How do I connect a GitHub repo to Codex Security?

Open chatgpt.com/codex/security/scans/new, choose the GitHub organization, repository, branch, and the matching Codex environment, then pick a history window and click Create. The repo must already be available in Codex Cloud with an environment set up, and the GitHub App needs pull-request write and contents read scopes.

How much does Codex Security cost?

Independent reviews price Codex Security around two cents per 1,000 lines of code scanned. A 100,000-line repo runs roughly two dollars per full scan, and a twenty-repo workspace with daily scans averaging 50,000 lines tracks near six hundred dollars per month. Access is currently gated through ChatGPT Business, Enterprise, or Edu plans.

How does Codex Security reduce false positives?

Each candidate finding gets pushed into an isolated sandbox where the agent attempts to exploit it. If the exploit fails because input validation or a WAF rule catches it upstream, the finding is downgraded or dropped. Coupled with the editable threat model, OpenAI reports false positives down more than fifty percent and noise reduction near eighty-four percent versus traditional SAST.

What languages does Codex Security support?

Independent reviews show the deepest analysis on Python, JavaScript, TypeScript, Go, and Java. Ruby, PHP, and Kotlin are noted as roadmap gaps as of March 2026. If your stack centers on a supported language, results are strong. On unsupported languages, treat Codex Security as advisory only and lean harder on Semgrep or CodeQL.

Can Codex Security replace Semgrep or Snyk?

No. It complements them. Codex Security excels at semantic reasoning and sandbox-validated impact analysis. Semgrep remains the fast deterministic gate that costs nothing per scan, and Snyk owns dependency CVE coverage with the largest vulnerability database. A layered pipeline with all three catches more than any single tool, per the 2026 sanj.dev comparison.

What does Codex Security miss that DAST still catches?

Codex Security is code-level, so it misses runtime issues: CORS misconfig, debug flags in production, TLS settings, missing security headers, and broken authorization checks that only fail under real authenticated traffic. OWASP API number one is at runtime. Pair Codex Security with a DAST tool like StackHawk or ZAP in CI to cover the gap.

AI Security

OpenAI Codex Security GitHub Setup Guide: 2026 Walkthrough

Q: What is OpenAI Codex Security?

OpenAI Codex Security is an AI application security agent that connects to GitHub repositories, scans commits against a repo-specific threat model, validates likely vulnerabilities in a sandbox, and opens patches as pull requests. It lives at chatgpt.com/codex/security and is the practitioner front end of OpenAI's Daybreak cybersecurity stack.

Q: How is Codex Security different from Daybreak?

Daybreak is OpenAI's broader cybersecurity initiative launched May 11, 2026, bundling GPT-5.5-Cyber, a Trusted Access tier, and integrations with Akamai, Cisco, Cloudflare, CrowdStrike, Fortinet, Oracle, Palo Alto Networks, and Zscaler. Codex Security is the practitioner-facing scanner inside Daybreak. You set up Codex Security to use Daybreak capabilities on your repos.

OpenAI Codex Security is a vulnerability-scanning agent that connects to your GitHub repos, builds a codebase-specific threat model, validates findings in a sandbox, and opens patches as pull requests. You set it up at chatgpt.com/codex/security, give it a repo and history window, then edit the auto-generated threat model so triage matches your architecture.

May 14, 2026-

12 min read-Last updated: 2026-05-14

OpenAI CodexCodex SecurityDaybreakAI SASTDevSecOps

Table of Contents

TL;DR

Codex Security lives at chatgpt.com/codex/security. It is a SaaS scanner, not a GitHub Action. The openai/codex-action action is a separate product for the coding agent.
Three-stage loop: identify (commit-by-commit pass against a threat model), validate (sandbox exploit attempt), remediate (PR patch).
Independent testing reports 74% true positive rate on 31 findings versus Semgrep at 20% and Snyk at 28% on the same 162,000-line, four-language corpus.
Editing the threat model is the highest-leverage step. Default findings without that edit drift toward generic priorities.
Daybreak (May 11, 2026) makes Codex Security the front end of OpenAI's full cybersecurity stack with GPT-5.5-Cyber, a Trusted Access tier, and integrations with eight enterprise security vendors.

What Is OpenAI Codex Security?

Codex Security is OpenAI's AI application security agent. It connects to your GitHub repositories, scans them commit-by-commit against a codebase-specific threat model, validates likely findings in isolated sandboxes, and proposes patches as pull requests for human review. The product launched in private beta in March 2026 and graduated into the centerpiece of OpenAI's Daybreak cybersecurity initiative on May 11, 2026.

