Codex Security helps engineering and security teams find, validate, and remediate likely vulnerabilities in connected GitHub repositories.
This page covers Codex Security, the product that scans connected GitHub repositories for likely security issues. For Codex sandboxing, approvals, network controls, and admin settings, see Agent approvals & security.
Codex Security helps teams:
- Find likely vulnerabilities by using a repo-specific threat model and real code context.
- Reduce noise by validating findings before you review them.
- Move findings toward fixes with ranked results, evidence, and suggested patch options.
How it works
Codex Security scans connected repositories commit by commit. It builds scan context from your repo, checks candidate vulnerabilities against that context, and validates high-signal issues in an isolated environment before surfacing them as findings.
You get a workflow focused on:
- repo-specific context instead of generic signatures
- validation evidence that helps reduce false positives
- suggested fixes you can review in GitHub
Access and prerequisites
Codex Security works with connected GitHub repositories through Codex cloud. OpenAI manages access. If you need access or a repository isn’t visible, contact your OpenAI account team and confirm the repository is available through your Codex cloud workspace.
Related docs
- Codex Security setup covers setup, scanning, and findings review.
- FAQ covers common product questions.
- Improving the threat model explains how to tune scope, attack surface, and criticality assumptions.