Run a deep security scan | Codex use cases
Run a deep security scan
Search an authorized repository deeply for plausible vulnerabilities.
Difficulty Advanced
Time horizon Long-running
Use the Codex Security plugin to run a higher-recall, repository-wide audit that repeats discovery, validates candidates, and produces reviewable report artifacts.
Best for
- Application security reviews of a complete repository that you own or are authorized to assess.
- High-recall reviews where additional runtime and token use are appropriate for finding more candidate issues.
- Security teams that need traceable finding evidence before deciding what to remediate.
Related links
- Codex Security plugin
- Agent approvals and security
- Codex cyber safety
Skills & Plugins
| Skill | Why use it |
|---|---|
| Codex Security:deep Security Scan | Run repeated repository-wide security discovery passes, validate surviving findings, analyze attack paths, and create reviewable reports. |
Starter prompt
/goal Run a deep security scan on this repository. Do not stop until all required steps are complete and the final report is ready. Scope and rules:
- I am authorized to assess this repository.
- Treat the entire repository as in scope.
- Use the Codex Security plugin's deep scan workflow; do not broaden this into a diff or scoped-path review.
- Keep the scan read-only; do not modify code, open pull requests, or test external targets.
Return the final Markdown and HTML report paths and summarize the findings that require human review first.
Choose a deep repository review
Use a deep scan when you need high-recall vulnerability discovery across a complete repository and can budget for a longer run. The Codex Security plugin repeats discovery passes before validating and prioritizing findings, so this workflow takes more time and tokens than an ordinary scan.
A deep scan is for an entire repository. To review one package or directory, use $codex-security:security-scan. To review a pull request, commit, branch diff, or working-tree patch, use $codex-security:security-diff-scan.
Prepare an authorized scan
- Open the repository in Codex and install the Codex Security plugin.
- Confirm that you own the repository or have authorization to assess it.
- Add repository-specific architecture, trust-boundary, build, test, and validation guidance in AGENTS.md when it will improve the review.
- Run the starter prompt and let the scan complete its repeated discovery, validation, attack-path analysis, and final reporting stages.
- Review the final reports before asking Codex to change code or reproduce a finding further.
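The preparation steps above mention adding repository-specific guidance in AGENTS.md. The following is an added example of what such a file can look like for a deep scan; it is not from the original page or from the Codex Security plugin, and the service layout, directory names, make targets, and report path in it are assumptions for a hypothetical repository.

```markdown
# AGENTS.md (hypothetical example written to support a read-only deep security scan)

## Architecture (assumed layout)
- `api/` is the HTTP service and the only component exposed to the internet; it calls into `core/`.
- `worker/` consumes jobs from an internal queue and writes to the primary database.
- `admin/` is an operator console that is reachable only from the corporate network.

## Trust boundaries
- Everything in an HTTP request (body, headers, query string, uploaded files) is untrusted.
- Queue messages are produced only by `api/`, but validate their schema anyway: a compromised
  API process could forge them, so `worker/` must not trust message contents blindly.
- Environment variables and files under `config/` are trusted; secrets are injected at runtime
  and must never be copied into logs, scan output, or reports.
- Rows written by `worker/` may contain untrusted request data; do not assume they are safe to
  render without encoding when `admin/` displays them.

## Build and test (assumed make targets)
- Install dependencies: `make setup`
- Unit and integration tests: `make test`
- Static checks: `make lint`
- Never run `make deploy` or anything under `scripts/release/`.

## Validation guidance for security findings
- This scan is read-only: validate by tracing the code path from the trust boundary to the sink
  and by running the existing test suite, not by writing new code or sending traffic to any
  staging or production host.
- Mark a finding "validated" only when the evidence shows the unsafe behavior is reachable with
  attacker-controlled input (for example, an authorization check that is skipped on one path).
  Reachability of the code alone is not validation.
- When confirming a finding would require a new test or a live reproduction, record that as a
  proof gap for human follow-up rather than attempting it during the scan.
- For each finding, cite the file and line range, the trust boundary the input crosses, the
  validation performed, any remaining proof gaps, and a bounded remediation direction.

## Scan rules
- Do not modify application code, open pull requests, or commit anything.
- Write report artifacts under `reports/security/` and return the final Markdown and HTML paths.
```

The validation section is the part worth tailoring to your own repository: it tells the scan what counts as evidence and what to leave as a proof gap, which is what makes the final report's validated and unvalidated findings easy to separate in the review step that follows.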
Review evidence before remediation
The final result should identify affected locations, why the behavior is reachable, what validation Codex performed, any remaining proof gaps, and a bounded remediation direction. Distinguish findings without validation evidence from validated findings.
Start remediation only for a finding you have selected and reviewed. Use Remediate a vulnerability backlog to fix findings one at a time with focused regression validation.
Related use cases
- [Scan code changes for security](https://developers.openai.com/codex/use-cases/scan-code-changes-for-security): Use the Codex Security plugin to examine a Git-backed change set, validate plausible... (Engineering Quality)
- [Add evals to your AI application](https://developers.openai.com/codex/use-cases/ai-app-evals): Ask Codex to inspect your AI application, identify the behavior you want to evaluate, and... (Evaluation Quality)
- [Audit dependency incidents](https://developers.openai.com/codex/use-cases/dependency-incident-audits): Use Codex to turn a public package or supply chain advisory into a read-only audit, then... (Engineering Quality)