An application security agent that helps you secure your codebase by finding vulnerabilities, validating them, and proposing fixes you can review and apply. Teams can focus on the vulnerabilities that matter and ship code faster.
After dealing with those npm postinstall attacks lately, seeing an agent that actually validates findings is a massive relief. Most tools just spam false positives until you kill the notifications. Does this catch transitive dependency stuff too, or just first-party code?
Security reviews are still one of the biggest bottlenecks in software development, so having an AI agent that can automatically find and validate vulnerabilities feels like a very practical step forward.
I like the focus on suggesting fixes instead of just flagging issues. Curious how Codex Security prioritizes which vulnerabilities matter most in large codebases.
Congrats on the launch.
The pace of releases is wild, but 5.4 actually earns it. The native computer-use feature alone changes how I think about delegating tasks. Less "AI assistant," more "AI coworker."
Security is always the last thing indie hackers think about until it's too late. This is exactly the kind of tool that should be default in every solo builder's stack. Upvoted and congrats on the launch!
Security is one of the few domains where an agent-first approach genuinely makes more sense than a human-first one. Humans reviewing security alerts at scale is already broken. Most teams either drown in false positives or miss real vulnerabilities because the volume is impossible to keep up with.
Alan's question about transitive dependencies is the right one. The npm supply chain attacks proved that the real risk lives in the dependency tree, not your first-party code. If the agent can trace vulnerability chains through transitive deps and actually validate whether they're exploitable in your specific context, that's a massive upgrade over "here's a list of 200 CVEs, good luck."
The "validates findings" part is what matters most here. Every other security tool gives you a list. The hard part is knowing which ones actually matter.
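The two comments above ask whether findings extend past first-party code into the dependency tree, and point at npm install-script attacks as the case that matters. As an added illustration (not Codex Security's code, and not code from the original post), the script below walks an npm `package-lock.json` (lockfileVersion 2 or 3, where npm records `hasInstallScript: true` for any package with a preinstall, install or postinstall script), resolves each dependency the way npm's nested `node_modules` lookup does, and reports every package that declares an install script together with the chain of dependencies that pulls it in. The lockfile and all package names in it are constructed for the demo.

```javascript
// Added example: find install-script packages anywhere in an npm dependency tree
// and show the chain (direct dep -> ... -> package) that introduces each one.
// Not Codex Security's code. The lockfile below is constructed; names are made up.

const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    // Root entry lists the app's direct dependencies.
    "": { name: "demo-app", dependencies: { "web-framework": "^4.0.0", "color-lib": "^2.0.0" } },
    "node_modules/web-framework": { version: "4.1.0", dependencies: { "http-helper": "^1.0.0" } },
    "node_modules/http-helper": { version: "1.2.0", dependencies: { "native-tls-shim": "^0.3.0" } },
    // Three levels deep, and it runs code at install time.
    "node_modules/native-tls-shim": { version: "0.3.1", hasInstallScript: true },
    "node_modules/color-lib": { version: "2.0.0", dependencies: { "string-tools": "^5.0.0" } },
    // Nested copy shadows the hoisted one for color-lib; only the nested copy has a script.
    "node_modules/color-lib/node_modules/string-tools": { version: "5.0.1", hasInstallScript: true },
    "node_modules/string-tools": { version: "6.0.0" },
  },
};

// Resolve `depName` as required from the package at `fromPath`: look in the
// requiring package's own node_modules, then walk up one node_modules level at
// a time until the hoisted top-level copy. Returns the lockfile key or null.
function resolveDep(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${depName}` : `node_modules/${depName}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Breadth-first walk from the root so each package is reported with the
// shortest chain that reaches it. Packages not reachable from the root
// (e.g. the hoisted string-tools@6.0.0 above) are ignored: npm never
// installs them for this app.
function findInstallScriptChains(lock) {
  const packages = lock.packages;
  const findings = [];
  const seen = new Set();
  const queue = [{ path: "", chain: [] }];
  for (let i = 0; i < queue.length; i++) {
    const { path, chain } = queue[i];
    if (seen.has(path)) continue;
    seen.add(path);
    const entry = packages[path];
    if (!entry) continue;
    if (entry.hasInstallScript) {
      findings.push({ path, version: entry.version, chain, transitive: chain.length > 1 });
    }
    for (const depName of Object.keys(entry.dependencies || {})) {
      const depPath = resolveDep(packages, path, depName);
      if (depPath !== null) queue.push({ path: depPath, chain: [...chain, depName] });
    }
  }
  return findings.sort((a, b) => a.path.localeCompare(b.path));
}

// Human-readable lines, one per finding.
function formatReport(findings) {
  return findings.map(
    (f) => `${f.transitive ? "TRANSITIVE" : "DIRECT    "} ${f.chain.join(" -> ")}@${f.version} has an install script (${f.path})`
  );
}

for (const line of formatReport(findInstallScriptChains(SAMPLE_LOCK))) console.log(line);
```

Every hit here is transitive, which is the point the comments make: the app's own `package.json` never mentions `native-tls-shim` or `string-tools@5.0.1`, yet both run code on `npm install`. A real lockfile is read with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` in place of `SAMPLE_LOCK`; confirming that a flagged script is actually malicious, rather than a legitimate native build step, is the validation work the product page describes and is out of scope for this walk.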
Been experimenting with GPT-4.5 and the consistency in multi-step reasoning feels noticeably better. It handles longer contexts and complex prompts more gracefully. Curious to see what builders create with this.