IMPORTED / SAFETY

IS SOURCEGRAPH CODY SAFE? SECURITY REVIEW 2026 | VIBEEVAL

Is Sourcegraph Cody safe? The short answer

Yes — Cody is one of the most enterprise-ready AI coding assistants on the market. The combination of SOC 2 Type II, optional self-hosting, granular permissions tied to existing repository access controls, and BYO model endpoints on Enterprise tier means Cody can be deployed in postures most other AI tools cannot match. The platform-layer risk is small. The risk that remains is the same risk every AI codegen tool carries — suggestions still ship with insecure patterns, and developers still have to review.

Enterprise security options

Cody offers self-hosted deployment for maximum privacy. Enterprise features include SSO, audit logs, granular access controls, and BYO model keys. This makes it suitable for organizations with strict security requirements that other AI assistants cannot meet:

  • Self-hosted Sourcegraph — the embeddings index, prompt traffic, and (with BYO endpoints) the model itself all stay inside your perimeter.
  • SAML SSO and SCIM — provisioning tied to your existing identity provider.
  • Audit logs — Cody events flow into the same audit log as the rest of Sourcegraph, so you have a single trail across code search, code intelligence, and AI usage.
  • Repository permissions — Cody can only read what the user can read in Sourcegraph. The permissions layer is shared, not bolted on.
  • BYO model endpoints — point Cody at a private Claude/GPT-4 deployment in your own VPC, or at an open-weights model running on internal hardware.

Security considerations

Codebase indexing

Cody indexes your codebase for context. The index makes Cody substantially more useful than a context-free completer — suggestions reference your actual functions, types, and conventions instead of generic patterns. The trade-off is data exposure: the index, by default, includes everything in the repository.

Fix. For sensitive projects, either self-host Sourcegraph so the index stays inside your perimeter, or configure cody.excludeFiles and repo-level exclusion rules so secrets, infrastructure code, and customer data fixtures never enter the index.

// .sourcegraph/cody.json or workspace settings
{
  "cody.excludeFiles": [
    "**/.env*",
    "**/secrets/**",
    "**/*.pem",
    "**/*.key",
    "infra/**",
    "fixtures/customer-data/**"
  ]
}

AI-generated vulnerabilities

Suggestions may contain security flaws. The codebase context improves quality but does not eliminate risks — Cody is still a language model trained on public code, and public code contains every common vulnerability. Patterns we see in Cody-authored diffs:

  • String-concatenated SQL queries when the file’s existing patterns are not detected (mixed ORM and raw SQL repos)
  • Missing auth checks on new routes added to a file with existing auth-protected routes
  • Permissive CORS in middleware additions
  • Hardcoded credentials in test files where Cody pulls in .env.example as context

The codebase-aware context cuts the rate of these mistakes substantially compared to context-free tools, but does not zero it out.

Access control

Configure team access appropriately. Cody can access any code the user has permissions for in Sourcegraph. This is the right behavior — it preserves least privilege — but it means that a user with broad read access has Cody with broad read access, including for prompts that pull context from sensitive repos.

Fix. Apply principle of least privilege at the Sourcegraph permissions layer. If a developer doesn’t need read access to the payments service, they should not have it, and neither should their Cody.

Credential patterns

AI may suggest insecure credential handling. Cody is no different from Copilot or Cursor here — if you ask for a Stripe integration, you may get a const STRIPE_KEY = "sk_test_..." suggestion. Always use proper secrets management (environment variables, AWS Secrets Manager, HashiCorp Vault) and add gitleaks to pre-commit so accepted credentials never reach the remote.

What we see in audits

Patterns specific to Cody-heavy repos:

  • Excluded .env files that still leak via context. A developer pastes a .env value into a chat to debug, and the value ends up in chat history.
  • Self-hosted Sourcegraph with default model routing. The org self-hosted to keep code in-perimeter, then forgot to switch the model from the default cloud endpoint. Code goes back out.
  • Permissions drift. Users get added to repos for a one-off task and never removed. A year later their Cody has full read access to systems they never work on.
  • Indexed test fixtures with real PII. A test suite with snapshot fixtures of real user data ends up in the embeddings index and shows up in suggestions for unrelated files.

Cody vs Copilot vs Tabnine

Three IDE-completion tools with overlapping use cases.

  • Cody — Best-in-class for enterprise compliance and data residency. Self-hosted plus BYO model endpoints lets you keep everything in-perimeter. Codebase-aware suggestions via Sourcegraph indexing.
  • Copilot — Largest model, broadest IDE coverage, deepest GitHub integration. Cloud-only inference. Best fit when you are already on GitHub Enterprise and the cloud-routing constraint is acceptable.
  • Tabnine — Local-only models for fully air-gapped environments. Lower completion quality than Cody or Copilot but the only option when no code can leave the machine. Permissively-licensed training data reduces IP risk.

For regulated industries, Cody self-hosted with BYO endpoints is usually the right answer.

