Loading...
Loading...
OpenAI Codex CLI code review with GPT-5.2-Codex, CI/CD integration
npx skill4agent add alinaqi/claude-bootstrap codex-review| Feature | Benefit |
|---|---|
| GPT-5.2-Codex | Specialized training for code review |
| 88% detection rate | Bugs, security flaws, style issues (LiveCodeBench) |
| Structured output | JSON schema for consistent findings |
| GitHub native | |
| Headless mode | CI/CD automation without TUI |
# Check Node.js version (requires 22+)
node --version
# Install Node.js 22 if needed
# macOS
brew install node@22
# Or via nvm
nvm install 22
nvm use 22# Via npm (recommended)
npm install -g @openai/codex
# Via Homebrew (macOS)
brew install --cask codex
# Verify installation
codex --versioncodex
# Follow prompts to sign in with ChatGPT account# Set environment variable
export OPENAI_API_KEY=sk-proj-...
# Or add to shell profile
echo 'export OPENAI_API_KEY=sk-proj-...' >> ~/.zshrc
# Run Codex
codex# Bash
codex completion bash >> ~/.bashrc
# Zsh
codex completion zsh >> ~/.zshrc
# Fish
codex completion fish > ~/.config/fish/completions/codex.fish# Start Codex
codex
# In the TUI, type:
/review| Preset | Use Case |
|---|---|
| Review against base branch | Before opening PR - diffs against upstream |
| Review uncommitted changes | Before committing - staged + unstaged + untracked |
| Review a commit | Analyze specific SHA from history |
| Custom instructions | e.g., "Focus on security vulnerabilities" |
$ codex
> /review
Select review type:
❯ Review against a base branch
Review uncommitted changes
Review a commit
Custom review instructions
Select base branch: main
Reviewing changes...
┌─────────────────────────────────────────────────────────────┐
│ CODE REVIEW FINDINGS │
├─────────────────────────────────────────────────────────────┤
│ 🔴 CRITICAL: SQL Injection vulnerability │
│ File: src/api/users.ts:45 │
│ Issue: User input directly interpolated in query │
│ Fix: Use parameterized queries │
├─────────────────────────────────────────────────────────────┤
│ 🟠 HIGH: Missing authentication check │
│ File: src/api/admin.ts:23 │
│ Issue: Admin endpoint accessible without auth │
│ Fix: Add requireAuth middleware │
├─────────────────────────────────────────────────────────────┤
│ 🟡 MEDIUM: Inefficient database query │
│ File: src/services/orders.ts:89 │
│ Issue: N+1 query pattern in loop │
│ Fix: Use batch query or JOIN │
└─────────────────────────────────────────────────────────────┘# Simple review
codex exec "review the code for bugs and security issues"
# Review with JSON output
codex exec --json "review uncommitted changes" > review.json
# Save final message to file
codex exec --output-last-message review.txt "review the diff against main"# Full auto mode (use only in isolated runners!)
