Skip to main content

Overview

Execution policies let you define rules that control which shell commands Codex can execute. This provides an additional security layer on top of sandboxing, allowing you to:
  • Allowlist safe commands that can run without approval
  • Blocklist dangerous commands that should never execute
  • Require prompts for commands that need human review
Execution policies are evaluated before sandboxing and work alongside approval modes to provide defense-in-depth security.

Policy Language

Policies are written in Starlark (a Python-like syntax) using the prefix_rule() function:

Pattern Matching

pattern
array
required
Ordered list of tokens to match. Each element can be:
  • A string: exact token match (e.g., "git")
  • A list of strings: match any alternative (e.g., ["commit", "push"])
decision
string
default:"allow"
What action to take when the pattern matches:
  • allow: Execute without prompting
  • prompt: Ask user for approval
  • forbidden: Block execution entirely
justification
string
Explanation shown to users. For forbidden rules, include a recommended alternative:
match
array
Example commands that should match this rule (unit tests).
not_match
array
Example commands that should NOT match this rule (unit tests).

Policy Examples

Safe Read-Only Commands

Commands Requiring Approval

Forbidden Commands

Host Executable Resolution

You can restrict which absolute paths are allowed for specific commands:

Matching Semantics

1

Exact Match First

Codex always tries exact first-token matches first.Example: /usr/bin/git status only matches if a rule starts with /usr/bin/git
2

Basename Fallback

If no exact match exists and --resolve-host-executables is enabled:
  • /usr/bin/git falls back to basename rules for git
  • Only allowed if the path is in the host_executable() list
  • If no host_executable() exists, basename fallback is allowed for any path

Using Policies

Command-Line Interface

Check if a command is allowed:
With hostname resolution:
Merge multiple policy files:

Response Format

The output is JSON:

Decision Priority

When multiple rules match, the strictest decision wins:
If any matching rule is forbidden, the command is blocked regardless of other rules.

Configuration

Policy files can be stored in:
  1. Global policies: ~/.codex/execpolicy.rules
  2. Project policies: .codex/execpolicy.rules in your repo
  3. Custom location: Specify with --rules flag
Commit project-specific policies to version control so all team members share the same rules.

Advanced Examples

Development Workflow

CI/CD Integration

Database Access

Testing Policies

Inline Tests

Use match and not_match to validate rules:

Validation on Load

Policies are validated when loaded. Invalid rules cause an error:

Best Practices

Start Permissive

Begin with allow for most commands, add restrictions as needed

Document Rationale

Always include clear justification text

Test Thoroughly

Use match and not_match to prevent regressions

Layer Security

Combine policies with sandboxing for defense-in-depth

Common Patterns

Troubleshooting

  • Check token boundaries: "git push" is TWO tokens (["git", "push"])
  • Use the check command to test: codex execpolicy check --rules policy.rules git push
  • Add match examples to validate behavior
  • Use --pretty for readable output: codex execpolicy check --rules policy.rules --pretty command
  • Check if multiple rules match (strictest wins)
  • Verify justification text for the reason
  • Enable host executable resolution: --resolve-host-executables
  • Define host_executable() entries for the command
  • Check that the absolute path is in the allowed list

See Also

Sandbox Configuration

Configure OS-level sandboxing

Approval Modes

Control when Codex asks for permission

Exec Mode

Run Codex non-interactively

Security Best Practices

Comprehensive security guidance