CDX-301f · Module 3

Vulnerability Scanning & Compliance

Vulnerability scanning for Codex Cloud operates at two levels: the base image and the task output. Base image scanning checks the custom sandbox image for known CVEs in system packages, runtime versions, and pre-installed tools. This runs during image build and blocks deployment of images with critical vulnerabilities. Task output scanning checks the code generated by the agent for vulnerable dependency versions, insecure patterns (hardcoded credentials, SQL injection, XSS), and license compliance issues. This runs as a post-task step before the results are made available for review.

Compliance frameworks (SOC 2, ISO 27001, HIPAA, FedRAMP) require evidence that AI-generated code is subject to the same security controls as human-written code. For Codex Cloud, this means: access control (who can submit tasks), audit logging (what did each task do), data protection (no sensitive data in prompts or logs), vulnerability management (scanning of generated code), and change management (all changes go through PR review). The review-gate pattern — where every cloud task output goes through a PR — satisfies change management requirements without additional tooling.

# Vulnerability scanning pipeline

Base image build:
  1. Build custom image from Dockerfile
  2. Scan with Trivy/Grype for CVEs
  3. Block if critical/high CVEs found
  4. Push to registry only if scan passes
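The build-time gate in steps 2 to 4, as an added example (not Codex Cloud's or Trivy's own code): it reads a Trivy JSON report, counts findings by severity, and decides whether the image may be pushed. It assumes the report came from `trivy image --format json`, whose shape is `{"Results": [{"Target": ..., "Vulnerabilities": [...]}]}` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion` and `Severity` per finding. The sample report and the CVE ids in it are constructed placeholders. It goes slightly beyond the list above by handling two cases a real gate has to deal with: findings with no fixed version (the equivalent of Trivy's `--ignore-unfixed`) and a reviewed risk-acceptance list.

```python
"""Build-time image gate over a Trivy JSON report (added example).

Assumes the layout of `trivy image --format json`. The sample report
and CVE identifiers below are constructed placeholders.
"""
import json
from collections import Counter

BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}

# Constructed sample report standing in for `trivy image --format json`.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "sandbox-image (debian 12)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
                 "InstalledVersion": "2.3.0", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libutil",
                 "InstalledVersion": "0.9.0", "FixedVersion": "0.9.2", "Severity": "MEDIUM"},
            ],
        },
        # Trivy emits null (or omits the key) for a clean target.
        {"Target": "usr/local/bin/tool", "Vulnerabilities": None},
    ]
})


def findings(report_json):
    """Flatten a Trivy report into one dict per finding."""
    report = json.loads(report_json)
    out = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            out.append({
                "id": v["VulnerabilityID"],
                "pkg": v["PkgName"],
                "installed": v["InstalledVersion"],
                "fixed": v.get("FixedVersion") or None,  # "" means no fix available
                "severity": v["Severity"].upper(),
                "target": result.get("Target", ""),
            })
    return out


def gate(report_json, ignore_unfixed=False, accepted_ids=()):
    """Decide whether the image may be pushed.

    Returns (allowed, blocking_findings, severity_counts).
    ignore_unfixed mirrors Trivy's --ignore-unfixed: a finding without a
    fixed version cannot be remediated by rebuilding, so it may be
    tracked separately instead of failing the build.
    accepted_ids is a reviewed risk-acceptance list: still reported,
    but not blocking.
    """
    all_findings = findings(report_json)
    counts = Counter(f["severity"] for f in all_findings)
    accepted = set(accepted_ids)
    blocking = [
        f for f in all_findings
        if f["severity"] in BLOCKING_SEVERITIES
        and f["id"] not in accepted
        and not (ignore_unfixed and f["fixed"] is None)
    ]
    return (not blocking, blocking, dict(counts))


if __name__ == "__main__":
    allowed, blocking, counts = gate(SAMPLE_REPORT)
    print("severity counts:", counts)
    for f in blocking:
        print(f"BLOCK {f['id']} {f['pkg']} {f['installed']} -> "
              f"{f['fixed'] or 'no fix'} ({f['severity']}) in {f['target']}")
    print("push allowed" if allowed else "push blocked")
```

In a CI job the `gate` result decides whether the push step runs; the severity counts and the accepted list are worth writing to the job log, since they are the evidence the compliance mapping below asks for.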

Task output:
  1. Task completes → diff extracted
  2. Dependency scan: check new/updated packages against CVE databases
  3. Code scan: SAST for insecure patterns (Semgrep, CodeQL)
  4. License scan: check new dependencies against approved license list
  5. Results attached to PR as review comments
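Steps 1, 2, 4 and 5 of the task-output pipeline, as an added example that is not Codex Cloud's own code: it walks the extracted diff, picks out newly added dependency pins, checks them against an advisory table and an approved-license list, and emits review comments anchored to the new file's line numbers. It assumes a unified diff and `name==version` pins in `requirements.txt`; the diff, the advisory entries, the CVE id and the license table are all constructed placeholders, and a real pipeline would query an advisory source and a license scanner instead. The SAST step (3) is left to Semgrep or CodeQL as the text says.

```python
"""Post-task scan of an agent's diff: dependency CVEs and license policy
(added example). Diff, advisories and license data are constructed."""
import re

# Constructed diff as extracted after the task completes.
SAMPLE_DIFF = """\
diff --git a/requirements.txt b/requirements.txt
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,3 +1,5 @@
 flask==3.0.0
-requests==2.31.0
+requests==2.32.0
+oldlib==0.4.1
+gpltool==1.2.0
"""

# Constructed advisory data keyed by (package, version); placeholder CVE id.
ADVISORIES = {
    ("oldlib", "0.4.1"): {"id": "CVE-0000-0010", "severity": "HIGH", "fixed": "0.5.0"},
}
# Constructed license metadata per package and the organisation's approved list.
LICENSES = {"flask": "BSD-3-Clause", "requests": "Apache-2.0",
            "oldlib": "MIT", "gpltool": "GPL-3.0-only"}
APPROVED_LICENSES = {"MIT", "BSD-3-Clause", "Apache-2.0"}

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==([^\s;#]+)")


def added_pins(diff_text):
    """Yield (path, new_line_no, name, version) for each pin added to a
    requirements.txt. The new-file line number is tracked from the hunk
    header so a review comment can be anchored to the right line."""
    path, line_no = None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
            continue
        m = HUNK_RE.match(line)
        if m:
            line_no = int(m.group(1))
            continue
        if line.startswith("---") or line.startswith("diff "):
            continue
        if line.startswith("-"):
            continue  # removed line: consumes no new-file line number
        if line.startswith("+") and path and path.endswith("requirements.txt"):
            pin = PIN_RE.match(line[1:].strip())
            if pin:
                yield path, line_no, pin.group(1).lower(), pin.group(2)
        line_no += 1  # context and added lines both advance the new file


def scan_diff(diff_text):
    """Return PR review comments for vulnerable or unapproved new pins.
    Findings are surfaced as comments for the reviewer, not as a block."""
    comments = []
    for path, line_no, name, version in added_pins(diff_text):
        adv = ADVISORIES.get((name, version))
        if adv:
            comments.append({
                "path": path, "line": line_no, "kind": "vulnerability",
                "body": (f"{name}=={version} is affected by {adv['id']} "
                         f"({adv['severity']}); fixed in {adv['fixed']}."),
            })
        lic = LICENSES.get(name, "UNKNOWN")
        if lic not in APPROVED_LICENSES:
            comments.append({
                "path": path, "line": line_no, "kind": "license",
                "body": f"{name} is licensed {lic}, which is not on the approved list.",
            })
    return comments


if __name__ == "__main__":
    for c in scan_diff(SAMPLE_DIFF):
        print(f"{c['path']}:{c['line']} [{c['kind']}] {c['body']}")
```

Each comment carries the path and new-file line, which is exactly what a pull-request review API needs to place it inline on the diff; keeping the scan output in that shape is what lets step 5 stay a thin API call.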

# Compliance evidence mapping

| Control | Codex Cloud evidence source |
|---|---|
| SOC 2 CC6.1 (Access control) | Task authentication logs |
| SOC 2 CC7.2 (Monitoring) | Traffic logs, task audit logs |
| SOC 2 CC8.1 (Change management) | PR review + CI gate |
| ISO 27001 A.12.6 (Vulnerability) | Image + output scanning |
| HIPAA §164.312 (Audit controls) | Full task execution logs |

# Do This

  • Scan base images at build time and block deployment of images with critical CVEs
  • Run SAST tools on task output as a post-task step before PR creation
  • Map compliance controls to Codex Cloud evidence sources and automate evidence collection
  • Treat AI-generated code identically to human-written code in your compliance framework

# Avoid This

  • Skip vulnerability scanning because "the sandbox is isolated" — isolation does not prevent vulnerable code generation
  • Assume compliance frameworks do not apply to AI-generated code — regulators disagree
  • Manually collect compliance evidence — automate it or it will not scale with task volume
  • Treat task-output vulnerability scanning as a hard blocker — surface findings as PR comments for developer review