Overview
Execution policies let you define rules that control which shell commands Codex can execute. This provides an additional security layer on top of sandboxing, allowing you to:- Allowlist safe commands that can run without approval
- Blocklist dangerous commands that should never execute
- Require prompts for commands that need human review
Execution policies are evaluated before sandboxing and work alongside approval modes to provide defense-in-depth security.
Policy Language
Policies are written in Starlark (a Python-like syntax) using theprefix_rule() function:
Pattern Matching
Ordered list of tokens to match. Each element can be:
- A string: exact token match (e.g.,
"git") - A list of strings: match any alternative (e.g.,
["commit", "push"])
What action to take when the pattern matches:
allow: Execute without promptingprompt: Ask user for approvalforbidden: Block execution entirely
Explanation shown to users. For
forbidden rules, include a recommended alternative:Example commands that should match this rule (unit tests).
Example commands that should NOT match this rule (unit tests).
Policy Examples
Safe Read-Only Commands
Commands Requiring Approval
Forbidden Commands
Host Executable Resolution
You can restrict which absolute paths are allowed for specific commands:Matching Semantics
Exact Match First
Codex always tries exact first-token matches first.Example:
/usr/bin/git status only matches if a rule starts with /usr/bin/gitUsing Policies
Command-Line Interface
Check if a command is allowed:Response Format
The output is JSON:Decision Priority
When multiple rules match, the strictest decision wins:Configuration
Policy files can be stored in:- Global policies:
~/.codex/execpolicy.rules - Project policies:
.codex/execpolicy.rulesin your repo - Custom location: Specify with
--rulesflag
Advanced Examples
Development Workflow
CI/CD Integration
Database Access
Testing Policies
Inline Tests
Usematch and not_match to validate rules:
Validation on Load
Policies are validated when loaded. Invalid rules cause an error:Best Practices
Start Permissive
Begin with
allow for most commands, add restrictions as neededDocument Rationale
Always include clear
justification textTest Thoroughly
Use
match and not_match to prevent regressionsLayer Security
Combine policies with sandboxing for defense-in-depth
Common Patterns
Allow safe subcommands only
Allow safe subcommands only
Allowlist approach (deny by default)
Allowlist approach (deny by default)
Blocklist approach (allow by default)
Blocklist approach (allow by default)
Troubleshooting
Rule not matching expected command
Rule not matching expected command
- Check token boundaries:
"git push"is TWO tokens (["git", "push"]) - Use the
checkcommand to test:codex execpolicy check --rules policy.rules git push - Add
matchexamples to validate behavior
Command blocked unexpectedly
Command blocked unexpectedly
- Use
--prettyfor readable output:codex execpolicy check --rules policy.rules --pretty command - Check if multiple rules match (strictest wins)
- Verify
justificationtext for the reason
Absolute paths not working
Absolute paths not working
- Enable host executable resolution:
--resolve-host-executables - Define
host_executable()entries for the command - Check that the absolute path is in the allowed list
See Also
Sandbox Configuration
Configure OS-level sandboxing
Approval Modes
Control when Codex asks for permission
Exec Mode
Run Codex non-interactively
Security Best Practices
Comprehensive security guidance