OpenAI Unveils Codex Security AI Agent for Vulnerability Detection

OpenAI has launched Codex Security, an AI agent that scans code for vulnerabilities. During its beta, the tool analyzed over 1.2 million commits and reported 792 critical vulnerabilities and 10,561 serious issues in popular open-source projects. Codex Security is currently available as a research preview to ChatGPT Pro, Enterprise, Business, and Edu subscribers, with the first month free.

Codex Security builds on the earlier Aardvark project, which entered closed beta in October 2025. Aardvark was intended as an autonomous assistant for developers and security teams, capable of finding and fixing vulnerabilities in large codebases. In internal testing, Aardvark identified a real Server-Side Request Forgery (SSRF) vulnerability and a critical authentication bypass, both of which OpenAI fixed promptly.

What distinguishes Codex Security from a traditional static analyzer is its workflow. Rather than pattern-matching the code directly, it first reads the repository and builds a threat model specific to that project; security teams can review this threat model and adjust it to their own priorities. OpenAI says this project context lets the agent find complex vulnerabilities that other tools miss, and that its findings come with precise locations and ready-made fixes.

Every detected vulnerability is then validated in a sandbox before it is reported, which filters out candidates that cannot actually be triggered. OpenAI reports that over the course of the beta the false-positive rate fell by more than 50% across all repositories, and irrelevant findings dropped by as much as 84% in some of them.
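The find-then-confirm pattern described above, in miniature, as an added example written for this page (it is not OpenAI's Codex Security code and says nothing about how that product is built). Two constructed URL validators, `allow_url_naive` and `allow_url_hardened`, stand in for code under review; each `Candidate` is a scanner-style SSRF finding that carries the reproducer payload it rests on, and `triage` reports a finding only if the payload really gets through. All function and class names here are hypothetical.

```python
# Added example (not OpenAI's code): "find, then confirm in a sandbox".
# A candidate SSRF finding is kept only if its reproducer succeeds against
# the code it targets; candidates whose payload is rejected are dropped as
# false positives.
from dataclasses import dataclass
from typing import Callable, List
from urllib.parse import urlparse

ALLOWED_HOST = "api.example.com"  # constructed allowlist target


def allow_url_naive(url: str) -> bool:
    """Constructed vulnerable validator: a string prefix check only."""
    return url.startswith(f"https://{ALLOWED_HOST}")


def allow_url_hardened(url: str) -> bool:
    """Constructed hardened validator: parse the URL, compare the host exactly."""
    p = urlparse(url)
    if p.scheme != "https":
        return False
    if p.hostname != ALLOWED_HOST:
        return False
    return p.port in (None, 443)  # p.port raises ValueError on a malformed port


@dataclass(frozen=True)
class Candidate:
    """A finding as a scanner might emit it, plus the reproducer behind it."""
    title: str
    target: Callable[[str], bool]  # validator under test; True means the fetch would proceed
    payload: str                   # attacker-controlled URL the finding claims is accepted


def confirm(c: Candidate) -> bool:
    """Execute the reproducer. True = confirmed bypass; False = false positive.

    A real harness would run this inside an isolated sandbox (container, no
    network) so a buggy or hostile target cannot harm the triage host. The
    targets here are trusted constructed functions, so an in-process call with
    exception handling is enough to show the decision logic.
    """
    try:
        return bool(c.target(c.payload))
    except Exception:
        return False  # the target crashed rather than accepted the URL: not a bypass


def triage(candidates: List[Candidate]) -> List[Candidate]:
    """Keep only candidates whose reproducer actually succeeds."""
    return [c for c in candidates if confirm(c)]


# Constructed candidate findings: two genuine bypasses of the naive check, the
# same payloads aimed at the hardened check, and one malformed-port probe.
CANDIDATES = [
    Candidate("naive: host suffix", allow_url_naive, "https://api.example.com.attacker.net/"),
    Candidate("naive: userinfo trick", allow_url_naive, "https://api.example.com@169.254.169.254/"),
    Candidate("hardened: host suffix", allow_url_hardened, "https://api.example.com.attacker.net/"),
    Candidate("hardened: userinfo trick", allow_url_hardened, "https://api.example.com@169.254.169.254/"),
    Candidate("hardened: malformed port", allow_url_hardened, "https://api.example.com:abc/"),
]


def confirmed_titles() -> List[str]:
    """Titles of the findings that survive sandbox confirmation."""
    return [c.title for c in triage(CANDIDATES)]


if __name__ == "__main__":
    for c in CANDIDATES:
        print(("CONFIRMED " if confirm(c) else "DROPPED   ") + c.title)
```

Only the two findings against the naive validator survive: the suffix and userinfo payloads both start with the allowed prefix, so the naive check lets them through, while `urlparse` resolves the real host (`api.example.com.attacker.net`, `169.254.169.254`) and the hardened check rejects them. The malformed-port probe makes the hardened validator raise, which the harness records as a rejection rather than a bypass; a scanner that reported any of the three hardened-target candidates would have produced a false positive.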

Among the vulnerabilities discovered by Codex Security are issues in widely used software such as OpenSSH, GnuTLS, GOGS, Thorium, libssh, PHP, and Chromium. Some of these findings have already been assigned CVE identifiers, including CVE-2025-32988 and CVE-2025-32989 for GnuTLS, CVE-2025-64175 and CVE-2026-25242 for GOGS, as well as a series of CVEs for Thorium (CVE-2025-35430 – CVE-2025-35436).

In the final stage, the agent proposes patches that take the system's behavior into account, with the aim of minimizing the risk of the vulnerability recurring. Developers can review and apply these fixes directly from the interface. Alongside the launch, OpenAI announced the Codex for OSS program, which gives maintainers of open-source projects free ChatGPT Pro accounts and access to Codex Security.

The launch comes just weeks after competitor Anthropic released its own tool, Claude Code Security. With Codex Security, OpenAI enters a fast-growing field of AI-driven security tooling and raises the bar for its competitors.
