
How to Secure Your Sourcegraph Cody App

Last updated: January 12, 2026

Sourcegraph Cody provides AI coding assistance with codebase awareness. This guide covers securing applications built with Cody's help.

Why Security Matters for Sourcegraph Cody

Key Security Concerns

Cloud tier sends code context to Sourcegraph's servers for AI processing
Deep codebase indexing means Sourcegraph needs broad repository access
AI suggestions are only as secure as the underlying LLM you choose
The context window may inadvertently include sensitive code
Generated code needs security review like any AI tool

Security Strengths

Self-hosted deployment: keep all code and AI on your own infrastructure
Sourcegraph's code graph provides context without sending raw code to LLMs
Enterprise SSO with SAML/SCIM and role-based access controls
Audit logs for all Cody interactions on enterprise tier
Choose your own LLM provider (Claude, GPT-4, Gemini, or local models)

Step-by-Step Security Guide

1. Configure Context Exclusions

Exclude sensitive files from Cody's context using .cody/ignore or repository settings.

# .cody/ignore
# environment files, including variants such as .env.local
.env*
# the secrets directory and everything under it
secrets/
# files named credentials.json
credentials.json
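A useful check after writing the ignore file is to confirm that the files you consider secret-bearing are actually matched by its patterns, because a pattern that is slightly too narrow (an exact filename that misses a .bak copy, or no rule at all for private keys) silently leaves material in Cody's context. The script below is an added example and not Sourcegraph's code; it assumes .cody/ignore uses gitignore-style patterns and implements only a simplified subset of that syntax (no ** and no ! negation). The ignore file, the file tree and the list of sensitive name fragments are all constructed for the example.

```python
"""Check that secret-bearing files in a repository are covered by .cody/ignore.

Added example; not Sourcegraph's code. It assumes .cody/ignore uses
gitignore-style patterns and implements a simplified subset of that syntax:
blank lines and lines starting with '#' are skipped, a trailing '/' matches a
directory and everything under it, '*' and '?' do not cross '/', a pattern
containing '/' is anchored at the repository root, and one without '/' matches
at any depth. '**' and '!' negation are not handled.
"""
import re

# Name fragments that usually indicate credential material (hypothetical list;
# extend it for your own repository conventions).
SENSITIVE_NAME_PATTERNS = [r"^\.env", r"credentials", r"secret", r"\.pem$", r"\.key$", r"id_rsa"]


def parse_ignore(text):
    """Return the active patterns from .cody/ignore text, skipping blanks and comments."""
    patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            patterns.append(line)
    return patterns


def _glob_to_regex(glob):
    """Translate one ignore pattern into a regex whose wildcards never cross '/'."""
    parts = []
    for ch in glob:
        if ch == "*":
            parts.append("[^/]*")
        elif ch == "?":
            parts.append("[^/]")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def matches(pattern, path):
    """Return True if `pattern` excludes the repo-relative, '/'-separated `path`."""
    dir_only = pattern.endswith("/")
    core = pattern.rstrip("/")
    anchored = "/" in core
    core = core.lstrip("/")
    body = _glob_to_regex(core)
    prefix = "" if anchored else r"(?:.*/)?"
    # A directory-only pattern needs something beneath the directory;
    # any other pattern matches the file itself or a directory by that name.
    tail = "/" if dir_only else "(?:/|$)"
    return re.match(prefix + body + tail, path) is not None


def looks_sensitive(path):
    """True if any path component resembles a secret-bearing file or directory."""
    return any(
        re.search(fragment, component, re.IGNORECASE)
        for component in path.split("/")
        for fragment in SENSITIVE_NAME_PATTERNS
    )


def uncovered_sensitive_files(ignore_text, paths):
    """Return sensitive-looking paths that no .cody/ignore pattern excludes."""
    patterns = parse_ignore(ignore_text)
    return [
        path for path in paths
        if looks_sensitive(path) and not any(matches(p, path) for p in patterns)
    ]


# Constructed sample: the ignore file from the guide plus a small file tree.
IGNORE_FILE = """# .cody/ignore
.env*
secrets/
credentials.json
"""

REPO_FILES = [
    ".env",
    ".env.production",
    "config/.env.staging",
    "secrets/db-password.txt",
    "credentials.json",
    "deploy/credentials.json.bak",  # not excluded: the pattern is an exact name
    "infra/tls/server.key",         # not excluded: no pattern covers private keys
    "src/app.py",
]

if __name__ == "__main__":
    for path in uncovered_sensitive_files(IGNORE_FILE, REPO_FILES):
        print("not excluded from Cody context:", path)
```

Run against a real checkout by replacing REPO_FILES with the output of `git ls-files`; the two reported paths in the sample show the kind of gap worth closing, for instance by adding `*.key` and `credentials.json*` patterns.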

2. Review AI-Generated Code

Cody generates code based on the patterns in your codebase. If the existing code contains insecure patterns, suggestions may reproduce them.

3. Validate Security Suggestions

When Cody suggests security-related code, verify it follows current best practices.

4. Audit Dependencies

Check any packages Cody suggests for known vulnerabilities before adding them.
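One way to make this step repeatable is to gate a dependency change on the JSON output of npm audit (one of the tools listed later in this guide), blocking on serious findings anywhere and on any finding at all for packages that are being newly added. The script is an added example, not Sourcegraph's or npm's code; the report embedded in it is constructed, with invented package names, but follows the shape that npm 7 and later print for `npm audit --json` (a top-level "vulnerabilities" object keyed by package name, each entry with "severity", "range", "isDirect" and "fixAvailable").

```python
"""Fail a dependency change when `npm audit --json` reports serious findings.

Added example; not Sourcegraph's or npm's code. The report below is
constructed, but follows the shape npm 7+ prints: a top-level
"vulnerabilities" object keyed by package name, each entry carrying
"severity", "range", "isDirect" and "fixAvailable". Package names are invented.
"""
import json

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample report (what `npm audit --json` might print after adding
# packages an assistant suggested).
SAMPLE_AUDIT_JSON = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-left-pad": {
            "name": "example-left-pad", "severity": "low", "isDirect": True,
            "range": "<1.2.0", "fixAvailable": True,
        },
        "example-yaml": {
            "name": "example-yaml", "severity": "high", "isDirect": False,
            "range": "<4.1.0",
            "fixAvailable": {"name": "example-yaml", "version": "4.1.0", "isSemVerMajor": True},
        },
        "example-http": {
            "name": "example-http", "severity": "critical", "isDirect": True,
            "range": "<2.0.0", "fixAvailable": False,
        },
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 1, "moderate": 0,
                                     "high": 1, "critical": 1, "total": 3}},
})


def audit_findings(report_text, threshold="high", new_packages=()):
    """Return the findings that should block the change, most severe first.

    A finding blocks when its severity is at or above `threshold`, or when it
    is on a package in `new_packages` (anything suggested for addition) at any
    severity, so a new dependency must arrive clean.
    """
    report = json.loads(report_text)
    floor = SEVERITY_RANK[threshold]
    new = set(new_packages)
    blocking = []
    for name, entry in report.get("vulnerabilities", {}).items():
        severity = entry.get("severity", "info")
        if SEVERITY_RANK.get(severity, 0) >= floor or name in new:
            fix = entry.get("fixAvailable")
            if not fix:
                fix_text = "none"
            elif isinstance(fix, dict):
                fix_text = "upgrade to %s" % fix["version"]
            else:
                fix_text = "npm audit fix"
            blocking.append({
                "package": name,
                "severity": severity,
                "vulnerable_range": entry.get("range"),
                "direct": bool(entry.get("isDirect")),
                "fix": fix_text,
            })
    blocking.sort(key=lambda f: -SEVERITY_RANK.get(f["severity"], 0))
    return blocking


def audit_gate(report_text, threshold="high", new_packages=()):
    """Return True when the change may proceed, False when findings block it."""
    return not audit_findings(report_text, threshold, new_packages)


if __name__ == "__main__":
    findings = audit_findings(SAMPLE_AUDIT_JSON, new_packages=["example-left-pad"])
    for f in findings:
        print(f"{f['severity']:<9} {f['package']:<18} {f['vulnerable_range']:<8} fix: {f['fix']}")
    raise SystemExit(0 if not findings else 1)
```

In a real pipeline, replace SAMPLE_AUDIT_JSON with the captured output of `npm audit --json` and pass the names from the suggested change as new_packages; a non-zero exit stops the merge until the findings are fixed or explicitly accepted.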

5. Use for Code Review

Ask Cody to review code for security issues. Its codebase awareness can help find recurring patterns across the repository.

6. Scan Deployed Applications

Run VAS to verify your deployed application is secure.

Common Security Mistakes

Avoid these common Sourcegraph Cody security pitfalls:

Sensitive files in Cody's context
Inheriting insecure patterns from the codebase
Auto-accepting security-critical suggestions
Adding vulnerable dependencies
Not reviewing AI suggestions for authentication code

Recommended Security Tools

Use these tools to maintain security throughout development:

VAS Security Scanner
npm audit / yarn audit
Git-secrets
Snyk

Ready to Secure Your App?

Security is an ongoing process, not a one-time checklist. After implementing these steps, use VAS to verify your Sourcegraph Cody app is secure before launch, and consider regular scans as you add new features.

Frequently Asked Questions

Does Cody store my code?

Cody sends code context to generate suggestions. Review Sourcegraph's privacy policy for data handling. Enterprise deployments offer more control over data processing.

Can Cody help find security issues?

Yes, you can ask Cody to review code for security issues. Its codebase understanding helps identify recurring patterns. However, use dedicated security scanning for comprehensive coverage.