
Codex CLI - Your Little Coding Pet


While casually scrolling through X (formerly Twitter) last week, a tweet from Sam Altman caught my attention. He introduced Codex, a lightweight CLI agent recently launched by OpenAI, built on top of their o3 and o4-mini models. Naturally, I was curious.

During one of our weekly security meetup forums, I decided to give Codex a spin. (If you're into tech and security, feel free to join us on our Discord forum.)

Getting Started with Codex

Setting up Codex is refreshingly straightforward. Here's how you can get started:

Install it from npm, then make your OpenAI API key available to it: export it for the current shell session, or set it in your shell configuration file or a project environment file (a .env that you keep out of version control), depending on your use case.

npm install -g @openai/codex

To build from source, follow these steps:

  1. Clone the repository and navigate to the CLI package:

     git clone https://github.com/openai/codex.git
     cd codex/codex-cli
    
  2. Enable corepack:

     corepack enable
    
  3. Install dependencies and build:

     pnpm install
     pnpm build
    
  4. Get usage and options:

     node ./dist/cli.js --help
    
  5. Run the locally built CLI directly:

     node ./dist/cli.js
    
  6. Or link the command globally for convenience:

     pnpm link
    

You can generate the API key by visiting OpenAI’s platform settings page.

Note: Codex consumes API credits for every call it makes to OpenAI's models, so you need an account with billing enabled.

First Experiments with Codex

Once everything was ready, we started experimenting. One of our first prompts was:

codex "Write a Python script to serialize and deserialize objects in Python."

You can also specify which model Codex should use for generating or reviewing code, which gives you flexibility depending on the task.

codex -m o3 "<prompt>"
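The serialization prompt above is a useful first test from a security standpoint, because the shortest Python answer is pickle, and pickle.loads on untrusted bytes runs whatever callable the data names. The following is an added example (not Codex output and not code from the original post) of what to check in such an answer: a constructed payload that executes on load, the naive loader that runs it, a restricted Unpickler that allow-lists one class, and a schema-checked JSON round-trip as the preferred replacement. The Config class and the _Payload object are constructed for illustration; os.getcwd stands in for os.system so the demo stays harmless.

```python
"""Added example: what to look for in a pickle-based answer to the
'serialize and deserialize objects' prompt, with a hardened alternative."""
import io
import json
import os
import pickle


class Config:
    """Constructed data object of the kind such a script would round-trip."""

    def __init__(self, name, debug=False):
        self.name = name
        self.debug = debug

    def __eq__(self, other):
        return isinstance(other, Config) and vars(self) == vars(other)

    # Preferred path: explicit, schema-bound JSON instead of pickle.
    def to_json(self):
        return json.dumps({"name": self.name, "debug": self.debug})

    @classmethod
    def from_json(cls, text):
        data = json.loads(text)
        if not isinstance(data.get("name"), str) or not isinstance(data.get("debug"), bool):
            raise ValueError("malformed Config document")
        return cls(data["name"], data["debug"])


class _Payload:
    """Constructed attacker object. pickle stores the callable returned by
    __reduce__ and calls it during loads(); os.getcwd stands in for os.system."""

    def __reduce__(self):
        return (os.getcwd, ())


def unsafe_load(blob):
    """What a naive answer to the prompt does: pickle.loads on untrusted bytes."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """If pickle cannot be avoided, refuse every global except an explicit allow-list."""

    ALLOWED = {(Config.__module__, "Config")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return Config
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def safe_load(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def demo():
    """Run both loaders on a benign and a malicious blob; every value should be True."""
    benign = pickle.dumps(Config("prod", debug=False))
    malicious = pickle.dumps(_Payload())  # constructed payload
    results = {}
    results["unsafe_benign"] = unsafe_load(benign) == Config("prod")
    # The naive loader returns the *result of calling os.getcwd*: code ran on load.
    results["unsafe_malicious"] = unsafe_load(malicious) == os.getcwd()
    results["safe_benign"] = safe_load(benign) == Config("prod")
    try:
        safe_load(malicious)
        results["safe_malicious_blocked"] = False
    except pickle.UnpicklingError:
        results["safe_malicious_blocked"] = True
    results["json_roundtrip"] = Config.from_json(Config("prod").to_json()) == Config("prod")
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

If the generated script reaches for pickle, the review question is whether the data ever crosses a trust boundary (a file another user can write, a cache, a queue message); if it does, the JSON path or a restricted unpickler is the remediation to ask for.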

To spice things up from a security engineer’s perspective, we decided to test Codex in a real-world scenario:

  • Cloned the WebGoat repository, a well-known, deliberately insecure application used for learning web application security and code review.

  • Then, asked Codex to perform a security code review on the repo.

  • To our surprise, Codex:

    • Prepared a security report.

    • Identified the application as intentionally vulnerable.

    • Listed vulnerabilities along with recommendations for remediation.

We then expanded its use to identifying security misconfigurations in a pod.yaml file, performing taint analysis, preparing a SARIF report, and running software composition analysis (SCA) inside a virtualenv.

With local git repositories, you can ask Codex to write code, explain code, perform linting, generate test cases, examine the codebase to raise PRs, and conduct code reviews. It can also run headless in your pipelines, for example as a GitHub Actions step like this:

- name: Update readme.md in codex
  run: |
    npm install -g @openai/codex
    # The key comes from a repository secret; never hard-code it in the workflow file.
    export OPENAI_API_KEY="${{ secrets.OPENAI_KEY }}"
    # auto-edit lets Codex modify files without prompting; --quiet suppresses the interactive UI.
    codex -a auto-edit --quiet "update readme.md"

Because auto-edit gives the agent write access to the checkout with no confirmation prompt, run it on a branch and review the resulting diff before merging, and scope the API key secret to just this workflow.

As models improve and their capabilities expand, I can see it becoming a valuable tool for developers and security engineers alike, helping them write, test, and review code faster and smarter.

Could Codex eventually become a viable alternative to traditional SAST tools?
Maybe. It’s early days, but the potential is there. Let’s wait and watch. 😉

References:

Codex CLI: https://github.com/openai/codex