Overview
- Access is limited to a private beta with select partners as the company tunes detection accuracy, validation steps, and reporting.
- When connected to a repository, the agent models the codebase, scans new commits, validates suspected issues in a sandbox, prioritizes severity, and attaches Codex-generated fixes for human approval.
- OpenAI reports 92% recall on internal benchmark repositories and says the system can also surface logic and privacy issues alongside security flaws.
- Early use on open-source projects led to multiple responsible disclosures, with ten findings assigned CVE identifiers, and the company plans pro-bono scanning for some noncommercial repositories.
- The approach relies on LLM reasoning rather than traditional techniques like fuzzing or software composition analysis, with a defender-first framing aimed at continuous, proactive protection.