# Fix and verify security findings

Codex Security helps you turn a backlog of accepted findings into tested code
changes. You can fix findings in the findings workspace UI or invoke the
remediation workflow from a prompt, the command line, or CI/CD. In each case,
Codex validates the issue, proposes a focused patch, adds regression coverage,
and verifies that legitimate behavior still works.

Start by fixing one accepted finding so you can evaluate the patch and
verification quality. Once the workflow meets your standards, scale it across
more accepted findings by processing each finding in a separate task or CI/CD
job. Keeping each fix scoped makes the code changes and evidence easier to
review.

## Fix a finding in the UI

Open an accepted finding in the findings workspace to generate, review, apply,
and verify its patch.

<WorkflowSteps variant="headings">

1. Generate a focused patch

   Open the finding, select the **Patch** tab, and select **Generate patch**.
   Codex validates or reproduces the issue when feasible and writes a patch
   artifact without modifying the selected checkout.

2. Review the proposed diff

   Read every changed source and regression-test file. Use **Open diff in
   editor** when you want the full patch in the editor. Reject broad refactors,
   unrelated cleanup, or changes that weaken another security control.

3. Apply the patch locally

   Select **Apply patch locally** only after the diff is acceptable. Codex
   applies the exact generated patch to the working tree and records that state.
   Review the working-tree diff before continuing.

4. Verify the fix

   Select **Verify fix**. Codex reruns the original reproducer or strongest
   available exploit check, focused regression coverage, legitimate-behavior
   checks, nearby bypass checks, and relevant repository tests.

5. Close the finding deliberately

   Verification doesn't automatically close a finding. Review the commands,
   results, and remaining proof gap, then close the finding with an accurate
   reason or keep it open for more work.

</WorkflowSteps>

<figure className="not-prose my-8">
  <div className="overflow-hidden rounded-xl border border-subtle bg-surface">
    <img
      src={fixFindingPatch.src}
      alt="Codex Security proposed patch for an accepted finding"
      className="block h-auto w-full"
    />
  </div>
  <figcaption className="mt-3 text-sm text-secondary">
    Review the proposed source and test changes before applying the patch
    locally.
  </figcaption>
</figure>

## Fix a finding from the CLI

Use the Codex CLI when you already have a finding from a scan, ticket, advisory,
disclosure, security assessment, or internal review:

The commands below assume Codex Security is already installed in the
`CODEX_HOME` used by `codex exec`. A fresh CI runner doesn't have marketplace
plugins installed by default.

```text
Use $codex-security:fix-finding to fix finding <finding-id> from <report-path>. Validate the issue, make the smallest safe change, add focused regression coverage, and verify that the issue no longer reproduces.
```

Include the known source, sink, attacker input, impact, expected invariant,
reproducer, affected files, and validation command. Codex can inspect the
repository for missing technical details, but it should ask before guessing a
product policy or intended security invariant.

For an automated run, pass the prompt to `codex exec` after checking out the
code, making the finding report available, and provisioning the plugin in that
`CODEX_HOME`:

```bash
codex exec 'Use $codex-security:fix-finding to fix finding <finding-id> from <report-path>. Validate the issue, make the smallest safe change, add focused regression coverage, and verify that the issue no longer reproduces.'
```

## Scan and fix findings in CI/CD

Provision Codex Security in the runner's `CODEX_HOME` before invoking these
skills. The command below uses the installed plugin; it doesn't install the
plugin itself.

In CI/CD, use one Codex run to scan the diff and generate fixes for every
finding it discovers. The job doesn't need finding IDs or report paths as
inputs. Codex carries the findings from the scan into remediation within the
same run.

The all-in-one run should:

1. Resolve the base and head revisions for the change.
2. Run `$codex-security:security-diff-scan` against that diff.
3. Invoke `$codex-security:fix-finding` for every finding returned by the scan.
4. Generate focused patches and regression coverage, then verify each fix.
5. Return the scan results, patches, tests, verification commands, and any
   finding it couldn't fix.

For example:

```bash
codex exec 'Use $codex-security:security-diff-scan to review changes from <base-revision> to HEAD. For every finding returned by the scan, use $codex-security:fix-finding to generate and verify a minimal fix. Continue until every finding has either a verified fix or an explicit explanation of why it could not be fixed. Return the scan results, patches, tests, verification commands, and remaining failures.'
```

After verification, merge the patch through your normal code-review and release
process. To hand findings to another team before remediation, see [Export or
track findings](https://learn.chatgpt.com/docs/security/plugin/export-findings).