OpenAI’s Codex Security Uncovers Over 10,500 High-Severity Issues in Software Commits


By Tina Reynolds


OpenAI has released an updated version of Codex Security, its application security agent. The tool has already scanned 1.2 million commits and found 10,561 high-severity issues. This adversarial agent combines the reasoning capabilities of OpenAI’s frontier models with automated validation of its findings to improve software security. The new features specifically address false positives while delivering prioritized, easy-to-act-on fixes to developers.

Coverage of public repositories has expanded considerably. OpenAI’s earlier scans already showed strong precision; the updated agent goes further, cutting false-positive rates by 51% across all scanned repositories. This is a substantial step forward in the agent’s precision and trustworthiness.

How OpenAI’s Agent Works

OpenAI’s security agent takes a three-step approach to auditing a codebase for vulnerabilities. First, it scans the GitHub repository to establish a baseline of the project’s security-sensitive structure. This foundational analysis is what later lets it pinpoint potential weaknesses in the code.

Second, it produces an editable threat model that documents the project’s functionality and points out where the exposure lies. Even this basic model gives developers an understandable view of where their system is most likely to be vulnerable.

Finally, the agent provides actionable remediation recommendations for each detected vulnerability. As OpenAI notes, “When Codex Security is configured with an environment tailored to your project, it can validate potential issues directly in the context of the running system.”

Enhancements in Precision and Reliability

OpenAI’s incorporation of user feedback into the scanner reflects its commitment to improving precision. OpenAI’s most recent scans of the repositories show higher accuracy across the board along with a significant drop in false-positive rates. This reduction in noise lets developers concentrate on high-impact vulnerabilities rather than being overwhelmed by low-value findings.

The agent builds rich context for each project, which gives it the ability to find complex vulnerabilities that other tools miss. As OpenAI puts it, “It builds deep context about your project to identify complex vulnerabilities that other agentic tools miss, surfacing higher-confidence findings with fixes that meaningfully improve the security of your system while sparing you from the noise of insignificant bugs.”

Competing Solutions in the Market

OpenAI is not the only company making innovative developments in this space. Anthropic has already released Claude Code Security, a tool that lets open source developers scan their codebases for known vulnerabilities and recommends patches to mitigate them. This competitive environment underscores the demand for sound security practices throughout the software development lifecycle.

It is worth noting that a number of the findings in these repositories have since been recognized with specific CVEs: GnuPG (CVE-2026-24881 and CVE-2026-24882), GnuTLS (CVE-2025-32988 and CVE-2025-32989), Gogs (CVE-2025-64175 and CVE-2026-25242), and Thorium, which received several CVEs ranging from CVE-2025-35430 to CVE-2025-35436.