Sourcegraph Cody Security Checklist
Last updated: January 12, 2026
Use this checklist to ensure your Sourcegraph Cody application is secure before launch. 5 critical items require immediate attention.
Why This Security Checklist Matters
Security checklists serve as systematic guides for identifying vulnerabilities that might otherwise be overlooked during rapid development cycles. For Sourcegraph Cody applications specifically, this checklist addresses the most common security gaps that emerge when using AI-assisted development workflows.
Research from multiple security organizations indicates that approximately 80% of AI-built applications contain at least one exploitable vulnerability at launch. The vulnerabilities are often predictable—they follow patterns that this checklist is designed to catch. By systematically reviewing each item, you significantly reduce the risk of launching an insecure application.
Unlike generic security checklists, this guide focuses specifically on vulnerabilities prevalent in Sourcegraph Cody applications. Each item has been prioritized based on real-world attack patterns and the potential impact of exploitation. Critical items should be addressed before any production deployment.
Critical Priority
Critical items can lead to complete application compromise, data breaches, or unauthorized access to all user accounts. These must be addressed before deploying to production. Attackers actively scan for these vulnerabilities.
High Priority
High priority items represent significant security risks that could allow unauthorized access to sensitive data or functionality. While not immediately catastrophic, these vulnerabilities should be fixed as soon as possible.
Medium/Low Priority
Medium and low priority items strengthen your overall security posture. While they may not be immediately exploitable, addressing them prevents attack chains and defense-in-depth gaps.
Manual vs Automated Security Checking
While manual security reviews are thorough, they're time-consuming and prone to human error. Automated scanning catches common vulnerabilities instantly, freeing you to focus on business logic and complex security decisions.
Items VAS Automates
- Exposed API keys and secrets in JavaScript bundles
- HTTP security header configuration
- Supabase RLS policy testing
- Firebase Security Rules validation
- Cookie security attributes
Manual Review Still Required
- Business logic vulnerabilities
- Custom authentication implementations
- Access control logic in API routes
- Data validation requirements
- Third-party integration security
Privacy Configuration
Consider self-hosted Sourcegraph
For maximum privacy, host Sourcegraph on your infrastructure
Configure repository access
Only give Cody access to repositories it needs
Review indexing settings
Understand what code is being indexed and sent to AI
Use local models if available
Local models keep code on your machine
Code Suggestion Security
Review all suggestions before accepting
Cody can suggest insecure patterns - always review
Check for hardcoded secrets
AutoAI may suggest code with placeholder credentials
Verify authentication code
Auth implementations from AI often have flaws
Test database queries
Check for SQL injection and proper parameterization
Repository Context
Configure .gitignore comprehensively
AutoCody uses git context - ensure secrets are excluded
Review cross-repository context
Understand what Cody can see across repositories
Audit what's indexed
Check what code has been indexed for AI context
Remove sensitive repositories from Sourcegraph
Don't index highly sensitive codebases
Enterprise Security
Use SSO integration
Integrate with your identity provider
Configure team permissions
Set up appropriate access controls
Enable audit logging
Track AI usage for compliance
Review data retention policies
Understand how long context is stored
Explore Related Resources
Don't Check Manually
VAS automatically checks 2 of these 16 items. Get instant results with detailed remediation guidance.
Run Automated Security ScanFrequently Asked Questions
Does Sourcegraph Cody have access to my entire codebase?
Cody uses Sourcegraph's code graph for context. Enterprise deployments can control what code is indexed. Use .cody/ignore to exclude sensitive files. The breadth of context means insecure patterns in your codebase may be propagated into suggestions.
How is Cody different from Copilot for security?
Cody's codebase-wide awareness means it can find and reference patterns across your entire repository. This is powerful for consistent code, but also means insecure patterns get reinforced. Regular security audits help break this cycle.