1# Setup – Codex Security1# Codex Security cloud setup
2 2
3This page walks you from initial access to reviewed findings and remediation pull requests in Codex Security.3This page walks you from initial access to reviewed findings and remediation
4pull requests in Codex Security cloud.
4 5
5Confirm you’ve set up Codex Cloud first. If not, see [Codex6Confirm you've set up Codex cloud first. If not, see [Codex
6Cloud](https://developers.openai.com/codex/cloud) to get started.7 cloud](https://learn.chatgpt.com/docs/cloud) to get started.
7 8
8## 1. Access and environment9## 1. Access and environment
9 10
10Codex Security scans GitHub repositories connected through [Codex Cloud](https://developers.openai.com/codex/cloud).11Codex Security cloud scans GitHub repositories connected through
12[Codex cloud](https://learn.chatgpt.com/docs/cloud).
11 13
12- Confirm your workspace has access to Codex Security.14- Confirm your workspace has access to Codex Security cloud.
13- Confirm the repository you want to scan is available in Codex Cloud.15- Confirm the repository you want to scan is available in Codex cloud.
14 16
15Go to [Codex environments](https://chatgpt.com/codex/settings/environments) and check whether the repository already has an environment. If it doesn’t, create one there before continuing.17Go to [Codex environments](https://chatgpt.com/codex/settings/environments) and check whether the repository already has an environment. If it doesn't, create one there before continuing.
16 18
17[Open environments](https://chatgpt.com/codex/settings/environments)19<CtaPillLink
20 href="https://chatgpt.com/codex/settings/environments"
21 label="Open environments"
22 icon="external"
23 class="my-8"
24/>
18 25
1926<div class="not-prose my-8 max-w-6xl overflow-hidden rounded-xl border border-subtle bg-surface">
27 <img
28 src={createEnvironment.src}
29 alt="Codex environments"
30 class="block h-auto w-full"
31 />
32</div>
20 33
21## 2. New security scan34## 2. New security scan
22 35
23After the environment exists, go to [Create a security scan](https://chatgpt.com/codex/security/scans/new) and choose the repository you just connected.36After the environment exists, go to [Create a security scan](https://chatgpt.com/codex/security/scans/new) and choose the repository you just connected.
24 37
25[Create a security scan](https://chatgpt.com/codex/security/scans/new)38<CtaPillLink
39 href="https://chatgpt.com/codex/security/scans/new"
40 label="Create a security scan"
41 icon="external"
42 class="my-8"
43/>
26 44
27Codex Security scans repositories from newest commits backward first. It uses this to build and refresh scan context as new commits come in.45Codex Security scans repositories from newest commits backward first. It uses this to build and refresh scan context as new commits come in.
28 46
355. Choose a **history window**. Longer windows provide more context, but backfill takes longer.535. Choose a **history window**. Longer windows provide more context, but backfill takes longer.
366. Click **Create**.546. Click **Create**.
37 55
3856<div class="not-prose my-8 max-w-6xl overflow-hidden rounded-xl border border-subtle bg-surface">
57 <img
58 src={createScan.src}
59 alt="Create a security scan"
60 class="block h-auto w-full"
61 />
62</div>
39 63
40## 3. Initial scans can take a while64## 3. Initial scans can take a while
41 65
42When you create the scan, Codex Security first runs a commit-level security pass across the selected history window.66When you create the scan, Codex Security first runs a commit-level security pass across the selected history window.
43The initial backfill can take a few hours, especially for larger repositories or longer windows.67The initial backfill can take a few hours, especially for larger repositories or longer windows.
44If findings aren’t visible right away, this is expected. Wait for the initial scan to finish before opening a ticket or troubleshooting.68If findings aren't visible right away, this is expected. Wait for the initial scan to finish before opening a ticket or troubleshooting.
