A way to exclude sensitive files

Repository: openai/codex (Public)

- NotificationsYou must be signed in to change notification settings

- Fork 14.1k

- Star 94.9k

- Code

- Issues 5k+

- Pull requests 366

- Discussions

- Actions

- Security and quality 1

- Insights

Additional navigation options

- Code

- Issues

- Pull requests

- Discussions

- Actions

- Security and quality

- Insights

Issue #2847 · Closed

Labels: enhancement (New feature or request), sandbox (Issues related to permissions or sandboxing)

Description

mkusaka (Contributor) opened this issue on Aug 28, 2025

What feature would you like to see?

- A mechanism to explicitly mark files/paths that the agent must not read or send to the model, at both repository and global levels (e.g., a repo-local .codexignore plus a global ignore file).

- Example: keep `node_modules/` searchable for implementation checks, but never read or send `.env`, `.env.*`, `*.pem`, `id_*`, `.aws/**`, `.ssh/**`.

- The configuration should be deterministic and shareable across the team/repo, and also support user defaults, rather than relying on project documentation or conventions.

Are you interested in implementing this feature?

- Yes — I can contribute, including tests.

Additional information

Related: #205. That issue surfaced two primary use cases: preventing sensitive data from being sent to the model and excluding large/irrelevant files. The issue was closed in favor of a Rust (codex-rs) implementation, but as of 2025-08-28 a comparable feature does not appear to exist in codex-rs. I’d like to restart the discussion and converge on a design.

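As an added illustration (not code from the codex project, whose design for this was still open at this point in the thread), the following self-contained Rust program implements the gitignore-style semantics a repo-local ignore file of the kind requested above would need: unanchored patterns match at any depth, patterns containing `/` are rooted at the repository, a trailing `/` matches directories only, `**` spans directories, and a later `!` rule re-includes a path. The file name `.codexignore`, the sample rule text and the probe paths are constructed for the example; the rules are the ones listed in the request, with one directory rule (`build/`) and one negation (`!public/*.pem`) added to exercise those two features.

```rust
// Added example, not code from the codex project: a gitignore-style matcher for a
// hypothetical `.codexignore` file, deciding which paths an agent may read.

/// Constructed sample `.codexignore` using the patterns from the request above,
/// plus a directory rule and a `!` negation to show that the last matching rule wins.
const SAMPLE_IGNORE: &str = "\
# secrets and credentials must never be read or sent to the model
.env
.env.*
*.pem
id_*
.aws/**
.ssh/**
# large generated output the agent does not need to read
build/
# public certificates are safe to share again
!public/*.pem
";

/// One parsed rule with gitignore-like flags.
struct Rule {
    negate: bool,      // leading `!`: re-include a path excluded by an earlier rule
    anchored: bool,    // contains `/` (other than a trailing one): matches from the repo root
    dir_only: bool,    // trailing `/`: matches a directory and what is beneath it, not a file
    segs: Vec<String>, // pattern split on `/`
}

/// Parse ignore-file text; blank lines and `#` comments are skipped.
fn parse_rules(text: &str) -> Vec<Rule> {
    text.lines()
        .map(str::trim)
        .filter(|l| !l.is_empty() && !l.starts_with('#'))
        .map(|l| {
            let (negate, l) = match l.strip_prefix('!') {
                Some(rest) => (true, rest),
                None => (false, l),
            };
            let (dir_only, l) = match l.strip_suffix('/') {
                Some(rest) => (true, rest),
                None => (false, l),
            };
            let anchored = l.contains('/');
            let l = l.strip_prefix('/').unwrap_or(l); // a leading `/` only anchors
            Rule { negate, anchored, dir_only, segs: l.split('/').map(String::from).collect() }
        })
        .collect()
}

/// Match one path segment against one glob segment (`*`, `?`; never crosses `/`).
fn seg_match(pat: &[char], s: &[char]) -> bool {
    match (pat.first(), s.first()) {
        (None, None) => true,
        (None, Some(_)) => false,
        (Some('*'), _) => seg_match(&pat[1..], s) || (!s.is_empty() && seg_match(pat, &s[1..])),
        (Some('?'), Some(_)) => seg_match(&pat[1..], &s[1..]),
        (Some(p), Some(c)) => p == c && seg_match(&pat[1..], &s[1..]),
        (Some(_), None) => false,
    }
}

/// Match path segments against pattern segments; `**` spans zero or more segments.
fn segs_match(pat: &[&str], path: &[&str]) -> bool {
    match (pat.first(), path.first()) {
        (None, _) => path.is_empty(),
        (Some(&"**"), _) => (0..=path.len()).any(|i| segs_match(&pat[1..], &path[i..])),
        (Some(_), None) => false,
        (Some(p), Some(s)) => {
            let (p, s): (Vec<char>, Vec<char>) = (p.chars().collect(), s.chars().collect());
            seg_match(&p, &s) && segs_match(&pat[1..], &path[1..])
        }
    }
}

/// Does `rule` match the path `parts`? A rule that matches a leading directory
/// covers everything beneath it, as in gitignore.
fn rule_matches(rule: &Rule, parts: &[&str]) -> bool {
    let mut pat: Vec<&str> = rule.segs.iter().map(String::as_str).collect();
    if !rule.anchored {
        pat.insert(0, "**"); // unanchored rules match at any depth
    }
    // Try every directory prefix; a dir-only rule must stop before the file component.
    let max = if rule.dir_only { parts.len().saturating_sub(1) } else { parts.len() };
    (1..=max).any(|k| segs_match(&pat, &parts[..k]))
}

/// Decide whether `path` (relative to the repo root) is excluded. Later rules
/// override earlier ones, so a `!` rule can re-include a path.
fn is_excluded(rules: &[Rule], path: &str) -> bool {
    let parts: Vec<&str> = path
        .trim_start_matches("./")
        .split('/')
        .filter(|s| !s.is_empty())
        .collect();
    rules.iter().fold(false, |excluded, rule| {
        if rule_matches(rule, &parts) { !rule.negate } else { excluded }
    })
}

fn main() {
    let rules = parse_rules(SAMPLE_IGNORE);
    let probes = [
        "src/main.rs", ".env", "config/.env.local", "certs/server.pem", "public/ca.pem",
        ".ssh/id_rsa", ".aws/credentials", "home/.aws/credentials", "build/out.bin",
        "node_modules/left-pad/index.js",
    ];
    for p in probes.iter() {
        println!("{:<34} {}", p, if is_excluded(&rules, p) { "DENY" } else { "allow" });
    }
}
```

Running it prints `DENY` or `allow` for each probe path. The `home/.aws/credentials` case stays readable, which is the gitignore rule for patterns containing a `/`: they are rooted at the repository, so a rule meant to catch nested copies needs a `**/` prefix. An ignore list of this kind only governs what the agent's own file tools return; as later comments in this thread point out, a shell command the agent runs is not bound by it unless the same restriction is also enforced by the sandbox.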

mkusaka added the enhancement label on Aug 28, 2025

mkusaka mentioned this on Aug 29, 2025:

- Include dotfiles in @-file search suggestions #2846

torson commented on Aug 30, 2025

`.agentignore` would be better - more tool-agnostic, now that `AGENTS.md` has been adopted by multiple tools including Codex. Cline uses `.clineignore`, Cursor uses `.cursorignore` and `.cursorban`. There's a similar feature request for Cline: cline/cline#5887.


tcgumus commented on Sep 1, 2025

So there isn't any way to prevent sensitive data from reaching Codex right now?


vacavaca commented on Sep 2, 2025

Based on my tests, there seems to be no way to prevent Codex from uploading all files into OpenAI, regardless of `.gitignore` or `AGENTS.md`. If Codex decides to use `rg` or `grep` and finds some relevant content in a file, it will be uploaded.

+1 for adding this feature, it is important not only for protecting confidential data, but also for preventing Codex from uploading tons of irrelevant stuff, such as caches, node_modules, types, etc.


dunkel000 commented on Sep 3, 2025

+1. It is very important for some corporations and projects to ensure that agents do not indiscriminately ingest everything, including sensitive data or keys.


booyoi commented on Sep 22, 2025

need it too


numlock1052 commented on Sep 24, 2025

Hello, I suggest using the same approach as Google to exclude certain folders from the context **.aiexclude**. So, if we switch from gemini-cli to codex or another CLI AI, it will simplify the developer's life.

https://cloud.google.com/gemini/docs/codeassist/create-aiexclude-file


chan-jui-huang commented on Sep 30, 2025

Please implement it! It is very important for security!


github-actions mentioned this on Oct 5, 2025:

- Global agents rules #4765

prettymuchbryce commented on Oct 8, 2025

This feels like table stakes for any security-minded organization that doesn't want Codex to indiscriminately upload keys, secrets, environment variables, passwords, etc to OpenAI servers where they are potentially stored permanently. Claude code makes this trivial via `settings.local.json` with `"deny": [ "Read(.secret-dir)" ]`.


ilmeskio commented on Oct 23, 2025

I totally agree with this issue. Right now, even if gitignored files cannot be referenced with `@`, the agent can still read sensitive files both through the Read tool and via shell commands (`rg`, `cat`, etc.).

This means that the only way to achieve a proper level of security is to enable protection at the sandbox level, completely removing those files from the Codex execution context.

On macOS, I tested a solution leveraging `sandbox-exec` (which Codex internally uses). I’ve expanded on this in a discussion: [GitHub Discussion #5523](#5523).

```scheme
(version 1)
(allow default)
(deny file-read* (regex "\.env$"))
(deny file-write* (regex "\.env$"))
```

This works correctly — running `sandbox-exec -f deny-env.sb codex` prevents Codex from reading the contents of `.env` files. However, it’s a somewhat hacky solution and should ideally be handled natively within Codex itself.

After discussing with ChatGPT (somewhat meta 😄), it suggested an alternative using **Landlock** on Linux, based on an allowlist model. I need to investigate it further, but Landlock seems the right long-term mechanism, as it is already used internally by Codex.

Implementing such protections is crucial to ensure a safe development environment.

Another issue also discusses this problem and contains additional proposals: [GitHub Issue #1397](#1397).


ilmeskio mentioned this on Oct 23, 2025:

- Configurable file exclusion patterns for sensitive files #1397

codeblooded commented on Oct 27, 2025 (last edited by codeblooded)

Considering Claude Code has a 5 seat minimum for teams, which my company doesn't meet yet... we'd move to Codex for Teams in a heartbeat with **this feature** for the business license. We're holding back (and considering Gemini code assist), because Codex lacks a deterministic permissions system.


jbalonso commented on Oct 29, 2025

Does this issue qualify as a security concern (my opinion: it should) for the purposes of welcoming a contribution as per the contributor guidelines?


(122 remaining activity items not loaded in this capture)

itoe558 mentioned this on Jun 29, 2026:

- 🤖 AI News Daily - 2026-06-29 itoe558/daily-ai-news#30

github-actions mentioned this on Jun 29, 2026:

- 📊 AI CLI Tools Community Daily 2026-06-29 zx0828/big_model_radar#193

jacky1234 mentioned this on Jun 29, 2026:

- HackerNews Top 10 @2026-06-29 jacky1234/blogPages#1087

github-actions mentioned this on Jun 29, 2026:

- 📰 Hacker News AI Community Daily 2026-06-29 96loveslife/big_model_radar#77

nothingnesses commented on Jun 29, 2026 (last edited by nothingnesses)

I've contributed to agent-box which allows you to bind-mount git repositories into containers that agents operate in, preventing the agents from accessing files that aren't bind-mounted. Your usual `.gitignore` can then be used to also ignore files within the repo to be bind-mounted, which prevents agents from accessing them at all, essentially working as a sandbox.

I also maintain agent-images which allows you to use Nix to reproducibly spin up OCI containers containing agents and any other tools you need and use these with agent-box.

I use both at the moment to work on some personal projects with agents, where I set up multiple separate git worktrees for the agents to work in, preventing them from accessing anything outside of the worktrees and from trampling over each other's work.


github-actions mentioned this in 4 issues on Jun 29, 2026:

- 🤖 AI Daily · 2026-06-29 worldguigui/github-claw#64

- 📰 AI Tech Daily — 2026-06-29 liyupi/github-claw#119

- 📰 AI Tech Daily — 2026-06-29 Wndall/VibeCodingProgram#43

- 📰 AI Tech Daily — 2026-06-29 feIce/my-github-claw#40

kronprinzmagma mentioned this on Jun 29, 2026:

- KI Daily – 2026-06-29 kronprinzmagma/ki-news-aggregator#98

bolinfest (Collaborator) commented on Jun 29, 2026

Sorry, I didn't realize this issue was open or I would have commented sooner, but we have had a solution for a number of months now, though we have been tweaking the config language here and there, which is why it is still tagged as "Beta" in the docs:

https://developers.openai.com/codex/permissions

You can use `/permissions` in the CLI to change the permission profile at runtime. We're still working to ensure things work equally smoothly in Codex App (which has more places where an agent loop gets created than the CLI, so the change is a bit more complex).


silver-ben commented on Jun 29, 2026 (last edited by silver-ben)

Okay, I've done it like so:

added: `repo-root/.codex/config.toml`

```toml
default_permissions = "xxx-workspace"

[permissions.xxx-workspace.filesystem.":workspace_roots"]
"." = "write"
"out of context file here..." = "deny"
```

etraut-openai (Collaborator) commented on Jun 29, 2026

I'm going to close out this feature request. As @bolinfest mentioned above, we have a new feature in beta that implements this functionality. If you have follow-on bug reports or enhancement requests, please open a new issue.

etraut-openai closed this as completed on Jun 29, 2026

beijaflor mentioned this on Jun 30, 2026:

- Journal Workflow - Week of 2026-07-04 beijaflor/gen-ai-journal#153