codex exec \
--full-auto \
--json \
--output-last-message findings.txt \
--sandbox read-only \
-m gpt-5.2-codex \
"Review this code for bugs, security issues, and performance problems"# Define output schema
cat > review-schema.json << 'EOF'
{
"type": "object",
"properties": {
"findings": {
"type": "array",
"items": {
"type": "object",
"properties": {
"severity": { "enum": ["critical", "high", "medium", "low"] },
"title": { "type": "string" },
"file": { "type": "string" },
"line": { "type": "integer" },
"description": { "type": "string" },
"suggestion": { "type": "string" }
},
"required": ["severity", "title", "file", "description"]
}
},
"summary": { "type": "string" },
"approved": { "type": "boolean" }
},
"required": ["findings", "summary", "approved"]
}
EOF
# Run with schema validation
codex exec \
--output-schema review-schema.json \
--output-last-message review.json \
"Review the staged changes and output findings"@codex review# .github/workflows/codex-review.yml
name: Codex Code Review
on:
pull_request:
types: [opened, synchronize]
jobs:
review:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Codex Review
uses: openai/codex-action@main
with:
openai_api_key: ${{ secrets.OPENAI_API_KEY }}
model: gpt-5.2-codex
safety_strategy: drop-sudo# .github/workflows/codex-review.yml
name: Codex Code Review
on:
pull_request:
jobs:
review:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: actions/setup-node@v4
with:
node-version: '22'
- name: Install Codex CLI
run: npm install -g @openai/codex
- name: Run Review
env:
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
run: |
# Get diff
git diff origin/${{ github.base_ref }}...HEAD > diff.txt
# Run Codex review
codex exec \
--full-auto \
--sandbox read-only \
--output-last-message review.md \
"Review this git diff for bugs, security issues, and code quality: $(cat diff.txt)"
- name: Post Review Comment
uses: actions/github-script@v7
with:
script: |
const fs = require('fs');
const review = fs.readFileSync('review.md', 'utf8');
github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number,
body: `## 🤖 Codex Code Review\n\n${review}`
});# .gitlab-ci.yml
codex-review:
image: node:22
stage: review
script:
- npm install -g @openai/codex
- |
codex exec \
--full-auto \
--sandbox read-only \
--output-last-message review.md \
"Review the merge request changes for bugs and security issues"
- cat review.md
artifacts:
paths:
- review.md
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"pipeline {
agent any
environment {
OPENAI_API_KEY = credentials('openai-api-key')
}
stages {
stage('Install Codex') {
steps {
sh 'npm install -g @openai/codex'
}
}
stage('Code Review') {
steps {
sh '''
codex exec \
--full-auto \
--sandbox read-only \
--output-last-message review.md \
"Review the code changes for bugs and security issues"
'''
}
}
stage('Publish Results') {
steps {
archiveArtifacts artifacts: 'review.md'
script {
def review = readFile('review.md')
echo "Code Review Results:\n${review}"
}
}
}
}
}# ~/.codex/config.toml
[model]
default = "gpt-5.2-codex" # Best for code review
[sandbox]
default = "read-only" # Safe for reviews
[review]
# Custom review instructions applied to all reviews
instructions = """
Focus on:
1. Security vulnerabilities (OWASP Top 10)
2. Performance issues (N+1 queries, memory leaks)
3. Error handling gaps
4. Type safety issues
"""# .codex/config.toml (in project root)
[review]
instructions = """
This is a Python FastAPI project. Focus on:
- Async/await correctness
- Pydantic model validation
- SQL injection via SQLAlchemy
- Authentication/authorization gaps
"""# Interactive
codex # Start TUI
/review # Open review presets
# Headless
codex exec "prompt" # Non-interactive execution
codex exec --json "prompt" # JSON output
codex exec --full-auto "prompt" # No approval prompts
# Key Flags
--output-last-message FILE # Save response to file
--output-schema FILE # Validate against JSON schema
--sandbox read-only # Restrict file access
-m gpt-5.2-codex # Use best review model
--json # Machine-readable output
# Resume
codex exec resume SESSION_ID # Continue previous session| Aspect | Claude (Built-in) | Codex CLI |
|---|---|---|
| Setup | None (already in Claude Code) | Install CLI + auth |
| Model | Claude | GPT-5.2-Codex (specialized) |
| Context | Full conversation context | Fresh context per review |
| Integration | Native | GitHub, GitLab, Jenkins |
| Output | Markdown | JSON schema support |
| Best for | Quick reviews, in-flow | CI/CD, critical PRs |
# Always use these flags in CI/CD:
--sandbox read-only # Prevent file modifications
--safety-strategy drop-sudo # Revoke elevated permissions# GitHub Actions - use secrets
env:
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
# Never hardcode keys
# Never echo keys in logsdrop-sudo| Issue | Solution |
|---|---|
| Run |
| Upgrade to Node.js 22+ |
| Re-run |
| Check |
| Add |
| Reduce frequency or upgrade plan |
--dangerously-bypass-approvals-and-sandbox--sandbox read-only