Sandboxing

Cody CLI can run tool calls (bash commands, file writes) in a sandboxed environment to limit the blast radius of unintended actions.

Enabling Sandboxing

Enable sandboxing in settings.json:

{
  "sandboxing": {
    "enabled": true,
    "allowedPaths": ["./src", "./tests"],
    "allowNetwork": false
  }
}

Sandbox Modes

  • Path restrictions — Limit file read/write to specific directories.
  • Network isolation — Block outbound network calls from bash tools.
  • Read-only mode — Allow reads but block all writes.

Per-Tool Configuration

You can configure sandbox rules per tool type:

{
  "sandboxing": {
    "tools": {
      "Bash": { "allowNetwork": false },
      "FileWrite": { "allowedPaths": ["./src"] }
    }
  }
}
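
A pre-flight check for the settings shown above, added here as an example and not part of Cody CLI: it flags `allowNetwork: true` and `allowedPaths` entries that are absolute, climb above the project root, or cover the whole project, in both the top-level block and each per-tool block. It assumes entries are relative to the project root, which the page does not state; `audit`, `_check_block` and `_depth` are names chosen for this example.

```python
import json
from pathlib import PurePosixPath

# Constructed sample (not from the page): three deliberately weak entries.
SAMPLE = """{"sandboxing": {
  "enabled": true, "allowNetwork": false,
  "allowedPaths": ["./src", "./tests/../.."],
  "tools": {"Bash": {"allowNetwork": true},
            "FileWrite": {"allowedPaths": ["."]}}
}}"""

def _depth(entry):
    """Depth below the project root, lexically (no symlink resolution); -1 if above."""
    depth = 0
    for part in PurePosixPath(entry).parts:
        if part == "..":
            depth -= 1
            if depth < 0:
                return -1
        elif part != ".":
            depth += 1
    return depth

def _check_block(name, block):
    findings = []
    if block.get("allowNetwork") is True:
        findings.append(f"{name}: allowNetwork is true")
    for entry in block.get("allowedPaths", []):
        # Assumption: entries are relative to the project root.
        if PurePosixPath(entry).is_absolute():
            findings.append(f"{name}: {entry!r} is an absolute path")
        elif _depth(entry) < 0:
            findings.append(f"{name}: {entry!r} escapes the project root")
        elif _depth(entry) == 0:
            findings.append(f"{name}: {entry!r} covers the whole project")
    return findings

def audit(settings_text):
    sb = json.loads(settings_text).get("sandboxing")
    if not isinstance(sb, dict):
        return ["sandboxing: section missing"]
    findings = [] if sb.get("enabled") is True else ["sandboxing: enabled is not true"]
    findings += _check_block("sandboxing", sb)
    for tool, block in sb.get("tools", {}).items():
        findings += _check_block(f"tools.{tool}", block)
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The check makes no assumption about how per-tool rules combine with the top-level ones; it reports each block on its own.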

Warnings

Sandboxing is a best-effort safety layer, not a security boundary. For untrusted code execution, use a proper container or VM.