Audit dependency incidents | Codex use cases

Codex use cases

Codex

Codex use case

Audit dependency incidents

Turn a public package advisory into a safe repo-audit plan.

Difficulty Advanced

Time horizon 1h

Use Codex to turn a public package or supply chain advisory into a read-only audit, then inspect manifests, lock files, CI workflows, and scripts without running untrusted code.

Best for

Engineering and security teams responding to public package or supply chain advisories.
Maintainers who need to check lock files, scripts, CI permissions, and caches before changing dependencies.
Incident reviews where Codex should gather evidence without installing packages or running untrusted code.

← All use cases

Copy page Export as PDF

Use Codex to turn a public package or supply chain advisory into a read-only audit, then inspect manifests, lock files, CI workflows, and scripts without running untrusted code.

Advanced

Best for

Engineering and security teams responding to public package or supply chain advisories.
Maintainers who need to check lock files, scripts, CI permissions, and caches before changing dependencies.
Incident reviews where Codex should gather evidence without installing packages or running untrusted code.

Skills & Plugins

GitHub

Inspect repository files, pull requests, workflows, and security-relevant history.

Skill	Why use it
GitHub	Inspect repository files, pull requests, workflows, and security-relevant history.

Starter prompt

Help me audit this repository for exposure to this public package advisory: [advisory URL]. Stay read-only unless I explicitly approve a remediation step. First, summarize:

affected packages and version ranges
authoritative sources versus broader reports
what evidence would prove exposure in this repo
what evidence would rule it out Then inspect:
package manifests and lock files
CI workflows and permissions
install, build, and postinstall scripts
vendored artifacts, containers, or generated bundles if relevant
cache or token exposure paths if the advisory involves CI or publishing Return:
evidence status: confirmed exposure, needs verification, or ruled out
severity and blast-radius notes
file references for every repo-specific claim
caveats and recommended next steps Do not install packages, run lifecycle scripts, build the project, execute untrusted code, rotate credentials, or clean up files unless I explicitly approve that step.

Open in the Codex app

Help me audit this repository for exposure to this public package advisory: [advisory URL]. Stay read-only unless I explicitly approve a remediation step. First, summarize:

affected packages and version ranges
authoritative sources versus broader reports
what evidence would prove exposure in this repo
what evidence would rule it out Then inspect:
package manifests and lock files
CI workflows and permissions
install, build, and postinstall scripts
vendored artifacts, containers, or generated bundles if relevant
cache or token exposure paths if the advisory involves CI or publishing Return:
evidence status: confirmed exposure, needs verification, or ruled out
severity and blast-radius notes
file references for every repo-specific claim
caveats and recommended next steps Do not install packages, run lifecycle scripts, build the project, execute untrusted code, rotate credentials, or clean up files unless I explicitly approve that step.

Start with a safe audit plan

When a dependency or supply chain incident moves quickly, the first useful output isn’t a rushed patch. It’s a clear audit plan: what changed, which packages or workflows might be affected, and what evidence would prove exposure in your repo.

Use Codex to turn the advisory into a conservative, read-only checklist before installing, building, testing, or running anything.

Keep the first pass read-only

Give Codex the public advisory, incident report, or affected package list.
Ask it to separate authoritative sources from broader commentary.
Have it define evidence that would prove or rule out exposure.
Let it inspect manifests, lock files, CI workflows, scripts, and relevant repo files.
Ask for findings grouped by evidence status, severity, and recommended next step.

For package incidents, avoid running install, build, test, import, or lifecycle commands until you know what the advisory affects. Codex can search lock files and workflows without executing untrusted code.

Report evidence status separately from severity

A useful audit result should show both how bad a finding would be and how strong the evidence is:

Codex

Confirmed exposure: the lockfile contains an affected package version in a production dependency path.

Needs verification: one CI job has publish permissions, but the workflow does not appear to install the affected package directly.

Ruled out: the package name appears in docs only and is not present in manifests or lock files.

Next step: review the proposed dependency update and token rotation plan before any destructive action.

Once the read-only pass is complete, you can ask Codex to prepare a remediation PR, update CI permissions, or write a follow-up incident note. Keep those actions separate from the initial audit.

Turn the confirmed findings from this audit into a remediation plan. For each finding, include:

proposed change
files or settings to update
test or verification step
rollback plan
whether I need to rotate a credential or review an external system Do not make changes yet. Keep any command that could execute untrusted code out of the plan unless you explain why it is safe.

[

Add evals to your AI application

Ask Codex to inspect your AI application, identify the behavior you want to evaluate, and...

