▓▒░ USE-CASES / CODEX
Codex runs your code in OpenAI's cloud.
Your secrets don't stay behind.
The Codex app spawns cloud sandbox agents that clone repos, run tests, and process your codebase on OpenAI's infrastructure. The Codex CLI runs locally but still sends context to the model. Either way - your code leaves your control.
cloud sandbox agents · repo cloning · local CLI mode · model context · OpenAI infrastructure
Everything Codex touches. In someone else's cloud.
Codex isn't running on your machine. It's an autonomous agent operating in OpenAI's infrastructure - with full access to your repos, secrets, and build environment.
Repository Access
Clones private repos to cloud sandbox
Build Environment
Runs npm/pip/cargo, installs dependencies
API Keys & Secrets
Reads .env files, environment variables
Network Access
Can make HTTP calls from sandbox
OpenAI Infrastructure
Code processed on OpenAI servers
Data Retention
Code processed under OpenAI's data policies
Your code leaves the building. So do your secrets.
Cloud sandboxes create a false sense of security. The real risk is what happens inside them.
Private repository processed on external infrastructure
Codex clones your private repos into OpenAI's cloud sandbox. Every file, every secret in your repo history, is now processing on infrastructure you don't control. Your IP, API keys in old commits, and proprietary algorithms are in OpenAI's environment.
Opaque data handling in cloud execution
When Codex processes your code in OpenAI's cloud sandbox, you have limited visibility into how data is handled, cached, or retained between sessions. Your proprietary code patterns, architectural decisions, and business logic are processed on infrastructure outside your control - with retention and usage policies governed by OpenAI's terms, not yours.
CI/CD pipeline injection from cloud
Codex modifies build configurations and CI/CD files as part of its coding tasks. A manipulated response from the model could alter deployment pipelines, add malicious build steps, or modify infrastructure-as-code - all pushed from a cloud environment you don't audit.
Cloud sandbox? Cloud oversight.
Three capabilities purpose-built for cloud-based AI coding agents.
Track every Codex session across your organization
How many developers are using Codex? Which repos are being sent to OpenAI's sandbox? What data is being processed? Rogue answers questions your security team didn't know to ask.
Enforce boundaries on cloud sandbox operations
Define what Codex can and can't do in the cloud. Block secrets access, restrict network calls, prevent CI/CD modifications - all enforced before operations run in the sandbox.
Detect data leakage from cloud operations
Monitor what data flows to OpenAI's infrastructure and flag anomalous egress patterns. Know what's leaving your organization and stop it before it's too late.
Monitors cloud operations. Prevents data leakage.
Developer tasks Codex
Repos cloned to sandbox, code processed in cloud
Rogue monitors sandbox operations
Every clone, file read, and network call observed
Data egress and policy violations blocked
Secrets stay on your side of the boundary
Developer tasks Codex
Repos cloned to sandbox, code processed in cloud
Rogue monitors sandbox operations
Every clone, file read, and network call observed
Data egress and policy violations blocked
Secrets stay on your side of the boundary
Monitors cloud operations. Prevents data leakage. Your secrets stay on your side. Learn more →
Your code in their cloud. Your rules.
See what Codex sends to OpenAI's infrastructure - and what it shouldn't.