't read them, or run codex in a container without those files mounted. If you don't do that, the agent will be able to incidentally upload them. What if the model runs "rg foo", and one of those files contains the string "foo"? It uploads the tool output, which includes the file contents. And so, the only solution is to make it so the codex process is unable to access those files, hence using a container, or unix permissions, or deleting the files. Which you can already do. I imagine this isn't resolved primarily because people expect it to apply to bash tool use, not just the "read" and "edit" tools, and people also expect those files to still be accessible i.e. if the agent invokes "make", which makes it impossible to solve perfectly.
planb
Sound like snake oil. How would this work? The app that the agent is developing needs access to the file, so access to it cannot be blocked. Just because read_file can not access it (I think current harnesses prevent reading .env files already), does not mean the contents will never be seen by the model.
petcat
Hopefully they never actually implement this pointless feature because it will only give people a false sense of security given the unpredictable nature of LLMs. How could something like this even be enforced? People just need to learn how to use the tools their system already provides them. i.e., chmod
kstenerud
.agentsignore is NOT a security tool. It's a good idea as a hint to agents about what files it should ignore (because they'd be of no value and only chew up tokens). However, using it to prevent exposure of secrets would be a BIG mistake. There's simply no way to guarantee that an agent will ignore things in the ignore file. And even a harness-enforced restriction would still be in-process, which a rogue agent could trivially compromise. For security, use a sandbox. Nothing else will do. I do AI sandboxes (FOSS, free forever, no rug pull): https://github.com/kstenerud/yoloai
agentdev001
Sounds like user error to me. Codex gives an llm a tool to allow it to use shell in the context of the host and user in which it is running. If a resource is sensitive, and accessible in that context, then the user is doing something wrong. Would you change your practices if you treated your coding agent as an untrusted human ssh'd under the identity you use for it? In any case. There are solutions in the comments on the issue, as well as this hn thread.
cowpig
I don't think we should ask the agent runtime to police itself. I contributed to a tool for this problem that is lower-friction than traditional sandboxing: greywall.io But you should use something to contain an agent runtime. The idea that people run things like codex on their machines with regular user permissions is baffling to me.
ZiiS
However clever/stupid you believe LLMs are they are extremely capable of working around these sorts of restrictions. The ask is for .env files for whatever code you are writing so if the code it writes dosn't have access (i.e. filesystem/container) what is the point, if the code under development reads the env how dose codex debug it without accedentally reading the values from memory? Adding a security setting that dosn't work is much worse then not having one.
bob1029
The only thing close to a guarantee is to give the agent exclusive access to a clean VM with precisely the information and permissions you want it to have. I've been looking into a "workspace" concept that involves an entire cloud VM being spun up as part of an agent conversation such that code changes can be iterated without touching the user's local machine or other trusted contexts. All the agent's tools only have effect when supplied with a specific workspace guid. CLI tools like git are not authorized to talk to the remotes in this arrangement. The machine is initialized with a clone and no way to talk to origin. There are dedicated methods in the harness that can reach into the VM and pull out a change set for deterministic PR generation in the secure contexts (e.g. when the agent calls "ReadyForReview" or similar).
hoppp
Do not store secrets in the repository in files, but inject them during runtime. Then the agents have no way to access them.
Lucasoato
There should be a standard around .agentignore file similarly to what happens with .gitignore file. Of course this could still be workarounded by agent bash command tools, but at least basic operations like reading and so on should be checked and prevented.
mbid
I recently got the tool I use to orchestrate agents in (remote/secure) devcontainers open-sourced at work to solve this properly: https://github.com/nvidia/rumpelpod As others here have pointed out, it's exceedingly unlikely that a blocklist like proposed in the issue would ever be complete. You shouldn't allow agents direct yolo-access to your machine if it has sensitive data. Codex works particularly well as a remote agent harness because of its client-server architecture: The server component runs in the container, which might be remote, while the client runs locally. So, in contrast to e.g. the claude cli where the frontend also runs remotely, there's no lag when you write/edit prompts.
mixedbit
I work on a Linux sandbox that makes it easy to hide sensitive files from AI agents while keeping the files they need accessible. Check it out: https://github.com/wrr/drop
edg5000
Bind mounts can work fine. Setting them up does require root though. Easiest would be if the harness offered to enable containment. Awkwardly, it would require root.
nikhilsimha
Files that codex and any other coding agent has access to, should be opt-in NOT opt-out. I think codex is not the right layer to solve this if you want a sane(one-click) UX. We built our own internal sandboxing-terminal around claude and codex. Where a user-configured base-folder with low-risk code and creds is COPIED into the sandbox BEFORE new session creation. There were many other UX related reasons to build our own terminal. Can share more if anyone is interested.
kardos
A solution to this is apptainer: you configure it to not see any of the host files by default, and mount the repo you want to work on at runtime.
TZubiri
Out of scope, learn cybersecurity. A simple concept such as users and permissions solves this problem. Regardless of what technique you use, you need a deputy, you wouldn't ask an employee not to go into the vault, right? You would lock the vault. Well you can ask the employee not to go into the vault, and you can also ask codex not to use certain files, but if you need more certainty, you need to it outside. The issue seems to be that people want to ask their agent to do everything, they want the agent to lock themselves out of some system, they want the agent to install itself, they want the agent to write their prompts so they don't have to write them. At some point there's some things YOU have to do, and you have to DO them.
eduction
Great example of why operating systems should be stealing more ideas from Qubes, the OS where everything runs in a vm. Qubes is not practical for mobile laptop use and non expert users. BUT it would be very practical for other OSes to offer the option of VM-style isolated containers as first class objects that are easy to make and configure boundaries on, and for which first class interop facilities are provided (eg “send this file to this container” “send the clipboard to this container’s clipboard).
SubiculumCode
So how might I restrict the read paths if I am running codex as a plugin in vscode?