4 Sources
[1]
OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues
OpenAI on Friday began rolling out Codex Security, an artificial intelligence (AI)-powered security agent that's designed to find, validate, and propose fixes for vulnerabilities. The feature is available in a research preview to ChatGPT Pro, Enterprise, Business, and Edu customers via the Codex web with free usage for the next month. "It builds deep context about your project to identify complex vulnerabilities that other agentic tools miss, surfacing higher-confidence findings with fixes that meaningfully improve the security of your system while sparing you from the noise of insignificant bugs," the company said. Codex Security represents an evolution of Aardvark, which OpenAI unveiled in private beta in October 2025 as a way for developers and security teams to detect and fix security vulnerabilities at scale. Over the last 30 days, Codex Security has scanned more than 1.2 million commits across external repositories over the course of the beta, identifying 792 critical findings and 10,561 high-severity findings. These include vulnerabilities in various open-source projects like OpenSSH, GnuTLS, GOGS, Thorium, libssh, PHP, and Chromium, among others. Some of them have been listed below - According to the AI company, the latest iteration of the application security agent leverages the reasoning capabilities of its frontier models and combines them with automated validation to minimize the risk of false positives and deliver actionable fixes. OpenAI's scans on the same repositories over time have demonstrated increasing precision and declining false positive rates, with the latter falling by more than 50% across all repositories. In a statement shared with The Hacker News, OpenAI said Codex Security is designed to improve signal-to-noise by grounding vulnerability discovery in system context and validating findings before surfacing them to users. 
Specifically, the agent works in three steps: it analyzes a repository to understand the project's security-relevant structure and generates an editable threat model that captures what the system does and where it is most exposed. Once that system context is built, Codex Security uses it as a foundation to identify vulnerabilities and classifies findings based on their real-world impact. The flagged issues are then pressure-tested in a sandboxed environment to validate them. "When Codex Security is configured with an environment tailored to your project, it can validate potential issues directly in the context of the running system," OpenAI said. "That deeper validation can reduce false positives even further and enable the creation of working proofs-of-concept, giving security teams stronger evidence and a clearer path to remediation." The final stage involves the agent proposing fixes that best align with the system's existing behavior, so as to reduce regressions and make them easier to review and deploy. News of Codex Security comes weeks after Anthropic launched Claude Code Security to help users scan a software codebase for vulnerabilities and suggest patches.
[2]
OpenAI rolls out Codex Security to automate code security reviews
Why it matters: OpenAI is entering a growing market for AI-enabled code security tools -- escalating competition among both traditional application security vendors and rival AI labs.
Driving the news: Codex Security evolved from Aardvark, a security research agent that OpenAI began testing last year with a small group of customers.
* The platform analyzes code repositories, pressure-tests suspected vulnerabilities in sandboxed environments, generates proof-of-concept exploits to confirm impact, and proposes fixes.
* OpenAI is rolling out Codex Security as a research preview to Enterprise, Business and education customers starting today, allowing those customers to use the tool for free for the first month.
What they're saying: "We wanted to make sure that we're empowering defenders," Ian Brelinsky, a member of OpenAI's Codex Security team, told Axios.
By the numbers: OpenAI says Codex Security identified nearly 800 critical findings and more than 10,500 high-severity issues in external-facing code repositories during testing.
* The company has already used Codex Security to identify bugs across open-source projects like OpenSSH, GnuTLS, Chromium and more.
The big picture: As attackers weaponize AI models, frontier AI labs are increasingly rolling out new ways to help defenders beef up their own security.
* Anthropic made a similar move last month when it introduced Claude Code Security -- rattling share prices for traditional cybersecurity vendors.
Yes, but: Many security executives argue enterprises will likely continue to rely on a mix of vendors, rather than depend solely on the same AI platform provider to both build and secure their systems.
What's next: Code security is just one part of the broader cybersecurity ecosystem, and Brelinsky said that the company is eyeing ways to bring more agentic capabilities to defenders.
[3]
OpenAI Launches Codex Security Vulnerability Scanner
OpenAI unveiled Codex Security on Friday, an advanced application security tool that detects complex software vulnerabilities. Available in research preview to ChatGPT Enterprise, Business, and Edu users, it is free for the first month. Using OpenAI's frontier models, Codex Security builds detailed threat models for projects, prioritizing real-world risks and reducing false positives, allowing security teams to focus on critical issues. Originally released as a private beta named Aardvark, it identified severe flaws like cross-tenant authentication vulnerabilities and improved accuracy during testing, cutting noise by 84% and false positives by over 50%. In the past month, Codex Security scanned 1.2 million commits, finding 792 critical and 10,561 high-severity issues. OpenAI is also supporting open-source security by scanning major repositories, sharing high-confidence findings with maintainers, and reporting vulnerabilities in projects like OpenSSH, GnuTLS, and PHP. The company plans to expand its support to more open-source maintainers, offering tools and resources to enhance security measures across the ecosystem.
[4]
OpenAI Challenges Security Giants With New AI Agent | PYMNTS.com
"By combining agentic reasoning from our frontier models with automated validation, it delivers high-confidence findings and actionable fixes so teams can focus on the vulnerabilities that matter and ship secure code faster," OpenAI said in the post. OpenAI began rolling out Codex Security in research preview to ChatGPT Enterprise, Business and Edu customers via Codex web on Friday and will offer free usage for the next month, per the post. PYMNTS reported in July that a new category of tools is emerging. They are AI-first threat prevention platforms that don't wait for alerts but seek out weak points in code, configurations or behavior and take defensive action automatically. The solutions are being developed as AI-enabled tools, such as agentic AI systems and polymorphic malware, are accelerating cyberattacks, lowering barriers to entry for fraudsters and exposing gaps in traditional incident response and forensic models. The World Economic Forum said in January that it found that AI is expected to be the most consequential factor shaping cybersecurity strategies this year. It said 94% of surveyed executives cited the technology as a force multiplier for defense and offense. The WEF also highlighted how generative AI technologies are expanding the attack surface. In this environment, enterprises and investors are shifting toward autonomous remediation, PYMNTS reported in February. In some scenarios, defensive agents remove the need for human intervention on a specific class of vulnerability. In others, they compress triage and coordination, so engineers focus on higher-order judgment. In both cases, the common thread is speed, as human-speed remediation is no longer sufficient when AI-driven attackers operate in continuous loops.
OpenAI rolled out Codex Security, an AI-powered security agent that scans code repositories to identify and fix vulnerabilities. During beta testing, it analyzed 1.2 million commits and discovered 792 critical findings and 10,561 high-severity issues across major open-source projects. The tool is now available in research preview to Enterprise and Business customers with free usage for the first month.
OpenAI began rolling out Codex Security on Friday, marking a significant entry into the competitive market for AI-powered application security tools [2]. The AI-powered security agent is designed to find, validate, and propose fixes for software vulnerabilities across code repositories [1]. Available in research preview to ChatGPT Enterprise, Business, and Edu customers via Codex web, the platform offers free usage for the first month as OpenAI tests its capabilities with a broader user base [3].

