Run a deep security scan

A deep scan is slower but more thorough than a standard scan. Use it when you want to reduce variability and search more comprehensively.

Start with a standard scan. Once you're satisfied with the results, run a deep scan for a more thorough assessment.

Choose between standard and deep scans

	Standard scan	Deep scan
Best for	First runs and routine repository or folder review	More thorough reviews after a standard scan
Variability	Standard	Reduced
Scope	Repository or explicit folder	Repository or explicit folder
Runtime and resources	Lower	Higher
Pull requests and diffs	Use the change-review workflow	Not supported; use the change-review workflow instead

Start the deep scan

For a repository-wide review, send:

Use $codex-security:deep-security-scan to run a deep security scan of this repository.

For one component in a monorepo, identify the folder explicitly:

Use $codex-security:deep-security-scan to run a deep security scan of /absolute/path/to/repository/services/payments.

In the Codex app, a scoped deep scan resolves the selected folder as the Codebase and shows its scan area as the entire selected target.

Confirm setup and preflight

Confirm Scan type is Codebase and Deep scan is on.
Confirm that Codebase is the repository or exact folder you intended to scan.
Add threat-model guidance only for concrete attack vectors, sensitive application areas, or repository context that the code can't reveal.
Select Start scan.
Review the capability preflight. If it proposes a configuration change, review the exact change and let Codex apply it only if it matches your environment. Start a new thread if Codex tells you a restart is required.

Review the result

Deep scans use the same findings workspace and generated report.md as standard scans. Review the coverage summary before the findings. A deep scan searches the code more extensively, but any deferred surface or proof gap still limits the conclusion. For a finding you accept, continue with Fix and verify a finding.

To review a pull request, commit, branch range, or local patch, use Review code changes. A deep scan never substitutes for the diff-focused workflow.

security/plugin/deep-scans.md +67 −0 created

1# Run a deep security scan

3A deep scan is slower but more thorough than a standard scan. Use it when you

4want to reduce variability and search more comprehensively.

6Start with a [standard scan](https://developers.openai.com/codex/security/plugin/scans). Once you're

7satisfied with the results, run a deep scan for a more thorough assessment.

9## Choose between standard and deep scans

11| | Standard scan | Deep scan |

12| ----------------------- | -------------------------------------------------- | ----------------------------------------------------- |

13| Best for | First runs and routine repository or folder review | More thorough reviews after a standard scan |

14| Variability | Standard | Reduced |

15| Scope | Repository or explicit folder | Repository or explicit folder |

16| Runtime and resources | Lower | Higher |

17| Pull requests and diffs | Use the change-review workflow | Not supported; use the change-review workflow instead |

19## Start the deep scan

21For a repository-wide review, send:

23```text

24Use $codex-security:deep-security-scan to run a deep security scan of this repository.

25```

27For one component in a monorepo, identify the folder explicitly:

29```text

30Use $codex-security:deep-security-scan to run a deep security scan of /absolute/path/to/repository/services/payments.

31```

33In the Codex app, a scoped deep scan resolves the selected folder as the

34**Codebase** and shows its scan area as the entire selected target.

36## Confirm setup and preflight

38<WorkflowSteps>

401. Confirm **Scan type** is `Codebase` and **Deep scan** is on.

412. Confirm that **Codebase** is the repository or exact folder you intended to

42 scan.

433. Add threat-model guidance only for concrete attack vectors, sensitive

44 application areas, or repository context that the code can't reveal.

454. Select **Start scan**.

465. Review the capability preflight. If it proposes a configuration change,

47 review the exact change and let Codex apply it only if it matches your

48 environment. Start a new thread if Codex tells you a restart is required.

50</WorkflowSteps>

52<VideoPlayer

53 src="/videos/codex/security/deep-scan-progress.mp4"

54 poster="/videos/codex/security/deep-scan-progress-poster.webp"

55/>

57## Review the result

59Deep scans use the same findings workspace and generated `report.md` as standard

60scans. Review the coverage summary before the findings. A deep scan searches

61the code more extensively, but any deferred surface or proof gap still limits

62the conclusion. For a finding you accept, continue with [Fix and verify a

63finding](https://developers.openai.com/codex/security/plugin/fix-findings).

65To review a pull request, commit, branch range, or local patch, use [Review code

66changes](https://developers.openai.com/codex/security/plugin/code-changes). A deep scan never substitutes

67for the diff-focused workflow.