
use-cases/remediate-vulnerability-backlog.md 2026-06-09 18:50 UTC to 2026-06-10 20:00 UTC

57 added, 102 removed.


---
name: Remediate a vulnerability backlog
tagline: Turn reviewed findings into minimal fixes with regression evidence.
summary: Bring in approved findings from ticketing tools or vulnerability reporting systems, then use the Codex Security plugin to validate and address them one at a time with bounded patches and regression evidence.
skills:
  - token: $codex-security:fix-finding
    url: /codex/security/plugin
    description: Fix and verify one validated or plausible security finding with focused tests or reproduction evidence.
bestFor:
  - Teams with reviewed findings from Codex Security, Linear or Jira tickets, GitHub Security Advisories, HackerOne or Bugcrowd reports, penetration tests, or internal security reviews.
  - Vulnerability backlogs where every patch needs a minimal diff and repeatable validation.
  - Maintainers who want to separate security remediation from broader refactors or cleanup.
starterPrompt:
  title: Fix One Reviewed Finding
  body: >-
    Use $codex-security:fix-finding to fix this security finding and verify the issue no longer reproduces.

    Source: [Codex Security report / Linear or Jira ticket / GitHub Security Advisory / HackerOne or Bugcrowd report / other authorized source]

    Title and affected component: [finding title and component]

    Vulnerable source, sink, or broken control: [known path or unknown]

    Attacker-controlled input and impact: [input, prerequisites, and impact]

    Expected security invariant: [behavior the fix must enforce]

    Existing proof: [report path, PoC, reproducer, test, or validation notes]

    Affected files and lines: [paths and lines, or unknown]

    Constraints: [supported behavior to preserve, test command, rollout requirement, or none]

    Requirements:

    - Confirm that the issue still exists before changing code when feasible.
    - Make the smallest change that enforces the intended security invariant.
    - Add focused regression coverage or the strongest repeatable validation artifact available.
    - Verify legitimate behavior still works and the original issue no longer reproduces.
    - Keep unrelated backlog findings and refactors out of this change.

    Report the changed files, tests or validation artifacts, exact commands and results, proof that the original issue no longer reproduces, and remaining uncertainty. If the issue is already fixed, show the evidence and do not change code.
suggestedEffort: high
relatedLinks:
  - label: Codex Security plugin
    url: /codex/security/plugin
  - label: Run a deep security scan
    url: /codex/use-cases/deep-security-scan
  - label: Scan code changes for security
    url: /codex/use-cases/scan-code-changes-for-security
---


Fix reviewed findings one at a time

Use this workflow after a security finding has enough evidence for a bounded remediation decision. The finding can come from the Codex Security plugin, an issue tracker such as Linear or Jira, GitHub Security Advisories, a disclosure platform such as HackerOne or Bugcrowd, an internal review, or another authorized source. Connect the source where supported, or provide the report, ticket, or advisory with affected code and evidence whenever possible.

Don't hand Codex a broad backlog and ask it to change everything at once. A single-finding loop keeps the security invariant, patch, and validation evidence reviewable.

Close one item with evidence

  1. Select a finding from Codex Security, a ticketing system, a security advisory, a disclosure platform, or another source your team authorizes for remediation.
  2. Provide or retrieve its source reference; the vulnerable source, sink, or broken control; the attacker-controlled input; the affected files; the reproduction evidence; and the intended secure behavior.
  3. Ask $codex-security:fix-finding to reproduce or validate the issue before making a minimal patch, or to report that no code change is needed if it is already fixed.
  4. Review the regression test or validation artifact alongside the patch.
  5. Confirm that legitimate behavior remains supported and that the original vulnerable path no longer reproduces.
  6. Record remaining uncertainty before selecting the next item.

Keep the backlog auditable

For each completed item, keep the original ticket, advisory, or report reference; the exact code change; the checks run; and any proof gap. If Codex finds that the issue is already fixed or it can't reproduce it, record that evidence instead of forcing an unnecessary code change.
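The six-step loop above and the audit record this section asks for, shown on a constructed toy finding. This is an added illustration, not code from the Codex docs or from the plugin: the export reader, the path-traversal finding, the ticket id `TICKET-0000` and the file path `exports.py` are all placeholders. The block keeps the unpatched function beside the minimal fix, reproduces the issue against the unpatched version first, then records the evidence that the fix blocks it and that legitimate reads (including nested paths) still work.

```python
"""Constructed example of one remediation loop: reproduce a toy finding
against the original code, apply a minimal fix, and collect regression
evidence plus an audit record. Not part of the Codex Security plugin."""
from pathlib import Path
import tempfile

# Constructed finding record; every value here is a placeholder.
FINDING = {
    "source": "internal review ticket TICKET-0000 (placeholder)",
    "component": "export download handler (hypothetical)",
    "sink": "filesystem read of export_dir / name",
    "attacker_input": "name (request parameter, hypothetical)",
    "invariant": "every resolved path stays inside export_dir",
}


def read_export_before_fix(export_dir: Path, name: str) -> bytes:
    """The 'before' state as the finding describes it: no containment check."""
    return (export_dir / name).read_bytes()


def read_export(export_dir: Path, name: str) -> bytes:
    """Minimal patch: resolve the path and require it to stay under export_dir.
    resolve() also follows symlinks, so a link pointing outside is rejected."""
    base = export_dir.resolve()
    target = (base / name).resolve()
    if target == base or not target.is_relative_to(base):  # Path.is_relative_to needs Python 3.9+
        raise PermissionError(f"refusing path outside export dir: {name!r}")
    return target.read_bytes()


def run_regression_check() -> dict:
    """Steps 3 to 5 of the loop: confirm the issue exists, confirm the fix
    blocks it, and confirm supported behaviour still works. Returns evidence."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        export = root / "exports"
        (export / "2026").mkdir(parents=True)
        (export / "report.txt").write_bytes(b"ok")
        (export / "2026" / "q1.txt").write_bytes(b"q1")
        (root / "secret.txt").write_bytes(b"outside")  # must never be readable

        evidence = {}
        # Reproduce before touching code: the unpatched reader leaves the directory.
        evidence["reproduces_before_fix"] = (
            read_export_before_fix(export, "../secret.txt") == b"outside"
        )
        # The same input against the patched reader must be refused.
        try:
            read_export(export, "../secret.txt")
            evidence["blocked_after_fix"] = False
        except PermissionError:
            evidence["blocked_after_fix"] = True
        # Legitimate reads, including nested paths, are preserved.
        evidence["legitimate_read_ok"] = read_export(export, "report.txt") == b"ok"
        evidence["nested_read_ok"] = read_export(export, "2026/q1.txt") == b"q1"
        return evidence


def remediation_record(evidence: dict) -> dict:
    """Step 6 and the audit trail: the reference, the change, the checks run,
    and any proof gap, ready to attach to the ticket before the next item."""
    proof_gap = [name for name, ok in evidence.items() if not ok]
    return {
        "reference": FINDING["source"],
        "invariant": FINDING["invariant"],
        "changed_files": ["exports.py (hypothetical path)"],
        "checks_run": sorted(evidence),
        "reproduces_after_fix": not evidence.get("blocked_after_fix", False),
        "proof_gap": proof_gap or "none recorded",
    }


if __name__ == "__main__":
    print(remediation_record(run_regression_check()))
```

If `reproduces_before_fix` comes back false, the loop stops there: the issue is already fixed or the reproducer is wrong, and the record should carry that evidence rather than a code change. A `proof_gap` entry that is not empty is the "remaining uncertainty" the starter prompt asks Codex to report.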