45 69
46Initial scan setup is automatic and thorough. This can take a few hours. Don’t70Initial scan setup is automatic and thorough. This can take a few hours. Don’t
47be alarmed if the first set of findings is delayed.71 be alarmed if the first set of findings is delayed.
48 72
49## 4. Review scans and improve the threat model73## 4. Review scans and improve the threat model
50 74
51[Review scans](https://chatgpt.com/codex/security/scans)75<CtaPillLink
52 76 href="https://chatgpt.com/codex/security/scans"
5377 label="Review scans"
78 icon="external"
79 class="my-8"
80/>
81
82<div class="not-prose my-8 max-w-6xl overflow-hidden rounded-xl border border-subtle bg-surface">
83 <img
84 src={reviewThreatModel.src}
85 alt="Threat model editor in Codex Security"
86 class="block h-auto w-full"
87 />
88</div>
54 89
55When the initial scan finishes, open the scan and review the threat model that was generated.90When the initial scan finishes, open the scan and review the threat model that was generated.
56After initial findings appear, update the threat model so it matches your architecture, trust boundaries, and business context.91After initial findings appear, update the threat model so it matches your architecture, trust boundaries, and business context.
57This helps Codex Security rank issues for your team.92This helps Codex Security rank issues for your team.
58 93
59If you want scan results to change, you can edit the threat model with your94If you want scan results to change, you can edit the threat model with your
60updated scope, priorities, and assumptions.95 updated scope, priorities, and assumptions.
61 96
62After initial findings appear, revisit the model so scan guidance stays aligned with current priorities.97After initial findings appear, revisit the model so scan guidance stays aligned with current priorities.
63Keeping it current helps Codex Security produce better suggestions.98Keeping it current helps Codex Security produce better suggestions.
64 99
65For a deeper explanation of threat models and how they affect criticality and triage, see [Improving the threat model](https://developers.openai.com/codex/security/threat-model).100For a deeper explanation of threat models and how they affect criticality and triage, see [Improving the threat model](https://learn.chatgpt.com/docs/security/threat-model).
66 101
67## 5. Review findings and patch102## 5. Review findings and patch
68 103
69After the initial backfill completes, review findings from the **Findings** view.104After the initial backfill completes, review findings from the **Findings** view.
70 105
71[Open findings](https://chatgpt.com/codex/security/findings)106<CtaPillLink
107 href="https://chatgpt.com/codex/security/findings"
108 label="Open findings"
109 icon="external"
110 class="my-8"
111/>
72 112
73You can use two views:113You can use two views:
74 114
75- **Recommended Findings**: an evolving top 10 list of the most critical issues in the repo115- **Recommended Findings**: an evolving top 10 list of the most critical issues in the repo
76- **All Findings**: a sortable, filterable table of findings across the repository116- **All Findings**: a sortable, filterable table of findings across the repository
77 117
78118
79 119
80Click a finding to open its detail page, which includes:120Click a finding to open its detail page, which includes:
81 121
88 128
89You can review each finding and create a PR directly from the finding detail page.129You can review each finding and create a PR directly from the finding detail page.
90 130
91[Review findings and create a PR](https://chatgpt.com/codex/security/findings)131<CtaPillLink
132 href="https://chatgpt.com/codex/security/findings"
133 label="Review findings and create a PR"
134 icon="external"
135 class="my-8"
136/>
92 137
93## Related docs138## Related docs
94 139
95- [Codex Security](https://developers.openai.com/codex/security) gives the product overview.140- [Codex Security](https://learn.chatgpt.com/docs/security) gives the product overview.
96- [FAQ](https://developers.openai.com/codex/security/faq) covers common questions.141- [FAQ](https://learn.chatgpt.com/docs/security/faq) covers common questions.
97- [Improving the threat model](https://developers.openai.com/codex/security/threat-model) explains how to improve scan context and finding prioritization.142- [Improving the threat model](https://learn.chatgpt.com/docs/security/threat-model) explains how to improve scan context and finding prioritization.
98