SpyBara
Go Premium

security/plugin.md 2026-07-14 17:03 UTC to 2026-07-15 19:58 UTC

33 added, 21 removed.

2026
Fri 17 22:57 Thu 16 20:57 Wed 15 19:58 Tue 14 17:03 Wed 8 02:01 Mon 6 22:58

Codex Security plugin quickstart

Codex Security is a security-review plugin for Codex that scans your code for vulnerabilities, validates plausible findings, and presents evidence and remediation guidance in a reviewable workspace. Use it to find security issues in code you own or have authorization to assess before they reach production.

This quickstart takes you through one recommended first run: an ordinary, read-only scan of a local repository in Codex.

This page covers the plugin that runs in a local Codex task. To scan a connected GitHub repository in Codex cloud, see Codex Security cloud setup.

Install the plugin

  1. Open the repository you want to assess in Codex in the ChatGPT desktop app.

  2. Go to Plugins and search for Codex Security, or select the button below:

    Install the Codex Security plugin
  3. Start a new task in Codex for that repository (don't continue in a task that was already open).

Run your first scan

For the best scan quality, use gpt-5.6 with high or xhigh reasoning effort.

<VideoPlayer src="/videos/codex/security/scan-setup-to-findings.mp4" poster="/videos/codex/security/scan-setup-to-findings-poster.webp" />

  1. Ask for an ordinary scan

    Send this prompt in the new task:

    Run a Codex Security scan on this repository.
    
  2. Confirm the setup

    Codex opens a setup workspace before it starts. For your first run, use these settings:

    • Scan type: Codebase
    • Deep scan: Off
    • Scan area: Entire codebase
    • Threat model scoping guidance: Leave blank unless you already know a specific attack vector or application area that deserves priority.

    Confirm that Codebase, Current branch, and Last commit identify the repository you intended to scan. Then select Start scan.

    Codex Security setup workspace configured to scan an entire codebase
    Configure the scan target, scan area, branch, and optional threat model guidance before starting the scan.
  3. Let the scan finish

    The scan can take time. Keep the task running until the workspace reports completion. If Codex identifies a configuration limitation, review the exact limitation and proposed change before allowing it to update your configuration.

  4. Review the result

    Use the UI to browse findings or open the generated report for a complete, portable review.

    Completed Codex Security findings workspace for OWASP Juice Shop
    Browse findings by severity, category, directory, patch status, and review status.

What the scan creates

Every completed scan opens a findings workspace. Use it to review findings and coverage without inspecting raw artifacts. The scan also creates the files below.

  • report.md, a complete portable report for sharing or archiving.
  • Structured scan data in scan-manifest.json, findings.json, and coverage.json for automation and integrations. You normally don't need to open these files yourself.

Choose your next workflow