# Remediate a vulnerability backlog

Turn reviewed findings into minimal fixes with regression evidence.

Difficulty: **Advanced**

Time horizon: **1h**

Bring in approved findings from ticketing tools or vulnerability reporting systems, then use the Codex Security plugin to validate and address them one at a time with bounded patches and regression evidence.

## Best for

- Teams with reviewed findings from Codex Security, Linear or Jira tickets, GitHub Security Advisories, HackerOne or Bugcrowd reports, penetration tests, or internal security reviews.
- Vulnerability backlogs where every patch needs a minimal diff and repeatable validation.
- Maintainers who want to separate security remediation from broader refactors or cleanup.

## Skills & Plugins

| Skill | Why use it |
| --- | --- |
| [$codex-security:fix-finding](https://developers.openai.com/codex/security/plugin) | Fix and verify one validated or plausible security finding with focused tests or reproduction evidence. |

## Starter prompt

```text
Use $codex-security:fix-finding to fix this security finding and verify the issue no longer reproduces.

Source: [Codex Security report / Linear or Jira ticket / GitHub Security Advisory / HackerOne or Bugcrowd report / other authorized source]

Title and affected component: [finding title and component]

Vulnerable source, sink, or broken control: [known path or unknown]

Attacker-controlled input and impact: [input, prerequisites, and impact]

Expected security invariant: [behavior the fix must enforce]

Existing proof: [report path, PoC, reproducer, test, or validation notes]

Affected files and lines: [paths and lines, or unknown]

Constraints: [supported behavior to preserve, test command, rollout requirement, or none]

Requirements:
- Confirm that the issue still exists before changing code when feasible.
- Make the smallest change that enforces the intended security invariant.
- Add focused regression coverage or the strongest repeatable validation artifact available.
- Verify legitimate behavior still works and the original issue no longer reproduces.
- Keep unrelated backlog findings and refactors out of this change.

Report the changed files, tests or validation artifacts, exact commands and results, proof that the original issue no longer reproduces, and remaining uncertainty. If the issue is already fixed, show the evidence and do not change code.
```
## Fix reviewed findings one at a time

authorized source. Connect the source where supported, or provide the report, ticket, or advisory with affected code and evidence whenever possible.

Don't hand Codex a broad backlog and ask it to change everything at once. A single-finding loop keeps the security invariant, patch, and validation evidence reviewable.

For each completed item, keep the original ticket, advisory, or report reference; the exact code change; the checks run; and any proof gap. If Codex finds that the issue is already fixed or it can't reproduce it, record that evidence instead of forcing an unnecessary code change.
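
The single-finding loop in code, as an added example that is not part of this page and not output of the Codex Security plugin: a constructed path-traversal finding in a hypothetical attachment helper is first reproduced against the "before" code, then patched with the smallest change that enforces the stated invariant, then checked with a repeatable artifact that also covers a symlink variant of the same class and confirms legitimate reads still work. The helper names (`load_attachment_vulnerable`, `load_attachment_fixed`), the file layout and the finding itself are assumptions made for illustration only.

```python
"""Added example (not from this page or the Codex Security plugin): one
reviewed finding taken through the reproduce, patch, verify loop.

The finding, the attachment helper and the file layout are constructed for
illustration only; they are not a real finding in any product.
"""
import os
import tempfile
from pathlib import Path

# Constructed finding: an attachment download helper builds a filesystem
# path from a request-controlled name. Expected security invariant: every
# file it serves must resolve to a location inside the attachment root.


def load_attachment_vulnerable(root: Path, name: str) -> bytes:
    """'Before' version: the untrusted name is joined with no containment check."""
    return (root / name).read_bytes()


def load_attachment_fixed(root: Path, name: str) -> bytes:
    """Minimal patch: resolve the candidate (following symlinks and '..') and
    refuse it unless it lies inside the resolved root. Nothing else changes."""
    real_root = root.resolve()
    candidate = (real_root / name).resolve()
    if real_root not in candidate.parents:
        raise PermissionError(f"attachment name escapes root: {name!r}")
    return candidate.read_bytes()


def build_fixture(tmp: Path) -> Path:
    """Constructed layout: <tmp>/attachments/report.pdf is legitimate;
    <tmp>/secret.txt sits outside the root; <tmp>/attachments/link is a
    symlink back out to secret.txt (a variant of the same finding class)."""
    root = tmp / "attachments"
    root.mkdir()
    (root / "report.pdf").write_bytes(b"%PDF-1.4 constructed sample")
    (tmp / "secret.txt").write_bytes(b"outside-root secret")
    os.symlink(tmp / "secret.txt", root / "link")
    return root


def _is_refused(func, root: Path, name: str) -> bool:
    """True if the helper refuses the name with PermissionError."""
    try:
        func(root, name)
    except PermissionError:
        return True
    return False


def remediation_evidence() -> dict:
    """Run the validation steps the starter prompt asks for and return the
    results as a dict the remediation report can quote verbatim."""
    with tempfile.TemporaryDirectory() as d:
        tmp = Path(d)
        root = build_fixture(tmp)
        secret = (tmp / "secret.txt").read_bytes()
        traversal = "../secret.txt"
        return {
            # 1. Confirm the issue still exists before changing code.
            "reproduced_before_fix":
                load_attachment_vulnerable(root, traversal) == secret,
            # 2. The original input must no longer reproduce after the patch.
            "blocked_after_fix": _is_refused(load_attachment_fixed, root, traversal),
            # 3. Regression coverage for the symlink variant of the same class.
            "symlink_blocked_after_fix": _is_refused(load_attachment_fixed, root, "link"),
            # 4. Legitimate behaviour is preserved.
            "legitimate_read_ok":
                load_attachment_fixed(root, "report.pdf") == b"%PDF-1.4 constructed sample",
        }


if __name__ == "__main__":
    for check, result in remediation_evidence().items():
        print(f"{check}: {'PASS' if result else 'FAIL'}")
```

`remediation_evidence()` returns the four booleans the report should cite: reproduction before the fix, refusal after it, coverage of the symlink variant, and preserved legitimate behaviour. In a real repository the "before" helper stays only in the reproduction step and is not shipped; the regression test asserts all four results so the evidence is repeatable on every run.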

## Related use cases

- [Run a deep security scan](https://developers.openai.com/codex/use-cases/deep-security-scan) (Engineering Quality): Use the Codex Security plugin to run a higher-recall, repository-wide audit that repeats...
- [Scan code changes for security](https://developers.openai.com/codex/use-cases/scan-code-changes-for-security) (Engineering Quality): Use the Codex Security plugin to examine a Git-backed change set, validate plausible...
- [Audit dependency incidents](https://developers.openai.com/codex/use-cases/dependency-incident-audits) (Engineering Quality): Use Codex to turn a public package or supply chain advisory into a read-only audit, then...