Primary navigation

Propose security hardening

Develop evidence-backed structural security improvements, compare tradeoffs, and prepare an implementation handoff.

Use $codex-security:propose-security-hardening to turn a collection of security evidence into structural or architectural hardening options. The workflow can analyze a completed Codex Security scan or start from supplied findings, disclosure reports, incident reviews, assessment documents, and source code.

The result is a design portfolio, not a patch, and doesn’t prove that it fixes a vulnerability. Codex changes the repository only after you select an option and explicitly ask it to make that change.

Prepare the evidence

Provide the workflow with:

  • A scan directory or an explicit collection of findings and reports.
  • The target source tree and relevant revision or snapshot when available.
  • PoCs, traces, incident evidence, or assessment material that supports the findings.
  • Constraints for performance, memory, compatibility, reliability, operations, delivery time, or change scope.

The workflow uses the evidence to identify repeated broken invariants, dispersed controls, privileged choke points, weak isolation boundaries, and recurring remediation patterns. It can also conclude that local fixes are more proportionate than an architectural change.

Run the workflow

Send a prompt like:

Use $codex-security:propose-security-hardening to analyze [scan directory or finding paths] against [source tree and revision]. Develop evidence-backed structural hardening options with engineering tradeoffs, before-and-after diagrams, a migration plan, and an implementation handoff. Do not modify the repository.

Review the portfolio

A useful portfolio should:

  • Connect each proposed change to concrete findings, source, and threat-model evidence.
  • Describe the current design and the security invariants the new design should preserve.
  • Compare distinct options, including residual risk, performance, reliability, operations, compatibility, and migration cost.
  • Recommend an option only when the evidence supports it, with explicit assumptions and open questions.
  • Include rollout, validation, rollback, and implementation guidance.
  • Separate observed facts, inferences, and proposed design properties.

Review the evidence and tradeoffs before choosing an option. An architecture diagram or design recommendation doesn’t replace validation of the original findings or the implemented fix.

Use hardening guidance from a scan

When a standard, deep, or change scan has reportable findings, Codex runs this workflow once after the detailed vulnerability reports are ready. It writes the portfolio to hardening/hardening.md, structured analysis to hardening/hardening.json, and supporting proposals or diagrams under hardening/. The scan links the portfolio from report.md.

Keep the full scan directory together so those links remain usable. To review the individual reports that inform the portfolio, see Write vulnerability reports.