SpyBara
Go Premium

security/setup.md 2026-05-18 22:01 UTC to 2026-05-19 18:43 UTC

16 added, 59 removed.

2026
Sat 30 07:08 Fri 29 18:58 Thu 28 18:58 Wed 27 00:57 Tue 26 18:54 Sat 23 00:54 Fri 22 18:42 Thu 21 18:44 Wed 20 00:58 Tue 19 18:43 Mon 18 22:01 Thu 14 21:00 Wed 13 00:57 Tue 12 01:59 Mon 11 18:00 Thu 7 20:02 Tue 5 23:00 Sat 2 06:45 Fri 1 18:29

Setup – Codex Security

This page walks you from initial access to reviewed findings and remediation pull requests in Codex Security.

Confirm you’ve set up Codex Cloud first. If not, see Codex Cloud to get started.

1. Access and environment

Codex Security scans GitHub repositories connected through Codex Cloud.

  • Confirm your workspace has access to Codex Security.
  • Confirm the repository you want to scan is available in Codex Cloud.

Go to Codex environments and check whether the repository already has an environment. If it doesn’t, create one there before continuing.

Open environments

Codex environments

2. New security scan

After the environment exists, go to Create a security scan and choose the repository you just connected.

Create a security scan

Codex Security scans repositories from newest commits backward first. It uses this to build and refresh scan context as new commits come in.

To configure a repository:

  1. Select the GitHub organization.
  2. Select the repository.
  3. Select the branch you want to scan.
  4. Select the environment.
  5. Choose a history window. Longer windows provide more context, but backfill takes longer.
  6. Click Create.

Create a security scan

3. Initial scans can take a while

When you create the scan, Codex Security first runs a commit-level security pass across the selected history window. The initial backfill can take a few hours, especially for larger repositories or longer windows. If findings aren’t visible right away, this is expected. Wait for the initial scan to finish before opening a ticket or troubleshooting.

Initial scan setup is automatic and thorough. This can take a few hours. Don’t be alarmed if the first set of findings is delayed.

4. Review scans and improve the threat model

Review scans

Threat model editor in Codex Security

When the initial scan finishes, open the scan and review the threat model that was generated. After initial findings appear, update the threat model so it matches your architecture, trust boundaries, and business context. This helps Codex Security rank issues for your team.

If you want scan results to change, you can edit the threat model with your updated scope, priorities, and assumptions.

After initial findings appear, revisit the model so scan guidance stays aligned with current priorities. Keeping it current helps Codex Security produce better suggestions.

For a deeper explanation of threat models and how they affect criticality and triage, see Improving the threat model.

5. Review findings and patch

After the initial backfill completes, review findings from the Findings view.

Open findings

You can use two views:

  • Recommended Findings: an evolving top 10 list of the most critical issues in the repo
  • All Findings: a sortable, filterable table of findings across the repository

Recommended findings view

Click a finding to open its detail page, which includes:

  • a concise description of the issue
  • key metadata such as commit details and file paths
  • contextual reasoning about impact
  • relevant code excerpts
  • call-path or data-flow context when available
  • validation steps and validation output

You can review each finding and create a PR directly from the finding detail page.

Review findings and create a PR