OpenAI's new AI-powered security agent Codex Security has scanned over 1.2 million commits during beta testing, identifying thousands of critical vulnerabilities across major open-source projects including OpenSSH, GnuTLS, and Chromium.
OpenAI has launched Codex Security, an AI-powered security agent that scans code repositories for vulnerabilities and suggests fixes. The tool, which builds on the earlier Aardvark project, has already analyzed over 1.2 million commits during its beta phase, uncovering 792 critical and 10,561 high-severity findings across major open-source projects.
How Codex Security Works
The security agent operates in three distinct phases. First, it analyzes a repository to understand the project's security-relevant structure and generates an editable threat model. This contextual understanding forms the foundation for identifying vulnerabilities based on their real-world impact. Second, the tool pressure-tests flagged issues in a sandboxed environment to validate them, significantly reducing false positives. Third, it proposes fixes that align with system behavior to minimize regressions and make deployment easier.
Impressive Accuracy Improvements
OpenAI reports that its scans have shown increasing precision over time, with false positive rates falling by more than 50% across all repositories. The tool leverages the reasoning capabilities of OpenAI's frontier models combined with automated validation to deliver actionable fixes while minimizing noise from insignificant bugs.
Real-World Impact on Open-Source Projects
During the beta period, Codex Security identified vulnerabilities in several prominent open-source projects:
- GnuPG: CVE-2026-24881, CVE-2026-24882
- GnuTLS: CVE-2025-32988, CVE-2025-32989
- GOGS: CVE-2025-64175, CVE-2026-25242
- Thorium: Seven separate CVEs ranging from CVE-2025-35430 to CVE-2025-35436
- Other affected projects include libssh, PHP, and Chromium
Competitive Landscape
This launch comes weeks after Anthropic introduced Claude Code Security, which offers similar functionality for scanning codebases and suggesting patches. The emergence of these AI-powered security tools represents a significant shift in how organizations approach vulnerability detection and remediation.
Availability and Pricing
Codex Security is currently available in research preview to ChatGPT Pro, Enterprise, Business, and Edu customers through the Codex web interface. OpenAI is offering free usage for the next month as part of the preview period. The company emphasizes that the tool is designed to improve signal-to-noise ratios by grounding vulnerability discovery in system context and validating findings before presenting them to users.
For developers and security teams dealing with large codebases, this AI-driven approach could significantly reduce the time spent on manual security reviews while improving the quality of vulnerability detection. The ability to validate findings in a sandboxed environment before surfacing them represents a meaningful advancement over traditional static analysis tools that often overwhelm users with false positives.
The tool's success in identifying real vulnerabilities across major open-source projects suggests it could become an essential part of the DevSecOps toolkit, particularly for organizations struggling to keep pace with the growing complexity of modern software systems.
Comments
Please log in or register to join the discussion