Codex Security Review
Purpose
Use this skill to perform security-focused review of code changes, identifying vulnerabilities aligned with OWASP Top 10 2021 and common CWE patterns.
Prerequisites
- Working directory with source code
- Optional: dependency manifest files (package.json, requirements.txt, go.mod) for supply chain analysis
codexCLI is installed and authenticatedcodex-reviewskill pack is installed (npx github:lploc94/codex_skill)
Runner
RUNNER="{{RUNNER_PATH}}"
Workflow
- Ask user to choose review effort level:
low,medium,high, orxhigh(default:high). Ask review scope:working-tree(uncommitted changes),branch(branch diff), orfull(entire codebase). SetEFFORTandSCOPE. - Build prompt from
references/prompts.md(Security Review Prompt with OWASP checklist). - Start round 1 with
node "$RUNNER" start --working-dir "$PWD" --effort "$EFFORT". - Poll with adaptive intervals (Round 1: 60s/60s/30s/15s..., Round 2+: 30s/15s...). After each poll, report specific activities from poll output (e.g. which files Codex is analyzing, what vulnerability patterns it's checking). See
references/workflow.mdfor parsing guide. NEVER report generic "Codex is running" — always extract concrete details. - Parse security findings with
references/output-format.md(includes CWE/OWASP mappings). - Fix valid vulnerabilities in code; rebut false positives with evidence.
- Resume debate via
--thread-iduntilAPPROVEor stalemate. - Return final security assessment with risk summary.
Effort Level Guide
| Level | Depth | Best for |
|----------|-------------------|---------------------------------|
| low | Common patterns | Quick security sanity check |
| medium | OWASP Top 10 | Standard security review |
| high | Deep analysis | Pre-production security audit |
| xhigh | Exhaustive | Critical/regulated systems |
Scope Guide
| Scope | Coverage | Best for |
|----------------|------------------------------------|-----------------------------|
| working-tree | Uncommitted changes only | Pre-commit security check |
| branch | Branch diff vs base | Pre-merge security review |
| full | Entire codebase | Security audit |
Security Categories Covered
OWASP Top 10 2021
- A01:2021 - Broken Access Control
- A02:2021 - Cryptographic Failures
- A03:2021 - Injection (SQL, Command, XSS, etc.)
- A04:2021 - Insecure Design
- A05:2021 - Security Misconfiguration
- A06:2021 - Vulnerable and Outdated Components
- A07:2021 - Identification and Authentication Failures
- A08:2021 - Software and Data Integrity Failures
- A09:2021 - Security Logging and Monitoring Failures
- A10:2021 - Server-Side Request Forgery (SSRF)
Additional Security Checks
- Secrets/credentials in code
- Hardcoded passwords and API keys
- Insecure random number generation
- Path traversal vulnerabilities
- XML External Entity (XXE) attacks
- Insecure deserialization
- Missing security headers
- CORS misconfigurations
Output Format
Each security finding includes:
- CWE ID: Common Weakness Enumeration identifier
- OWASP Category: OWASP Top 10 2021 mapping
- Severity:
critical,high,medium,low - Confidence:
high,medium,low(static analysis confidence) - Attack Vector: How the vulnerability could be exploited
- Suggested Fix: Secure code example
See references/output-format.md for complete specification.
Important Limitations
This is static analysis only:
- ✅ Can detect: Code patterns, hardcoded secrets, common vulnerabilities
- ❌ Cannot detect: Runtime behavior, memory leaks (need profiling), zero-days
- ⚠️ Heuristic: Findings are AI-generated suggestions, not guaranteed vulnerabilities
Always:
- Verify findings manually before treating as confirmed vulnerabilities
- Run dynamic security testing (DAST) for runtime issues
- Use dedicated tools for dependency scanning (Snyk, Dependabot)
- Consult security experts for critical systems
Required References
- Detailed execution:
references/workflow.md - Prompt templates:
references/prompts.md - Output contract:
references/output-format.md
Rules
- Codex reviews only; it does not edit files
- Mark all findings with confidence level (high/medium/low)
- Provide CWE and OWASP mappings for all vulnerabilities
- Include attack vector explanation for each finding
- If stalemate persists, present both sides and defer to user
- Never claim 100% security coverage - static analysis has limits
Scan to join WeChat group