Evaluation Quality](https://developers.openai.com/codex/use-cases/ai-app-evals)[

Create a CLI Codex can use

Ask Codex to create a composable CLI it can run from any folder, combine with repo scripts...

Engineering Code](https://developers.openai.com/codex/use-cases/agent-friendly-clis)[

Follow a goal

Use /goal when a task needs Codex to keep working across turns toward a verifiable...

Engineering Automation](https://developers.openai.com/codex/use-cases/follow-goals)

use-cases/dependency-incident-audits.md +170 −0 created

1# Audit dependency incidents | Codex use cases

3Codex use cases

5![](/assets/OpenAI-black-wordmark.svg)

7![Codex](/assets/OAI_Codex-Lockup_Fallback_Black.svg)

9Codex use case

11# Audit dependency incidents

13Turn a public package advisory into a safe repo-audit plan.

15Difficulty **Advanced**

17Time horizon **1h**

19Use Codex to turn a public package or supply chain advisory into a read-only audit, then inspect manifests, lock files, CI workflows, and scripts without running untrusted code.

21## Best for

23- Engineering and security teams responding to public package or supply chain advisories.

24- Maintainers who need to check lock files, scripts, CI permissions, and caches before changing dependencies.

25- Incident reviews where Codex should gather evidence without installing packages or running untrusted code.

27# Contents

29[← All use cases](https://developers.openai.com/codex/use-cases)

31Copy page [Export as PDF](https://developers.openai.com/codex/use-cases/dependency-incident-audits/?export=pdf)

33Use Codex to turn a public package or supply chain advisory into a read-only audit, then inspect manifests, lock files, CI workflows, and scripts without running untrusted code.

35Advanced

371h

39Related links

41[Codex Security](https://developers.openai.com/codex/security) [Agent approvals and security](https://developers.openai.com/codex/agent-approvals-security) [Codex cyber safety](https://developers.openai.com/codex/concepts/cyber-safety)

43## Best for

45- Engineering and security teams responding to public package or supply chain advisories.

46- Maintainers who need to check lock files, scripts, CI permissions, and caches before changing dependencies.

47- Incident reviews where Codex should gather evidence without installing packages or running untrusted code.

49## Skills & Plugins

51- [GitHub](https://developers.openai.com/codex/integrations/github)

53 Inspect repository files, pull requests, workflows, and security-relevant history.

55| Skill | Why use it |

56| --- | --- |

57| [GitHub](https://developers.openai.com/codex/integrations/github) | Inspect repository files, pull requests, workflows, and security-relevant history. |

59## Starter prompt

61Help me audit this repository for exposure to this public package advisory: [advisory URL].

62Stay read-only unless I explicitly approve a remediation step.

63First, summarize:

64- affected packages and version ranges

65- authoritative sources versus broader reports

66- what evidence would prove exposure in this repo

67- what evidence would rule it out

68Then inspect:

69- package manifests and lock files

70- CI workflows and permissions

71- install, build, and postinstall scripts

72- vendored artifacts, containers, or generated bundles if relevant

73- cache or token exposure paths if the advisory involves CI or publishing

74Return:

75- evidence status: confirmed exposure, needs verification, or ruled out

76- severity and blast-radius notes

77- file references for every repo-specific claim

78- caveats and recommended next steps

79Do not install packages, run lifecycle scripts, build the project, execute untrusted code, rotate credentials, or clean up files unless I explicitly approve that step.

81[Open in the Codex app](codex://new?prompt=Help+me+audit+this+repository+for+exposure+to+this+public+package+advisory%3A+%5Badvisory+URL%5D.%0A%0AStay+read-only+unless+I+explicitly+approve+a+remediation+step.%0A%0AFirst%2C+summarize%3A%0A-+affected+packages+and+version+ranges%0A-+authoritative+sources+versus+broader+reports%0A-+what+evidence+would+prove+exposure+in+this+repo%0A-+what+evidence+would+rule+it+out%0A%0AThen+inspect%3A%0A-+package+manifests+and+lock+files%0A-+CI+workflows+and+permissions%0A-+install%2C+build%2C+and+postinstall+scripts%0A-+vendored+artifacts%2C+containers%2C+or+generated+bundles+if+relevant%0A-+cache+or+token+exposure+paths+if+the+advisory+involves+CI+or+publishing%0A%0AReturn%3A%0A-+evidence+status%3A+confirmed+exposure%2C+needs+verification%2C+or+ruled+out%0A-+severity+and+blast-radius+notes%0A-+file+references+for+every+repo-specific+claim%0A-+caveats+and+recommended+next+steps%0A%0ADo+not+install+packages%2C+run+lifecycle+scripts%2C+build+the+project%2C+execute+untrusted+code%2C+rotate+credentials%2C+or+clean+up+files+unless+I+explicitly+approve+that+step. "Open in the Codex app")

83Help me audit this repository for exposure to this public package advisory: [advisory URL].