The three-stage workflow is the part worth keeping in mind: identification, validation, and remediation. Identification is the commit-level pass that generates candidate findings. Validation is the step that separates Codex Security from pattern-matching SAST tools: a sandbox spins up, the agent tries to exploit the candidate, and if the exploit fails because input validation, a WAF rule, or framework defaults catch it upstream, the finding gets dropped or downgraded. Remediation is the patch generation step, which lands as a normal GitHub pull request you can review and merge.

There's a naming-collision worth clearing up before you start. Three different products carry the "Codex" brand and they are not interchangeable:

Product	What it is	Where it lives
Codex Security	Vulnerability scanner with sandbox validation and PR patches	`chatgpt.com/codex/security`
Codex CLI	Local coding agent (think Claude Code equivalent)	`npm install -g @openai/codex`
openai/codex-action	GitHub Action for running the coding agent in CI	`github.com/openai/codex-action`

This guide is about the first one. If you arrived expecting a YAML workflow, you want the action repo instead. There is no GitHub Action that runs Codex Security findings yet; the scanner is a hosted SaaS surface and the integration is the GitHub App that authorizes repository access.

OpenAI's own beta data is worth knowing as context. The agent scanned 1.2 million commits across external repos during private beta and surfaced 10,561 high-severity findings plus 792 critical ones, including heap-buffer overflows and auth bypasses in projects like OpenSSH and Chromium according to The Hacker News coverage from March 2026. Daybreak then folded Codex Security under a broader umbrella that includes GPT-5.5-Cyber, a Trusted Access tier, and enterprise integrations with Akamai, Cisco, Cloudflare, CrowdStrike, Fortinet, Oracle, Palo Alto Networks, and Zscaler.

Prerequisites for Connecting a GitHub Repo

Codex Security is gated access today. Before you spend time clicking through the UI, check four boxes. Missing any of them sends you back to an admin or your OpenAI account team, and there's no point starting the scan setup until they're all green.

1. Workspace with Codex Security enabled

You need a ChatGPT Business, Enterprise, or Edu workspace with the Codex Security toggle on. Free, Plus, Pro, and Go accounts can use the Codex coding agent but not the security scanner. If you don't see chatgpt.com/codex/security in your workspace nav, that's the toggle: your account team turns it on after a short eligibility review. The Codex Security help center article covers the request flow.

2. Repo available in Codex Cloud

Codex Security scans repos that are reachable through Codex Cloud, the same workspace surface that powers the Codex Web coding agent. If you've never used Codex on this repo before, install or re-install the OpenAI GitHub App against the organization that owns the repo, with these scopes at minimum:

Contents: read for the source scan
Pull requests: write so patches can open PRs
Metadata: read for the basic repo info
Commit statuses: read if you want findings tied to commit history

3. Codex environment for the repo

Each repo Codex Security touches needs a matching Codex environment, which is where the sandbox validation step runs. Open chatgpt.com/codex/settings/environments and create one if the repo doesn't already have it. The environment controls the runtime, network policy, and any setup scripts the agent runs before exploring code.

4. Production branch identified

Pick the branch you actually deploy from before you start. Most teams use main or master. You can scan multiple branches by creating multiple scans against the same repo, but the threat model is scoped per scan, so it pays to start with the production branch where findings have the most blast radius.

How to Set Up Codex Security on GitHub

With the prerequisites in place, the click-path is short. The slow part is the initial backfill, which on a midsize repo can take a few hours. Plan to fire this off and check back later rather than babysitting it.

Step 1: Start a new security scan

Open chatgpt.com/codex/security/scans/new. The form is short: organization, repository, branch, environment, history window. The official setup docs walk through the same flow in developers.openai.com/codex/security/setup.

Step 2: Pick the history window deliberately

The history window controls how much git history Codex Security pulls in for the initial pass. It's the one knob in the form that meaningfully changes both backfill duration and finding quality. My defaults:

30 to 60 days for an app on active development. Backfill finishes in a few hours. You catch recent regressions without paying for context on stale code.
6 to 12 months for mature production services where the attack surface accumulated slowly. Backfill takes overnight. You catch latent bugs that have been sitting around.
Full history when you're onboarding a legacy codebase for the first time and need a baseline. Plan for several days.

Step 3: Click Create and let backfill run

Once you click Create, Codex Security runs a commit-level security pass across the selected window. This is the long step. On my first scan against a 40,000-line Python repo with a 90-day window, backfill took about 3 hours. The scan stays available in chatgpt.com/codex/security/scans with a status indicator while it works.

Step 4: Verify near-real-time scanning

After backfill completes, push a small commit to the scanned branch. Codex Security should pick it up within minutes and run an incremental pass. If the incremental scan never fires, the GitHub App likely lost its webhook permissions, which is the most common silent failure I've seen. Re-install the app against the org and the scan resumes.

