---
type: "Evidence Item"
title: "Why Codex Security Doesn’t Include a SAST Report"
description: "A deep dive into why Codex Security doesn’t rely on traditional SAST, instead using AI-driven constraint reasoning and validation to find real vulnerabilities with fewer false positives."
resource: "https://openai.com/index/why-codex-security-doesnt-include-sast"
tags: ["appendix-iii", "vendor", "openai"]
timestamp: "2026-03-16"
category: "vendor"
publisher: "OpenAI"
cope_score: 74
confidence: 0.9
---

# Why Codex Security Doesn’t Include a SAST Report

# Claim

A deep dive into why Codex Security doesn’t rely on traditional SAST, instead using AI-driven constraint reasoning and validation to find real vulnerabilities with fewer false positives.

# Relevance

Appendix III, section two: vendor threshold and platform capability evidence

# Oracle Verdict

This is a lower-to-mid strength vendor signal for the capability register. It does not prove displacement on its own, but it records another platform step that can later show up as workflow automation, procurement change, or organisational dependency.

# Metadata

* Publisher: OpenAI
* Category: vendor
* Sector: Software engineering
* Capability: Autonomous software engineering and computer-use agents
* Cope score: 74
* Confidence: 0.9

# Related Concepts

* [Live evidence index](index.md)
* [Thesis](../thesis.md)

# Citations

[1] [Why Codex Security Doesn’t Include a SAST Report](https://openai.com/index/why-codex-security-doesnt-include-sast)
