Cody Security Best Practices

Use the Cody AI assistant safely with these essential security practices, from context management to enterprise security.

Cody provides AI-powered code intelligence backed by Sourcegraph's code search. These practices help you use Cody securely while benefiting from AI assistance.

Quick Wins

Create .cody/ignore for sensitive files
Remove any credentials from indexed code
Review recently accepted AI suggestions
Check repository indexing configuration
Verify team member access permissions

Security Best Practices

#1 Control Context Scope

critical

Cody uses repository context for answers. Be aware of what code is being indexed and sent for AI processing.

Implementation

Configure which repositories are indexed and use .cody/ignore for sensitive files

#2 Never Include Credentials in Code

critical

Cody indexes your code. Never have real credentials in code that Cody can see.

Implementation

Use environment variables and add credential patterns to .cody/ignore

#3 Review AI-Generated Code

critical

Cody suggestions may contain security vulnerabilities. Review all code before accepting.

Implementation

Carefully review suggestions for auth, database, and input handling

#4 Use Enterprise for Sensitive Projects

high

Cody Enterprise offers enhanced security features including self-hosted options.

Implementation

Consider Cody Enterprise for proprietary or regulated codebases

#5 Configure Repository Permissions

high

Ensure Cody only accesses repositories team members should see.

Implementation

Review Sourcegraph permissions and limit repository access appropriately

#6 Monitor Usage and Queries

medium

Keep track of what queries are being made and what context is being used.

Implementation

Review Cody usage logs and audit access to sensitive code

Common Mistakes to Avoid

Indexing repositories with embedded secrets

Why it's dangerous:

Secrets become part of Cody's context and may appear in suggestions

How to fix:

Clean secrets from code and use .cody/ignore for sensitive patterns
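As an added example (not Sourcegraph's own code or tooling), a pre-index check for practice #2 and the mistake above: it scans a constructed sample repository for credential-shaped strings and reports those that .cody/ignore does not exclude. It assumes .cody/ignore uses gitignore-style patterns (verify this against your Cody version's documentation) and implements a simplified matcher: last matching rule wins, "dir/" matches that directory anywhere, a pattern without "/" matches any path segment, and "!" negates.

```python
import fnmatch
import re

# Credential shapes to look for (constructed for this example; extend for your code base).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "hardcoded_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
}

def parse_ignore(text):
    """Turn .cody/ignore text into (pattern, negated) rules; blanks and # comments are dropped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            rules.append((line.lstrip("!"), line.startswith("!")))
    return rules

def is_ignored(relpath, rules):
    """Simplified gitignore matching (assumed for .cody/ignore); the last matching rule wins."""
    ignored = False
    for pattern, negated in rules:
        if pattern.endswith("/"):          # directory rule: matches that directory anywhere
            hit = "/" + pattern in "/" + relpath
        elif "/" in pattern:               # anchored path rule
            hit = fnmatch.fnmatch(relpath, pattern.lstrip("/"))
        else:                              # bare name/glob: matches any path segment
            hit = any(fnmatch.fnmatch(seg, pattern) for seg in relpath.split("/"))
        if hit:
            ignored = not negated
    return ignored

def find_exposed_secrets(files, ignore_text):
    """files: {relative path: contents}. Returns (path, pattern name) for non-ignored hits."""
    rules = parse_ignore(ignore_text)
    return [(path, name)
            for path, contents in sorted(files.items()) if not is_ignored(path, rules)
            for name, rx in SECRET_PATTERNS.items() if rx.search(contents)]

# Constructed sample repository; the key id is AWS's documented example value, not a real key.
SAMPLE_IGNORE = "# .cody/ignore\n.env\n*.pem\nconfig/secrets/\n"
SAMPLE_FILES = {
    ".env": "DB_PASSWORD='correct-horse-battery'\n",
    "deploy/server.pem": "-----BEGIN RSA PRIVATE KEY-----\n...\n",
    "config/secrets/aws.yaml": "aws_access_key_id: AKIAIOSFODNN7EXAMPLE\n",
    "scripts/backup.sh": "export AWS_KEY=AKIAIOSFODNN7EXAMPLE\n",
    "app/settings.py": 'API_KEY = "example-1234567890-abcd"\n',
}
```

Calling find_exposed_secrets(SAMPLE_FILES, SAMPLE_IGNORE) reports scripts/backup.sh and app/settings.py, the two files Cody would still index; the other three are covered by the ignore rules.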

Trusting all AI suggestions

Why it's dangerous:

Cody optimizes for helpfulness, not security

How to fix:

Review all suggestions, especially security-critical code

Overly broad repository access

Why it's dangerous:

Cody can reference any indexed code in responses

How to fix:

Configure appropriate access controls per team/project

Frequently Asked Questions

Is Cody safe for enterprise use?

Cody Enterprise is designed for enterprise security needs with features like self-hosted deployment, SSO, and audit logging. The free tier may have different data handling policies.

What code does Cody access?

Cody can access any code indexed by your Sourcegraph instance. This includes the current file and referenced repositories. Configure indexing and use .cody/ignore to control access.

Can I use Cody with private repositories?

Yes, Cody works with private repositories. For maximum security with proprietary code, consider Cody Enterprise with self-hosted deployment.

Last updated: January 2026