OpenAI Launches Codex Security

OpenAI launched Codex Security, an AI agent for automating code security reviews that aims to surface real vulnerabilities and suggest fixes. Codex Security leverages OpenAI’s latest models to analyze codebases, identify subtle bugs, and recommend remediations. OpenAI is also offering open-source maintainers free access to ChatGPT Pro alongside Codex tooling to bolster the security and quality of widely-used open-source infrastructure.

OpenAI's Codex Security, previously known as Aardvark, evolved from an internal AI-powered vulnerability research project. During its private beta phase, Codex Security identified vulnerabilities like SSRF and cross-tenant authentication issues, which OpenAI's security team quickly patched.

Codex Security leverages agentic reasoning and automated validation to deliver high-confidence findings and actionable fixes. It analyzes code repositories, builds threat models, and categorizes findings based on real-world impact. The tool pressure-tests potential flaws in sandboxed environments to reduce false positives.

During initial testing, Codex Security scanned over 1.2 million commits across external repositories. It identified 792 critical and 10,561 high-severity issues, including 14 vulnerabilities logged in the CVE database. The tool uncovered vulnerabilities in projects like OpenSSH, GnuTLS, and Chromium.

OpenAI is offering open-source maintainers API credits, six months of free ChatGPT Pro with Codex, and Codex Security access through the "Codex for OSS" initiative. To qualify, projects must be hosted on GitHub and have at least 1,000 stars. The program aims to provide maintainers with tools for code generation, analysis, and security review.

Codex Security is available in research preview to ChatGPT Pro, Enterprise, Business, and Edu customers via Codex web, with free usage for the first month. ChatGPT Plus costs $20 per month, while Pro costs $200 per month. Business plans start at $30 per user per month.

Competitors to Codex Security and Codex include Claude Code Security, GitHub Copilot, Google Jules, and Windsurf (formerly Codeium). These alternatives offer features like on-premise deployment, integration with various IDEs, and asynchronous task handling.

Limitations of Codex include potential knowledge gaps regarding recent technologies and challenges with very large codebases. It may also struggle with specific business logic or understanding implicit requirements. Codex is not infallible and may generate code with vulnerabilities. Codex Security can learn from user feedback to refine its threat model and improve precision. Users can adjust the criticality of findings to help the system learn what matters in their architecture.
