Codex Security

For a prescriptive first local scan, start with the Codex Security plugin quickstart.

Explore plugin use cases

Run a security scan for a repository or one scoped folder.
Run a deep security scan when you need a more comprehensive scan and can wait longer for it to finish.
Review code changes before you merge a pull request or branch.
Triage a backlog when you have existing security findings to review.
Fix and verify findings with bounded patches for approved findings.
Export or track findings as portable artifacts or approval-gated tracking destinations.
See what's new in the Codex Security plugin.

The plugin runs in your Codex thread. Codex Security cloud scans connected GitHub repositories through Codex Web. For Codex sandboxing, approvals, network controls, and admin settings, see Agent approvals & security.

Codex Security cloud

Codex Security cloud is currently in research preview. It scans connected GitHub repositories for likely security issues.

It helps teams:

Find likely vulnerabilities by using a repo-specific threat model and real code context.
Reduce noise by validating findings before you review them.
Move findings toward fixes with ranked results, evidence, and suggested patch options.

How Codex Security cloud works

Codex Security scans connected repositories commit by commit. It builds scan context from your repo, checks likely vulnerabilities against that context, and validates high-signal issues in an isolated environment before surfacing them.

You get a workflow focused on:

repo-specific context instead of generic signatures
validation evidence that helps reduce false positives
suggested fixes you can review in GitHub

Codex Security cloud access and prerequisites

Codex Security is available for ChatGPT Enterprise, Edu, Business, and Pro users. It works with connected GitHub repositories through Codex Web. If you need access or a repository isn't visible, confirm the repository is available through your Codex Web workspace or contact your OpenAI account team.

Codex Security plugin quickstart walks through installation and a first local scan.
Codex Security cloud setup details setup, scanning, and findings review.
Improving the threat model explains how to tune scope, attack surface, and criticality assumptions.
FAQ covers common product questions.

security.md +11 −7

7 class="my-8"7 class="my-8"

8/>8/>

9 9

~~10For installation steps, supported skills, and review boundaries, see the~~10For a prescriptive first local scan, start with the [Codex Security plugin

~~11[Codex Security plugin guide](https://developers.openai.com/codex/security/plugin).~~11quickstart](https://developers.openai.com/codex/security/plugin).

12 12

13### Explore plugin use cases13### Explore plugin use cases

14 14

~~15- [Run a deep security scan](https://developers.openai.com/codex/use-cases/deep-security-scan) to perform a higher-recall repository-wide audit.~~15- [Run a security scan](https://developers.openai.com/codex/security/plugin/scans) for a repository or one scoped folder.

~~16- [Scan code changes for security](https://developers.openai.com/codex/use-cases/scan-code-changes-for-security) before you merge a pull request or branch.~~16- [Run a deep security scan](https://developers.openai.com/codex/security/plugin/deep-scans) when you need a more comprehensive scan and can wait longer for it to finish.

~~17- [Remediate a vulnerability backlog](https://developers.openai.com/codex/use-cases/remediate-vulnerability-backlog) with bounded fixes for approved findings.~~17- [Review code changes](https://developers.openai.com/codex/security/plugin/code-changes) before you merge a pull request or branch.

18- [Triage a backlog](https://developers.openai.com/codex/security/plugin/triage-backlog) when you have existing security findings to review.

19- [Fix and verify findings](https://developers.openai.com/codex/security/plugin/fix-findings) with bounded patches for approved findings.

20- [Export or track findings](https://developers.openai.com/codex/security/plugin/export-findings) as portable artifacts or approval-gated tracking destinations.

21- [See what's new](https://developers.openai.com/codex/security/plugin/changelog) in the Codex Security plugin.

18 22

19The plugin runs in your Codex thread. Codex Security cloud scans connected23The plugin runs in your Codex thread. Codex Security cloud scans connected

20 GitHub repositories through Codex Web. For Codex sandboxing, approvals,24 GitHub repositories through Codex Web. For Codex sandboxing, approvals,

49 53

50## Related docs54## Related docs

51 55

~~52- [Codex Security plugin guide](https://developers.openai.com/codex/security/plugin) covers local repository and diff-review workflows in Codex.~~56- [Codex Security plugin quickstart](https://developers.openai.com/codex/security/plugin) walks through installation and a first local scan.

~~53- [Codex Security cloud setup](https://developers.openai.com/codex/security/setup) covers setup, scanning, and findings review.~~57- [Codex Security cloud setup](https://developers.openai.com/codex/security/setup) details setup, scanning, and findings review.

54- [Improving the threat model](https://developers.openai.com/codex/security/threat-model) explains how to tune scope, attack surface, and criticality assumptions.58- [Improving the threat model](https://developers.openai.com/codex/security/threat-model) explains how to tune scope, attack surface, and criticality assumptions.

55- [FAQ](https://developers.openai.com/codex/security/faq) covers common product questions.59- [FAQ](https://developers.openai.com/codex/security/faq) covers common product questions.