84Stay read-only unless I explicitly approve a remediation step.

85First, summarize:

86- affected packages and version ranges

87- authoritative sources versus broader reports

88- what evidence would prove exposure in this repo

89- what evidence would rule it out

90Then inspect:

91- package manifests and lock files

92- CI workflows and permissions

93- install, build, and postinstall scripts

94- vendored artifacts, containers, or generated bundles if relevant

95- cache or token exposure paths if the advisory involves CI or publishing

96Return:

97- evidence status: confirmed exposure, needs verification, or ruled out

98- severity and blast-radius notes

99- file references for every repo-specific claim

100- caveats and recommended next steps

101Do not install packages, run lifecycle scripts, build the project, execute untrusted code, rotate credentials, or clean up files unless I explicitly approve that step.

102

103## Start with a safe audit plan

104

105When a dependency or supply chain incident moves quickly, the first useful output isn’t a rushed patch. It’s a clear audit plan: what changed, which packages or workflows might be affected, and what evidence would prove exposure in your repo.

106

107Use Codex to turn the advisory into a conservative, read-only checklist before installing, building, testing, or running anything.

108

109## Keep the first pass read-only

110

1111. Give Codex the public advisory, incident report, or affected package list.

1122. Ask it to separate authoritative sources from broader commentary.

1133. Have it define evidence that would prove or rule out exposure.

1144. Let it inspect manifests, lock files, CI workflows, scripts, and relevant repo files.

1155. Ask for findings grouped by evidence status, severity, and recommended next step.

116

117For package incidents, avoid running install, build, test, import, or lifecycle commands until you know what the advisory affects. Codex can search lock files and workflows without executing untrusted code.

118

119## Report evidence status separately from severity

120

121A useful audit result should show both how bad a finding would be and how strong the evidence is:

122

123![](/assets/OAI_Codex-Blossom_Fallback_Black.svg)

124Codex

125

126**Confirmed exposure:** the lockfile contains an affected

127package version in a production dependency path.

128

129**Needs verification:** one CI job has publish permissions, but

130the workflow does not appear to install the affected package directly.

131

132**Ruled out:** the package name appears in docs only and is not

133present in manifests or lock files.

134

135**Next step:** review the proposed dependency update and token

136rotation plan before any destructive action.

137

138Once the read-only pass is complete, you can ask Codex to prepare a remediation PR, update CI permissions, or write a follow-up incident note. Keep those actions separate from the initial audit.

139

140Turn the confirmed findings from this audit into a remediation plan.

141For each finding, include:

142- proposed change

143- files or settings to update

144- test or verification step

145- rollback plan

146- whether I need to rotate a credential or review an external system

147Do not make changes yet. Keep any command that could execute untrusted code out of the plan unless you explain why it is safe.

148

149## Related use cases

150

151[![](https://developers.openai.com/codex/use-cases/ai-app-evals.webp)

152

153### Add evals to your AI application

154

155Ask Codex to inspect your AI application, identify the behavior you want to evaluate, and...

156

157Evaluation Quality](https://developers.openai.com/codex/use-cases/ai-app-evals)[![](https://developers.openai.com/codex/use-cases/agent-friendly-clis.webp)

158

159### Create a CLI Codex can use

160

161Ask Codex to create a composable CLI it can run from any folder, combine with repo scripts...

162

163Engineering Code](https://developers.openai.com/codex/use-cases/agent-friendly-clis)[![](https://developers.openai.com/codex/use-cases/follow-goals.webp)

164

165### Follow a goal

166

167Use `/goal` when a task needs Codex to keep working across turns toward a verifiable...

168

169Engineering Automation](https://developers.openai.com/codex/use-cases/follow-goals)

170

use-cases/dependency-incident-audits.md 2026-05-19 18:43 UTC to 2026-05-20 00:58 UTC

Audit dependency incidents | Codex use cases

Audit dependency incidents

Best for

Contents

Best for

Skills & Plugins

Starter prompt

Start with a safe audit plan

Keep the first pass read-only

Report evidence status separately from severity

Related use cases

Add evals to your AI application

Create a CLI Codex can use

Follow a goal