Security assessment

Strengths

  • Enterprise-focused with SOC 2 Type II compliance
  • Self-hosted option for sensitive codebases
  • Codebase-aware context improves suggestion accuracy and reduces vulnerable suggestions
  • No code deployment — suggestion tool only
  • Granular access controls for teams via shared Sourcegraph permissions
  • BYO model keys and BYO model endpoints on Enterprise tier
  • Exclusion rules at file, path, and repo level
  • Audit logs integrated with the rest of Sourcegraph

Concerns

  • Code context sent to AI for processing on cloud configurations
  • Suggestions still contain vulnerabilities, especially in mixed-pattern repos
  • Requires read access to codebase for context — broad access means broad Cody
  • Developer must review generated code
  • Self-hosted operational complexity (you run the cluster)

Cody for enterprise

The Enterprise tier is where Cody differentiates from Copilot and Tabnine. Configuration patterns we see in regulated industries:

  1. Self-hosted Sourcegraph in customer VPC. Index, prompts, and Cody traffic all stay inside the perimeter.
  2. BYO model endpoints. Point Cody at a private Claude/GPT-4 deployment via Bedrock/Azure OpenAI, or at a self-hosted open-weights model (Qwen, DeepSeek, Llama).
  3. Exclusion lists for PHI/PII fixtures and infrastructure code. Pre-commit checks ensure those paths never enter the index.
  4. SAML SSO with enforced MFA. Provisioning and de-provisioning via SCIM.
  5. Audit log shipped to SIEM. Cody events alongside Git events.

That posture is defensible under HIPAA, SOC 2, FedRAMP-equivalent controls, and similar frameworks.

The verdict

Sourcegraph Cody is safe for enterprise and professional use. Self-hosted options and SOC 2 Type II compliance address most security concerns that block other AI assistants in regulated industries. The codebase-aware context improves suggestion quality and reduces (but does not eliminate) vulnerable patterns. Review all generated code for security issues, configure exclusion rules, apply least-privilege access controls, and run an automated scan on the deployed app before promoting to production.

How to secure Sourcegraph Cody (5-minute checklist)

  1. Choose self-hosted if you have data-residency requirements.
  2. Configure cody.excludeFiles to block secrets, infrastructure code, and PII fixtures from the index.
  3. Audit Sourcegraph repo permissions — Cody inherits them, so least-privilege Cody starts with least-privilege Sourcegraph.
  4. Enable BYO model endpoints for the strictest privacy posture.
  5. Add gitleaks to pre-commit so accepted credentials never reach the remote.
  6. Run a deployed-app scan to catch vulnerable patterns Cody suggested and review missed.

How to secure Sourcegraph Cody

Step-by-step security guide for hardening a Cody deployment from cloud to self-hosted.

Sourcegraph Cody security checklist

Interactive security checklist covering Cody Cloud and self-hosted Sourcegraph.

Scan your application

Let VibeEval scan your deployed application for security vulnerabilities. Cody’s codebase-aware suggestions cut vulnerability rates relative to other tools, but they do not zero them out — the deployed app still needs an attack-driven scan.

/ FAQ

COMMON QUESTIONS

01
Is Sourcegraph Cody safe to use?
Yes. Cody is one of the most enterprise-ready AI coding assistants on the market — SOC 2 Type II, optional self-hosting, granular access controls, and SAML SSO on Enterprise. The platform-layer risk is small. The remaining risk is the same as every AI codegen tool: suggestions still contain insecure patterns, and the developer still has to review.
Q&A
02
Does Cody index my whole codebase?
Yes. Cody builds an embeddings index of your codebase to provide context-aware suggestions. On Sourcegraph Cloud, that index lives in Sourcegraph's infrastructure. On self-hosted Sourcegraph, the index stays inside your perimeter. Excluded paths (configured via `cody.excludeFiles` or repo settings) are not indexed.
Q&A
03
Should I self-host Cody for sensitive codebases?
Yes, if you have data-residency requirements (regulated industries, classified or export-controlled code, IP that cannot leave the perimeter). Self-hosted Sourcegraph keeps the index, the prompts, and the model traffic inside your infrastructure. The trade-off is operational — you run the cluster and manage the model integrations yourself.
Q&A
04
Does Cody send my code to LLM providers?
Yes, by default. Cody routes prompts to Anthropic, OpenAI, or Fireworks (depending on your configuration). The Enterprise tier supports BYO model keys and BYO model endpoints, including private deployments of Claude or GPT-4 inside your own VPC. Self-hosted with private model endpoints is the highest-privacy configuration.
Q&A
05
Cody vs Copilot vs Tabnine — which is safest?
All three are safe as products. Cody wins on enterprise compliance and data-residency flexibility — self-hosting plus BYO model keys lets you keep everything inside your perimeter. Copilot wins on suggestion quality and IDE integration. Tabnine wins on local-only inference for fully air-gapped environments. None of the three eliminate vulnerable suggestions; pick on data-residency requirements.
Q&A
06
Does Cody respect repository access controls?
Yes. Cody can only read code the user has permissions for in Sourcegraph. If a user has access to repo A but not repo B, Cody will not include repo B in their suggestions. This is enforced at the Sourcegraph permissions layer, not at the model layer.
Q&A
07
Is Cody safe for regulated industries (healthcare, finance, defense)?
With the right configuration, yes. The pattern is: self-hosted Sourcegraph inside your VPC, BYO model endpoints (private Claude/GPT-4 deployments or open-weights models), exclusion lists for PHI/PII fixtures and infrastructure code, and SAML SSO with enforced MFA. That gets Cody to a posture defensible under HIPAA, SOC 2, FedRAMP-equivalent controls, and similar frameworks.
Q&A
/ NEXT STEP

SCAN YOUR APP

14-day trial. No card. Results in under 60 seconds.

START FREE SCAN