use-cases/scan-code-changes-for-security.md

name: Scan code changes for security tagline: Review a pull request or local diff for security regressions. summary: Use the Codex Security plugin to examine a Git-backed change set, validate plausible security regressions, and produce an evidence-based report before merge. skills:

token: $codex-security:security-diff-scan url: /codex/security/plugin/code-changes description: Review a pull request, commit, branch diff, or working-tree patch for security regressions with validation and attack-path evidence. bestFor:
Pull requests that touch authentication, authorization, parsing, file access, secrets, or privileged workflows.
Release branches or local patches that need a security-focused check before merge.
Reviewers who need findings anchored to changed code and directly supporting files. starterPrompt: title: Review a Change for Security Regressions body: >- Use $codex-security:security-diff-scan to review this PR, commit, branch diff, or working-tree patch for security regressions.

Scope and rules:
- Target: [this pull request / commit SHA / branch diff from BASE to HEAD / the current working-tree patch]
- I am authorized to assess this repository and change set.
- Pay particular attention to [auth, input handling, secrets, filesystem, network, dependencies, or other sensitive surface].
Return the final Markdown report and any Codex app review directives for findings that require human review. suggestedEffort: high relatedLinks:
label: Security change-review guide url: /codex/security/plugin/code-changes
label: Review GitHub pull requests url: /codex/use-cases/github-code-reviews
label: Agent approvals and security url: /codex/agent-approvals-security

Review the change instead of the whole repository

Use a security diff scan when a pull request, commit, branch, or local patch changes a sensitive code path. The Codex Security plugin uses repository context to understand the change, then keeps finding discovery and validation focused on the diff and directly supporting code.

This workflow complements ordinary code review. Use it when you want evidence about security regressions, not a general style or test review.

Run a focused pass

Open the repository and check out or describe the exact Git-backed change set to review.
Complete the Codex Security plugin quickstart and specify the pull request, commit, branch diff, or working-tree patch in the starter prompt.
Name high-risk surfaces in the change, such as authentication, parsers, file paths, network requests, or credential handling.
Run the prompt without requesting a fix so the first result remains a review artifact.
Check each reported affected line, validation result, and stated proof gap before deciding whether to remediate.

Follow through on a finding

A useful report distinguishes a reachable, supported security finding from a suspicion that still needs confirmation and can include Codex app review directives for affected lines. For an actionable result, open a new bounded fix task with the finding identifier or the relevant report section. See Remediate a vulnerability backlog for the fix-and-validation loop.

For change selectors, diff scope, and result review, see Review code changes for security.

use-cases/scan-code-changes-for-security.md +9 −9

6 before merge.6 before merge.

7skills:7skills:

8 - token: $codex-security:security-diff-scan8 - token: $codex-security:security-diff-scan

~~9 url: /codex/security/plugin~~9 url: /codex/security/plugin/code-changes

10 description: Review a pull request, commit, branch diff, or working-tree patch10 description: Review a pull request, commit, branch diff, or working-tree patch

11 for security regressions with validation and attack-path evidence.11 for security regressions with validation and attack-path evidence.

12bestFor:12bestFor:

19starterPrompt:19starterPrompt:

20 title: Review a Change for Security Regressions20 title: Review a Change for Security Regressions

21 body: >-21 body: >-

~~22 /goal Scan this PR, commit, branch diff, or working-tree patch for security~~22 Use $codex-security:security-diff-scan to review this PR, commit, branch

~~23 regressions. Do not stop until all in-scope changed files are covered and~~23 diff, or working-tree patch for security regressions.

~~24 all required steps are complete.~~

25 24

26 25

27 Scope and rules:26 Scope and rules:

34 - Pay particular attention to [auth, input handling, secrets, filesystem,33 - Pay particular attention to [auth, input handling, secrets, filesystem,

35 network, dependencies, or other sensitive surface].34 network, dependencies, or other sensitive surface].

36 35

~~37 - Keep this pass read-only; do not modify code or open a pull request.~~

39 36

40 Return the final Markdown report and any Codex app review directives for37 Return the final Markdown report and any Codex app review directives for

41 findings that require human review.38 findings that require human review.

42 suggestedEffort: high39 suggestedEffort: high

43relatedLinks:40relatedLinks:

~~44 - label: Codex Security plugin~~41 - label: Security change-review guide

~~45 url: /codex/security/plugin~~42 url: /codex/security/plugin/code-changes

46 - label: Review GitHub pull requests43 - label: Review GitHub pull requests

47 url: /codex/use-cases/github-code-reviews44 url: /codex/use-cases/github-code-reviews

48 - label: Agent approvals and security45 - label: Agent approvals and security

64 61

65 62

661. Open the repository and check out or describe the exact Git-backed change set to review.631. Open the repository and check out or describe the exact Git-backed change set to review.

~~672. Install the [Codex Security plugin](https://developers.openai.com/codex/security/plugin) and specify the pull request, commit, branch diff, or working-tree patch in the starter prompt.~~642. Complete the [Codex Security plugin quickstart](https://developers.openai.com/codex/security/plugin) and specify the pull request, commit, branch diff, or working-tree patch in the starter prompt.

683. Name high-risk surfaces in the change, such as authentication, parsers, file paths, network requests, or credential handling.653. Name high-risk surfaces in the change, such as authentication, parsers, file paths, network requests, or credential handling.

694. Run the prompt without requesting a fix so the first result remains a review artifact.664. Run the prompt without requesting a fix so the first result remains a review artifact.

705. Check each reported affected line, validation result, and stated proof gap before deciding whether to remediate.675. Check each reported affected line, validation result, and stated proof gap before deciding whether to remediate.

79fix task with the finding identifier or the relevant report section.76fix task with the finding identifier or the relevant report section.

80See [Remediate a vulnerability backlog](https://developers.openai.com/codex/use-cases/remediate-vulnerability-backlog)77See [Remediate a vulnerability backlog](https://developers.openai.com/codex/use-cases/remediate-vulnerability-backlog)

81for the fix-and-validation loop.78for the fix-and-validation loop.

80For change selectors, diff scope, and result review, see [Review code changes

81for security](https://developers.openai.com/codex/security/plugin/code-changes).

use-cases/scan-code-changes-for-security.md 2026-06-17 17:02 UTC to 2026-06-18 23:01 UTC

Review the change instead of the whole repository

Run a focused pass

Follow through on a finding