Editing the Threat Model (the Step Most Posts Skip)

Backfill produces an initial threat model the agent auto-generates from the code. It captures what Codex Security thinks your application is, where attackers come in, and what matters. This is the highest-leverage knob in the entire product. Most public guides mention it exists; few show how to actually use it.

From chatgpt.com/codex/security/scans, open the repo and click Edit. A markdown-style editor appears with the auto-generated model. Four sections matter: entry points and untrusted inputs, trust boundaries and authentication assumptions, sensitive data paths or privileged actions, and review priorities. The official threat-model docs give an example that maps cleanly to most web apps:

markdownthreat-model.md

# Application overview

Public API for account changes. Accepts JSON requests and file uploads.
Uses an internal auth service for identity checks and writes billing
changes through an internal service.

## Entry points and untrusted inputs

- POST /api/v1/account: JSON body, untrusted, requires session token
- POST /api/v1/uploads: multipart, untrusted, max 25 MB, jpeg/png/pdf
- Webhook: POST /hooks/stripe: signed payload, validated upstream

## Trust boundaries

- /api/* requires a valid session cookie verified against internal auth
- /internal/* binds to 127.0.0.1, no auth on purpose, ops-only
- All service-to-service calls go through service mesh with mTLS

## Sensitive data paths

- Billing writes route through services/billing.py:apply_change
- Token rotation in services/auth.py:rotate_session
- PII exports in handlers/exports.py guarded by role admin

## Review priorities

Focus review on auth checks in /api/*, upload parsing in /api/v1/uploads,
and service-to-service trust boundaries. Deprioritize /internal/* which
is bound to localhost and not exposed.

Edits change ranking on the next scan pass. Re-run the scan after a meaningful edit so the impact shows up in the Recommended Findings list. On a Django repo where the initial pass surfaced thirty generic findings, adding a focused threat model and re-running cut the Recommended list to twelve with much sharper prioritization.

A workflow tip that saves time

Don't draft the threat model in the web editor. Paste the auto-generated version into Claude or ChatGPT, paste your repo's top-level structure alongside it, and iterate through conversation. You get a sharper model in five minutes than you would in twenty in the web UI. Then paste the polished result back. This is a pattern OpenAI's own team has recommended in conversations about Codex Security workflow.

Triaging Findings and Shipping Patches

Once findings appear, the workflow becomes a normal review loop. The Findings view at chatgpt.com/codex/security/findings splits into two tabs.

Recommended Findings: the top 10 prioritized by impact and validation confidence. Start here every session.
All Findings: the full sortable, filterable table. Filter by Validated first to skip unvalidated candidates.

Each finding card includes description, impact reasoning, code excerpt, and the sandbox validation evidence. The validation block is the one piece that distinguishes Codex Security from a generic LLM scanner. When the agent says "exploit succeeded in sandbox," it ran the actual payload, not a guess. When it says "exploit failed because input validation caught it," the finding gets dropped or downgraded automatically.

From finding to merged PR

Each finding has a Generate Patch action that opens a pull request against the scanned branch. The PR includes the proposed fix, a short rationale, and a back-link to the finding. Independent testing reports a high merge rate: an Agent Finder review tracked 18 of 23 proposed fixes merged without modification, with the remaining 5 needing only minor adjustments to match project conventions.

Treat the patches as a strong first draft rather than green-light merges. Run your normal review, CI, and lint gates. The model has no awareness of your downstream consumers or release process, so a patch that looks isolated in the finding card may break a contract somewhere else. The mitigation is the same as for any external contributor PR: read it, run tests, ask questions before clicking merge.

Accuracy Benchmarks vs Semgrep and Snyk

The most-cited comparison comes from an independent 2026 test on 162,000 lines across four production repos (Python Django, TypeScript React, Go microservice, Java Spring Boot). The numbers are the headline reason practitioners are paying attention to Codex Security at all:

Tool	Findings reported	Confirmed real	True positive rate
Codex Security	31	23	74%
Snyk	89	25	28%
Semgrep	147	29	20%

Source: Agent Finder, Codex Security Review 2026. OpenAI's own beta data tells a similar story from the other direction: false positives down more than 50% across all repositories, and noise reduction roughly 84% versus traditional SAST tools per the StackHawk analysis.

Two honest caveats. First, these are vendor-friendly comparisons run on corpora where contextual reasoning has an inherent advantage over pattern matching. Real-world results depend heavily on whether the threat model is actually edited and whether the codebase is in a supported language. Second, Semgrep's 20% TPR doesn't mean Semgrep is useless. It means Semgrep over-fires by default, which is a different problem with a different solution (tighter rule sets, custom YAML).

