1---1---
2name: Run a deep security scan2name: Run a deep security scan
3tagline: Search an authorized repository deeply for plausible vulnerabilities.3tagline: Search an authorized repository deeply for plausible vulnerabilities.
4summary: Use the Codex Security plugin to run a higher-recall, repository-wide4summary: Use the Codex Security plugin to run a more comprehensive audit of a
5 audit that repeats discovery, validates candidates, and produces reviewable5 repository or scoped folder that repeats discovery, validates candidates, and
6 report artifacts.6 produces reviewable coverage and findings.
7skills:7skills:
8 - token: $codex-security:deep-security-scan8 - token: $codex-security:deep-security-scan
9 url: /codex/security/plugin9 url: /codex/security/plugin/deep-scans
10 description: Run repeated repository-wide security discovery passes, validate10 description: Run repeated discovery passes over a repository or scoped folder,
11 surviving findings, analyze attack paths, and create reviewable reports.11 validate surviving findings, analyze attack paths, and generate reviewable
12 artifacts.
12bestFor:13bestFor:
13 - Application security reviews of a complete repository that you own or are14 - Application security reviews of a repository or component that you own or
14 authorized to assess.15 are authorized to assess.
15 - High-recall reviews where additional runtime and token use are appropriate16 - More comprehensive reviews where additional runtime and token use are
16 for finding more candidate issues.17 appropriate for finding more candidate issues.
17 - Security teams that need traceable finding evidence before deciding what to18 - Security teams that need traceable finding evidence before deciding what to
18 remediate.19 remediate.
19starterPrompt:20starterPrompt:
20 title: Run a Deep Security Scan21 title: Run a Deep Security Scan
21 body: >-22 body: >-
22 /goal Run a deep security scan on this repository. Do not stop until all23 Use $codex-security:deep-security-scan to run a deep security scan on [this
23 required steps are complete and the final report is ready.24 repository / absolute path to a scoped folder].
24 25
25 26
26 Scope and rules:27 Scope and rules:
27 28
28 - I am authorized to assess this repository.29 - I am authorized to assess this repository.
29 30
30 - Treat the entire repository as in scope.31 - Keep the scan within [the entire repository / the exact folder named
32 above].
31 33
32 - Use the Codex Security plugin's deep scan workflow; do not broaden this34 - Use the Codex Security plugin's deep-scan workflow; do not reinterpret
33 into a diff or scoped-path review.35 this as a pull request or diff review.
34 36
35 - Keep the scan read-only; do not modify code, open pull requests, or test
36 external targets.
37 37
38 38 Return the generated report path. Summarize the findings, reviewed surfaces,
39 Return the final Markdown and HTML report paths and summarize the findings39 and proof gaps that require human review first.
40 that require human review first.
41 suggestedEffort: high40 suggestedEffort: high
42relatedLinks:41relatedLinks:
43 - label: Codex Security plugin42 - label: Deep-scan guide
44 url: /codex/security/plugin43 url: /codex/security/plugin/deep-scans
45 - label: Agent approvals and security44 - label: Agent approvals and security
46 url: /codex/agent-approvals-security45 url: /codex/agent-approvals-security
47 - label: Codex cyber safety46 - label: Codex cyber safety
50 49
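Review bot: the starter prompt loses its read-only bullet ("Keep the scan read-only; do not modify code, open pull requests, or test external targets") with no replacement, while step 5 of the body still tells the user to review findings before asking Codex to change code; keep that bullet in the new prompt so the scan's authority is bounded in the prompt itself and not only in the later instructions. The two bracketed placeholders ("[this repository / absolute path to a scoped folder]" and "[the entire repository / the exact folder named above]") must be filled consistently, and the "I am authorized to assess this repository" bullet still says "repository" when a scoped folder is chosen; consider "this repository or folder". The output artifact is also named three ways (the prompt asks for "the generated report path", the summary promises "reviewable coverage and findings", the description says "reviewable artifacts"); pick one term.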
51## Choose a deep repository review50## Choose a deep repository review
52 51
53Use a deep scan when you need high-recall vulnerability discovery across a52Use a deep scan when you need a more comprehensive vulnerability review across
54complete repository and can budget for a longer run. The Codex Security plugin53a repository or explicit folder and can budget for a longer run. The Codex
55repeats discovery passes before validating and prioritizing findings, so this54Security plugin repeats discovery passes before validating and prioritizing
56workflow takes more time and tokens than an ordinary scan.55findings, so this workflow takes more time and resources than an ordinary scan.
57 56
58A deep scan is for an entire repository. To review one package or directory,57A deep scan can review an entire repository or one explicitly named package or
59use `$codex-security:security-scan`. To review a pull request, commit, branch58directory. To review a pull request, commit, branch diff, or working-tree patch,
60diff, or working-tree patch, use59use
61[$codex-security:security-diff-scan](https://developers.openai.com/codex/use-cases/scan-code-changes-for-security).60[$codex-security:security-diff-scan](https://developers.openai.com/codex/use-cases/scan-code-changes-for-security).
62 61
63## Prepare an authorized scan62## Prepare an authorized scan
64 63
65 64
66 65
671. Open the repository in Codex and install the [Codex Security plugin](https://developers.openai.com/codex/security/plugin).661. Open the repository in Codex and complete the [Codex Security plugin quickstart](https://developers.openai.com/codex/security/plugin).
682. Confirm that you own the repository or have authorization to assess it.672. Confirm that you own the repository or have authorization to assess it.
693. Add repository-specific architecture, trust-boundary, build, test, and validation guidance in `AGENTS.md` when it will improve the review.683. Add repository-specific architecture, trust-boundary, build, test, and validation guidance in `AGENTS.md` when it will improve the review.
704. Run the starter prompt and let the scan complete its repeated discovery, validation, attack-path analysis, and final reporting stages.694. Run the starter prompt and let the scan complete its repeated discovery, validation, attack-path analysis, and final reporting stages.
715. Review the final reports before asking Codex to change code or reproduce a finding further.705. Review the findings workspace and any proof gaps before asking Codex to change code or reproduce a finding further.
72 71
73 72
74 73
82Start remediation only for a finding you have selected and reviewed. Use81Start remediation only for a finding you have selected and reviewed. Use
83[Remediate a vulnerability backlog](https://developers.openai.com/codex/use-cases/remediate-vulnerability-backlog)82[Remediate a vulnerability backlog](https://developers.openai.com/codex/use-cases/remediate-vulnerability-backlog)
84to fix findings one at a time with focused regression validation.83to fix findings one at a time with focused regression validation.
84
85For setup, preflight, scoped targets, and runtime expectations, see [Run a deep
86security scan](https://developers.openai.com/codex/security/plugin/deep-scans).
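Review bot: the rewritten scope paragraph ("A deep scan can review an entire repository or one explicitly named package or directory") drops the only reference to `$codex-security:security-scan`, yet the paragraph before it still contrasts the deep scan with "an ordinary scan" without naming or linking it; keep a sentence pointing readers at the ordinary scan for the lighter single-directory case so the comparison stays actionable. Step 5 also introduces "findings workspace" and "proof gaps" without defining them on this page; either define them briefly or link that step to the deep-scans guide that the closing paragraph already cites.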