A way to exclude sensitive files issue still open for OpenAI Codex (github.com)
217 points by pikseladam 1 day ago | 135 comments
tl;dr: A GitHub issue requests that OpenAI Codex add a `.codexignore` mechanism (both repo-level and global) to explicitly prevent the agent from reading or transmitting sensitive files like `.env`, `.pem`, or SSH keys to the model. The requester notes this was previously raised in issue #205, which was closed in favor of a Rust implementation (codex-rs), but no equivalent feature appears to exist there as of August 2025.
HN Discussion:
  • A .codexignore feature is pointless and provides false security; use OS permissions or containers instead
  • Sensitive files shouldn't be stored in repo folders or plaintext on disk in the first place
  • Sandboxing via containers/bind-mounts is the proper solution, not a blocklist in Codex
  • Agent file access should be opt-in rather than opt-out, but handled at a different layer
  • We need better secret-handling infrastructure (proxies, agent-vaults) rather than relying on .env files