OpenAI Pivots Codex to Code Security
OpenAI is updating its Codex platform with a major focus on application security. A new preview, “Codex Security,” is designed to find and fix vulnerabilities in codebases, signaling a push toward AI-driven, automated software security.
The new security-focused version of Codex originated from an internal OpenAI tool named Aardvark. During its private beta, the tool helped OpenAI's internal security team patch a critical cross-tenant authentication vulnerability and a server-side request forgery (SSRF) issue within hours of discovery.

Codex Security operates by first analyzing a repository to create a project-specific threat model, which outlines the system's architecture and potential weak points. This context-first approach lets it then scan for vulnerabilities, and each candidate finding is tested in a sandboxed environment to validate its real-world impact before it is flagged to developers. During the beta program, the system's precision improved significantly, cutting false positive rates by over 50% and reducing findings with overstated severity by more than 90%. In one case, repeated scans on the same repository reduced noise by 84% compared with its initial rollout.

In the 30 days leading up to its public preview, Codex Security scanned over 1.2 million commits and identified 792 critical and 10,561 high-severity vulnerabilities. The tool has also been used to find and report 14 vulnerabilities in major open-source projects, earning CVEs for issues in tools like OpenSSH, GnuTLS, PHP, and Chromium.

This move into automated security comes just two weeks after competitor Anthropic launched a similar product, Claude Code Security. The release of Anthropic's tool was followed by a drop in the stock prices of several publicly traded cybersecurity firms, including CrowdStrike and Cloudflare. The original OpenAI Codex models, launched in 2021, famously powered the first version of GitHub Copilot before being deprecated in 2023 in favor of newer models like GPT-4. Codex Security is now being offered as a research preview to ChatGPT Enterprise, Business, and Edu customers.