This repository contains security-oriented Codex skills and documentation. It is not an executable scanner, but incorrect guidance or misleading defaults can still create risk.
codex-sentinel provides advisory security guidance and checkpoint offers. It does not certify a repository as secure, fully reviewed, or production-ready.
- Do not post sensitive exploit details, live secrets, or private customer information in a public issue.
- Use GitHub private vulnerability reporting or a repository security advisory when it is enabled for this repository.
- If private reporting is not enabled yet, open a minimal public issue without exploit details and request a secure contact path from the maintainer.
- guidance that could cause dangerous false negatives
- prompts or rules that encourage unsafe default behavior
- examples that normalize insecure coding patterns
- metadata or docs that make users think the suite certifies security
- vulnerabilities in third-party tools that are only mentioned as examples
- general secure coding debates without a concrete issue in this repository
- Keep private reports in GitHub security advisories when possible so triage stays tied to the repository history.
- If a public issue is needed to start contact, keep it minimal and move exploit details to a private channel before sharing reproducer data.