A way to exclude sensitive files issue still open for OpenAI Codex

Posted by pikseladam 7 hours ago

A way to exclude sensitive files issue still open for OpenAI Codex(github.com)

137 points | 94 commentspage 2

kstenerud 6 hours ago|

.agentsignore is NOT a security tool.

It's a good idea as a hint to agents about what files it should ignore (because they'd be of no value and only chew up tokens).

However, using it to prevent exposure of secrets would be a BIG mistake. There's simply no way to guarantee that an agent will ignore things in the ignore file. And even a harness-enforced restriction would still be in-process, which a rogue agent could trivially compromise. For security, use a sandbox. Nothing else will do.

I do AI sandboxes (FOSS, free forever, no rug pull): https://github.com/kstenerud/yoloai

ZiiS 6 hours ago||

However clever/stupid you believe LLMs are they are extremely capable of working around these sorts of restrictions. The ask is for .env files for whatever code you are writing so if the code it writes dosn't have access (i.e. filesystem/container) what is the point, if the code under development reads the env how dose codex debug it without accedentally reading the values from memory? Adding a security setting that dosn't work is much worse then not having one.

mixedbit 5 hours ago||

I work on a Linux sandbox that makes it easy to hide sensitive files from AI agents while keeping the files they need accessible. Check it out: https://github.com/wrr/drop

pohl 6 hours ago||

This should be an open standard like AGENTS.md or skills. What do other harnesses do?

ampersandwhich 6 hours ago|

I believe JetBrains products like Junie use the neutral term .aiignore for this funtionality.

hoppp 5 hours ago||

Do not store secrets in the repository in files, but inject them during runtime. Then the agents have no way to access them.

tiew9Vii 5 hours ago|

A lot of people have secrets/config files in the projects working directory but ignored by git i.e. `.env.local`

So they're following best practice, not committing secrets but agents running locally can still see them even if sandboxing to the working directory.

I've taken to storing configs using XDG_CONFIG_HOME and have the app auto resolve them by convention or take a cli arg to specify the config path. All secrets are in files, not env vars.

That way when using sandboxing the agent can never see the configs or secrets as outside the working directory.

hoppp 5 hours ago||

Sounds like a good way to do it.

Makes me think of docker secret where the secrets are exposed as files and accessable only from inside the container.

If the development environment uses docker then thats a solution too I guess

SoftTalker 4 hours ago||

If you let your agent use docker you've basically given it root on your machine.

hoppp 3 hours ago||

I use podman btw

Its aliased to docker

Building a project as a container and giving an agent access to running docker commands are different things.

kardos 4 hours ago||

A solution to this is apptainer: you configure it to not see any of the host files by default, and mount the repo you want to work on at runtime.

TZubiri 3 hours ago|

Question, out of curiosity, do you know how User and Permissions work?

TZubiri 4 hours ago||

Out of scope, learn cybersecurity. A simple concept such as users and permissions solves this problem.

Regardless of what technique you use, you need a deputy, you wouldn't ask an employee not to go into the vault, right? You would lock the vault. Well you can ask the employee not to go into the vault, and you can also ask codex not to use certain files, but if you need more certainty, you need to it outside.

The issue seems to be that people want to ask their agent to do everything, they want the agent to lock themselves out of some system, they want the agent to install itself, they want the agent to write their prompts so they don't have to write them. At some point there's some things YOU have to do, and you have to DO them.

Lucasoato 5 hours ago||

There should be a standard around .agentignore file similarly to what happens with .gitignore file. Of course this could still be workarounded by agent bash command tools, but at least basic operations like reading and so on should be checked and prevented.

SubiculumCode 3 hours ago|

So how might I restrict the read paths if I am running codex as a plugin in vscode?

More comments...