OpenAI opens Codex Security research preview for repository security workflows
Original: Codex Security now in research preview
On March 6, 2026, OpenAI introduced Codex Security in research preview. The product extends the Codex agent workflow into application security by giving teams a way to scan repositories, inspect code changes, reason over threat models, reproduce bugs, validate fixes, and propose patches from the same interface.
OpenAI says the system was designed for development teams that want more than static findings. Instead of only surfacing alerts, Codex Security can pull in repository context, review the code path around a finding, attempt to reproduce the issue, and return remediation guidance that developers can verify inside existing engineering workflows. The company also says the agent supports open source projects as well as private GitHub repositories.
What OpenAI reported
- Across OpenAI’s internal benchmark set, total security-review noise dropped by 84%.
- Over-reported severity fell by more than 90%.
- False positives were reduced by more than 50%.
- OpenAI says Codex Security has scanned 1.2 million commits from the last 30 days and surfaced 792 critical and 10,561 high-severity findings.
The announcement also included concrete disclosure examples. OpenAI said the system helped identify critical vulnerabilities that were reported to maintainers of projects including OpenSSH and the Linux kernel. That matters because it suggests the company is trying to show end-to-end utility: discovery, validation, reporting, and repair, not just ranking issues from an existing scanner.
Availability is limited for now. OpenAI says research preview access starts with ChatGPT Pro, Enterprise, Business, and Edu users through the Codex web surface, with free usage during the first month. For engineering organizations, the larger signal is that model vendors are moving beyond code generation into software assurance, where precision and triage quality matter as much as raw model fluency.