OpenAI says Codex Security scanned 1.2 million commits and flagged more than 10,500 high-severity issues


OpenAI has started rolling out Codex Security, a new AI security agent that scans code repositories for vulnerabilities, validates likely findings, and proposes fixes. The company says the product is now in research preview for ChatGPT Pro, Enterprise, Business, and Edu users through Codex web, with free usage for the next month.

The headline number is large. OpenAI says that over the last 30 days of its beta, Codex Security scanned more than 1.2 million commits across external repositories and identified 792 critical findings plus 10,561 high-severity findings. OpenAI also says critical issues appeared in under 0.1% of scanned commits, which it frames as evidence that the system can operate at scale without flooding reviewers with low-value noise.

What Codex Security does

OpenAI says Codex Security works in three stages. First, it analyzes a repository and builds an editable threat model that captures what the system does, what it trusts, and where it may be exposed. Then it searches for vulnerabilities and tries to validate high-signal findings in isolated environments. Finally, it proposes fixes that aim to improve security without creating unnecessary regressions.

That approach is meant to address a common complaint about AI-assisted security tools. OpenAI says many existing systems generate too many low-impact alerts and false positives, which leaves security teams buried in triage instead of working on the issues that matter most.

OpenAI’s beta results

OpenAI says Codex Security improved significantly during its beta period. In one case, scans on the same repository cut noise by 84% since the initial rollout. The company also says it reduced over-reported severity by more than 90% and lowered false positive rates by more than 50% across all repositories in the beta cohort.

Those figures remain OpenAI’s own measurements, but they help explain why the company now presents Codex Security as a step beyond Aardvark, the private beta security effort it introduced last year. OpenAI says Codex Security is the evolution of that earlier work.

Open-source projects already affected

OpenAI says it has already used Codex Security to scan widely used open-source projects that it depends on. In its announcement, the company named OpenSSH, GnuTLS, GOGS, Thorium, libssh, PHP, and Chromium among the projects where it reported high-impact issues. OpenAI says 14 CVEs have been assigned, with dual reporting on two of them.

The company’s appendix includes sample vulnerabilities across projects such as GnuTLS, GOGS, GnuPG-related components, and Thorium. OpenAI did not claim that any listed project had been compromised in the wild; rather, it said Codex Security surfaced vulnerabilities that it then reported to the maintainers.

Why this matters

Codex Security shows where AI coding and AI security are starting to merge. Instead of stopping at code review, OpenAI wants the same agentic workflow to understand a project, test whether a bug is real, and help produce a patch. The developer documentation also makes clear that the product focuses on connected GitHub repositories and structured findings with remediation suggestions, not just generic scanning.

OpenAI is also using the launch to push support for open-source maintainers. Its Codex for Open Source program offers six months of ChatGPT Pro with Codex, conditional access to Codex Security, and API credits for eligible projects.

Codex Security at a glance

Item | Official detail
Product | Codex Security
Availability | Research preview in Codex web for ChatGPT Pro, Enterprise, Business, and Edu users
Free access window | Free usage for the next month
Beta scale | 1.2 million+ commits scanned in the last 30 days
Findings | 792 critical and 10,561 high-severity findings
Workflow | Threat model, validation, and fix suggestions
OSS program | Six months of ChatGPT Pro with Codex, conditional Codex Security access, and API credits

FAQ

What is Codex Security?

OpenAI describes it as an application security agent that helps engineering and security teams find, validate, and remediate likely vulnerabilities in connected GitHub repositories.

Who can use Codex Security right now?

OpenAI says the research preview is rolling out to ChatGPT Pro, Enterprise, Business, and Edu customers through Codex web.

How many issues did it find during beta?

OpenAI says it found 792 critical findings and 10,561 high-severity findings while scanning more than 1.2 million commits across external repositories in the last 30 days of beta.

How does it reduce false positives?

OpenAI says it uses repository-specific context, editable threat models, and isolated validation environments before surfacing findings.

Did OpenAI say it found real CVEs?

Yes. OpenAI says 14 CVEs have been assigned from issues it reported in open-source projects, with dual reporting on two of them.
