Primary navigation

Codex Security plugin quickstart

Install the Codex Security plugin, run your first read-only scan, and review the result in Codex.

Codex Security is a security-review plugin for Codex that scans your code for vulnerabilities, validates plausible findings, and presents evidence and remediation guidance in a reviewable workspace. Use it to find security issues in code you own or have authorization to assess before they reach production.

This quickstart takes you through one recommended first run: an ordinary, read-only scan of a local repository in Codex.

This page covers the plugin that runs in a local Codex chat. To scan a connected GitHub repository in Codex cloud, see Codex Security cloud setup.

Install the plugin

  1. Open the repository you want to assess in Codex in the ChatGPT desktop app.

  2. Go to Plugins and search for Codex Security, or select the button below:

  3. Start a new chat in Codex for that repository (don’t continue in a chat that was already open).

Run your first scan

For the best scan quality, use gpt-5.6 with high or xhigh reasoning effort.

  1. Ask for an ordinary scan

    Send this prompt in the new chat:

    Run a Codex Security scan on this repository.
  2. Confirm the setup

    Codex opens a setup workspace before it starts. For your first run, use these settings:

    • Scan type: Codebase
    • Deep scan: Off
    • Scan area: Entire codebase
    • Threat model scoping guidance: Leave blank unless you already know a specific attack vector or application area that deserves priority.

    Confirm that Codebase, Current branch, and Last commit identify the repository you intended to scan. Then select Start scan.

    Codex Security setup workspace configured to scan an entire codebase

    Configure the scan target, scan area, branch, and optional threat model guidance before starting the scan.

  3. Let the scan finish

    The scan can take time. Keep the scan running until the workspace reports completion. If Codex identifies a configuration limitation, review the exact limitation and proposed change before allowing it to update your configuration.

  4. Review the result

    Use the UI to browse findings, or open report.md as the entry point to the complete scan directory.

    Completed Codex Security findings workspace for OWASP Juice Shop

    Browse findings by severity, category, directory, patch status, and review status.

What the scan creates

Every completed scan opens a findings workspace. Use it to review findings and coverage without inspecting raw artifacts. The scan also creates the files below.

  • report.md, the primary readable entry point to the scan results.
  • findings/<slug>/, with one detailed vulnerability report per reportable finding and supporting proof-of-concept files when available.
  • hardening/, with a structural hardening portfolio and supporting proposals or diagrams when the scan has reportable findings.
  • Structured scan data in scan-manifest.json, findings.json, and coverage.json for automation and integrations. You normally don’t need to open these files yourself.

Keep the full scan directory together when sharing or archiving results so the links from report.md continue to work.

Choose your next workflow