Key Findings

• OpenAI has launched Codex Security, an AI-powered security agent designed to find, validate, and propose fixes for software vulnerabilities.

• Over the last 30 days, Codex Security has scanned more than 1.2 million commits across external repositories, identifying 792 critical and 10,561 high-severity findings.

• The vulnerabilities found include issues in various open-source projects like OpenSSH, GnuTLS, GOGS, Thorium, libssh, PHP, and Chromium.

• Codex Security leverages OpenAI's frontier models and the Codex agent to ground vulnerability discovery, validation, and patching in system-specific context.

• The agent builds a threat model to understand the security-relevant structure of the system, which it then uses to identify and validate vulnerabilities.

• Codex Security proposes fixes that align with the system's intent and behavior, minimizing regressions and making patches easier to review and deploy.

• The tool has demonstrated increasing precision and declining false positive rates, with the latter falling by more than 50% across all tested repositories.

Background

OpenAI's Codex Security represents an evolution of the company's previous Aardvark project, which was unveiled in private beta in October 2025 as a way for developers and security teams to detect and fix security vulnerabilities at scale.

The latest iteration of the application security agent leverages the reasoning capabilities of OpenAI's frontier models and combines them with automated validation to minimize the risk of false positives and deliver actionable fixes.

Prioritizing and Validating Issues

Codex Security works in three steps: it analyzes a repository to generate an editable threat model that captures the system's security-relevant structure, uses this model to identify vulnerabilities and classify them based on real-world impact, and then validates the flagged issues in a sandboxed environment.

When configured with a project-specific environment, the agent can validate potential issues directly in the context of the running system, further reducing false positives and enabling the creation of working proofs-of-concept.

Contextual Patching and Continuous Learning

Codex Security proposes fixes that best align with the system's behavior, reducing the risk of regressions and making the patches easier to review and deploy. The agent also learns from user feedback, such as adjusted criticality ratings, to refine its threat model and improve precision over time.

Supporting the Open Source Community

OpenAI is using Codex Security to scan open-source repositories critical to its operations and sharing high-impact findings with maintainers. This approach aims to provide a more sustainable way to address real security concerns without overwhelming maintainers with a flood of low-quality reports.

As part of this initiative, OpenAI has reported critical vulnerabilities to widely used projects, resulting in fourteen CVEs. The company is also onboarding open-source maintainers into a program offering free ChatGPT Pro/Plus accounts, code review, and Codex Security access.

Sources

• https://thehackernews.com/2026/03/openai-codex-security-scanned-12.html

• https://www.startuphub.ai/ai-news/artificial-intelligence/2026/openai-debuts-codex-security-agent