HOW TO SECURE SOURCEGRAPH CODY - SECURITY GUIDE | VIBEEVAL

Sourcegraph Cody Security Context

Cody is Sourcegraph’s AI coding assistant. The defining feature is code-graph context — Cody has structural knowledge of your repo (definitions, references, callers) and can pull from any indexed codebase, not just open files. Two consequences for security: (1) Cody can include code from any repo it indexes in any answer, so the access boundary is the indexed-repo set, not the open-file set; (2) Cody can be self-hosted, which is the cleanest answer to “where does my code go” for compliance-sensitive teams.

Security Checklist

1. Decide on hosting model

For data-sensitive code, deploy Sourcegraph Self-Hosted in your own VPC. Code stays on your infrastructure; LLM calls go to a provider you choose (Anthropic / OpenAI / your own gateway). For lower-sensitivity code, Sourcegraph Cloud is faster to set up and offers SOC 2; review the data-handling addendum before connecting any private repo.

2. Audit indexed repository access

In Sourcegraph admin → Repositories: review which repos are indexed and which users have access. Cody’s answers can include code from any repo a user has access to in the index — a developer with read access to the security-internal repo can ask Cody questions that surface code from there. Apply Sourcegraph’s repo-level permissions to match your code-host’s permissions exactly.

3. Configure access controls per team

Site admin → Users & Auth: configure SSO (Okta, Google Workspace, GitHub Enterprise). Map Sourcegraph permissions to your existing IDP groups so Cody access automatically reflects org-chart changes.

4. Set up code exclusions

Cody supports per-repo exclusions via Sourcegraph’s siteConfig’s cody.contextFilters. Exclude paths matching .env, secrets/, *.pem, internal docs that should not surface in completions. The denylist applies at query time, not just at index time.

5. Review enterprise security features

Cody Enterprise adds: BAA / SOC 2 reports for procurement, customer-managed encryption keys, audit log export, and the ability to bring your own LLM gateway (so prompts never leave your infrastructure). For teams with regulated data, these are the relevant controls.

6. Configure access controls for sensitive repos

Some repos shouldn’t be indexed at all (security incident response, compromised-credential review docs). Mark these as “no Cody” in the per-repo settings. The repo can still be searchable in Sourcegraph’s regular search; Cody just won’t pull from it.

7. Enable audit logging

Site admin → Updates and observability → Audit logs: enable. Audit logs track who asked Cody what — useful for incident response if a credential leak traces back to a Cody answer that surfaced it.

8. Validate suggested dependencies

When Cody suggests a package, run the same validation as for any code-gen tool: confirm it exists, check the version against npm audit or the equivalent, scan for the AI-specific phantom-package risk via the Package Hallucination Scanner.

9. Validate generated code patterns

Cody’s structural knowledge of your codebase helps it match local conventions, but doesn’t make the code secure. Apply the same review checklist as for any AI assistant: parameterized queries, validated inputs, auth on new routes, no secrets inline.

10. Configure VS Code / JetBrains extension settings

In Cody settings → Privacy: confirm “telemetry events include selected code” matches your sensitivity expectations (turn off for highly sensitive work). The default ships some surrounding code with feedback events.

11. Test generated authentication

If Cody scaffolds auth (less common than with full-stack tools, but happens for chat-driven feature requests): test sign-up → verify → log in → log out → reset → log in. See auth flows for the recurring shapes.

12. Review API integration suggestions

Cody-suggested API calls run with whatever credentials the calling code provides. Confirm: HTTPS-only, secrets in env vars not URLs, response validation before use, timeouts on every external call.

13. Require 2FA for Sourcegraph access

Site admin → Authentication providers: require 2FA via your SSO. Cody is one credential away from authoring suggestions in your repos and surfacing internal code in chat answers — 2FA is the cheapest control.

14. Review network security between Cody and LLM provider

For self-hosted deployments using a third-party LLM: the egress traffic goes from your VPC to the provider’s API. Confirm: TLS, no proxy logging the request bodies, IP allowlists if your provider supports them.

15. Configure data retention

For Cody Cloud: review the data retention defaults (typically 30 days for telemetry). For Cody Enterprise: configure to your compliance requirement (often 90 days for audit but 0-day for code snippets in telemetry).

16. Run a security scan on the deployment

After Cody-assisted code reaches production, the Vibe Code Scanner covers deploy-side patterns; the full VibeEval scan adds BOLA and webhook trust.

Related Resources

Free Self-Audit Suite

Five free scanners.

Vibe Coding Security Risk Guide

Full risk catalogue.

Automate Your Security Checks

VibeEval scans applications shipped via Cody-assisted code — every category above plus the long tail.