Codex Security represents an evolution of Aardvark, which OpenAI unveiled in private beta in October 2025 as a way for developers and security teams to detect and fix security vulnerabilities at scale [1]. Ian Brelinsky, a member of OpenAI's Codex Security team, emphasized the defensive focus: "We wanted to make sure that we're empowering defenders" [2].

During beta testing over the last 30 days, Codex Security scanned more than 1.2 million commits across external repositories, identifying 792 critical findings and 10,561 high-severity findings [1]. These discoveries include vulnerabilities in various open-source projects like OpenSSH, GnuTLS, GOGS, Thorium, libssh, PHP, and Chromium [1]. The platform analyzes code repositories, pressure-tests suspected vulnerabilities in sandboxed environments, generates proof-of-concept exploits to confirm impact, and proposes fixes [2].

OpenAI is supporting open-source security by scanning major repositories, sharing high-confidence findings with maintainers, and reporting vulnerabilities in critical projects [3]. The company plans to expand its support to more open-source maintainers, offering tools and resources to enhance security measures across the ecosystem [3].

The AI agent leverages the reasoning capabilities of OpenAI's frontier models and combines them with automated validation to minimize the risk of false positives and deliver actionable fixes [1]. Using these frontier models, Codex Security builds detailed threat models for projects, prioritizing real-world risks and allowing security teams to focus on critical issues [3].

The agent works in three steps: it analyzes a repository to understand the project's security-relevant structure and generates an editable threat model that captures what it does and where it's most exposed [1]. Once the system context is built, Codex Security uses it as a foundation to identify vulnerabilities and classifies findings based on their real-world impact. The flagged issues are pressure-tested in a sandboxed environment to validate them [1]. The final stage involves proposing fixes that best align with system behavior to reduce regressions and make them easier to review and deploy [1].
Source: Hacker News
OpenAI's scans on the same repositories over time have demonstrated increasing precision and declining false positive rates, with the latter falling by more than 50% across all repositories [1]. Originally released as a private beta named Aardvark, it identified severe flaws like cross-tenant authentication vulnerabilities and improved accuracy during testing, cutting noise by 84% and reducing false positives by over 50% [3].

OpenAI stated that Codex Security is designed to improve signal-to-noise by grounding vulnerability discovery in system context and validating findings before surfacing them to users [1]. "By combining agentic reasoning from our frontier models with automated validation, it delivers high-confidence findings and actionable fixes so teams can focus on the vulnerabilities that matter and ship secure code faster," OpenAI said [4].
OpenAI is entering a growing market for AI-enabled code security tools, escalating competition among both traditional application security vendors and rival AI labs [2]. Anthropic made a similar move last month when it introduced Claude Code Security, rattling share prices for traditional cybersecurity vendors [2]. As attackers weaponize AI models, frontier AI labs are increasingly rolling out new ways to help defenders beef up their own security [2].

Many security executives argue enterprises will likely continue to rely on a mix of vendors, rather than depend solely on the same AI platform provider to both build and secure their systems [2]. However, a new category of AI-first threat prevention platforms is emerging that don't wait for alerts but seek out weak points in code, configurations or behavior and take defensive action automatically [4]. The World Economic Forum found in January that AI is expected to be the most consequential factor shaping cybersecurity strategies this year, with 94% of surveyed executives citing the technology as a force multiplier for defense and offense [4].

Source: Axios
Enterprises and investors are shifting toward autonomous remediation as human-speed remediation is no longer sufficient when AI-driven attackers operate in continuous loops [4]. Brelinsky indicated that code security is just one part of the broader cybersecurity ecosystem, and the company is eyeing ways to bring more agentic capabilities to defenders [2]. In scenarios where defensive agents remove the need for human intervention on specific vulnerability classes, or compress triage and coordination so engineers focus on higher-order judgment, the common thread is speed [4].