The right takeaway: Codex Security raises the signal-to-noise ratio of a scan, and the sandbox-validation step is what gets it there. Where it doesn't fit, the older tools still earn their seat in the pipeline.

Codex Security vs Claude Code Security Review

Both products ship as official vendor tooling. The deployment models are different enough that picking the wrong one wastes a week of setup.

Dimension	Codex Security	Claude Code Security Review
Shape	Hosted SaaS dashboard	GitHub Action you install
Scope	Whole repo + history, continuous	Per-PR diff only
Validation	Sandbox exploit attempt	Self-verification sub-task
Output	Ranked findings + auto-PR patches	Inline PR comments
Billing	~$0.02 per 1,000 LOC scanned	Tokens against your Anthropic API key
Access	ChatGPT Business/Enterprise/Edu (gated)	Anyone with a Claude API key

Pick by workload. If you want continuous repo-wide audit with sandbox-validated findings ranked by impact, Codex Security fits. If you want per-PR advisory commentary with transparent cost-per-PR math, the Claude action fits. I wrote a full setup walkthrough for the Anthropic side that pairs with this one: Claude Code Security Review GitHub Action: 2026 Setup Guide.

In practice, layering both on the same repo is more useful than picking a winner. Codex Security does the continuous background audit. The Claude action runs at PR time as an advisory commenter. Underneath them both, Semgrep stays as the deterministic blocking gate that costs nothing per scan. The point is layered coverage, not benchmark wars between vendors.

Cost, Limits, and What Codex Security Misses

Independent reviews price Codex Security at roughly $0.02 per 1,000 lines of code scanned. A 100,000-line repo runs about $2 per full scan. Twenty repos averaging 50,000 lines each, scanned daily, work out to around $600 per month per the Agent Finder review. These numbers are directional. OpenAI is still iterating on pricing and access is gated through ChatGPT Business, Enterprise, or Edu plans, so your contract may look different.

For broader cost-control patterns that apply across AI coding tools, I wrote a separate guide on Claude Code cost tracking. The same approach works for any token-billed or LOC-billed scanner.

Language coverage

Deepest analysis on Python, JavaScript, TypeScript, Go, and Java. Ruby, PHP, and Kotlin are roadmap gaps as of the March 2026 reviews I pulled from. If your stack lives outside the supported set, treat Codex Security as advisory only and lean harder on Semgrep with custom rules or CodeQL for that language.

Runtime gaps where DAST still matters

Codex Security is a code-level scanner. It cannot see four categories of issue that only manifest at runtime, called out by StackHawk's analysis:

Deployment misconfiguration: CORS policies, debug mode left on in production, TLS settings, missing security headers.
Broken authorization at runtime: OWASP API number one. Requires real authenticated requests across user identities.
Business logic flaws across microservices: order manipulation, workflow bypass, privilege escalation chains that emerge from how services compose at runtime.
Infrastructure-dependent issues: rate limits, auto-scaling behavior, secrets management at the orchestrator layer.

For those, you still want a DAST tool running against the deployed application in CI: StackHawk, ZAP, Burp Suite Enterprise. The combination of Codex Security at code level and DAST at runtime closes more of the attack surface than either alone.

False positive flags during normal work

One real friction point: multiple GitHub issues against openai/codex report cyber-safety flags firing on ordinary development work, including simple version-comparison scripts, document management, and benign Kaggle ONNX Runtime competition code. The triage rate isn't zero. If your team builds tools that look adjacent to security or networking, budget time to clear false flags or appeal them through the cyber-safety review process.

Troubleshooting Common Failures

Five issues show up often enough that they're worth calling out before you hit them.

Scan stuck in backfill for over 24 hours

Narrow the history window to 90 days and recreate the scan. Long windows on large repos can stall when commits hit the agent's context limits. Once a focused backfill completes, you can clone the scan and extend the window incrementally.

Findings feel generic

Edit the threat model. Generic findings are a threat-model problem, not a model problem. After a substantive edit, re-run the scan and the Recommended Findings list reshuffles to match the priorities you documented.

PR patches conflict with project style

Add a STYLEGUIDE.md reference into the repo's Codex environment setup so patch generation picks up your conventions on the next pass. The agent reads environment context before drafting fixes.

Cyber-safety flag on benign code

Known friction, multiple GitHub reports. File against openai/codex with a reproduction. The OpenAI team triages these and the false positive rate has been trending down release over release.

Repo not appearing in Codex Cloud

The GitHub App needs reinstall scoped to that org or repo. Check Settings, Integrations, GitHub and confirm the OpenAI app has the required scopes. Re-installing usually fixes scan discovery within a minute or two.