Hi everyone,

Recently both OpenAI and Anthropic announced new AI-based security agents designed to detect and help fix vulnerabilities in software projects.

Two announcements that caught my attention:

• *Codex Security (OpenAI)* – currently in research preview
  https://openai.com/index/codex-security-now-in-research-preview/
• *Claude Code Security (Anthropic)*
  https://www.anthropic.com/news/claude-code-security

Both tools aim to automatically:

- Scan repositories for security vulnerabilities
- Identify insecure patterns or dependency risks
- Suggest fixes or patches
- Help developers remediate issues directly in code

An interesting aspect is that both organizations are offering free access for open-source projects, which could make them particularly useful for projects like Apache OFBiz.

Given OFBiz's size and long history, tools like these could potentially help us:

- detect vulnerabilities earlier
- automate parts of security review
- assist contributors in fixing issues faster
- strengthen overall project security posture

I'm curious whether anyone in the community has already experimented with either of these tools. If there is interest, we could explore:

1. Applying for *open-source access* for the OFBiz project
2. Running scans against the repository
3. Evaluating the results and usefulness of the findings
4. Potentially integrating these tools into the development workflow (for example during code reviews or CI pipelines)

I would love to hear thoughts from the community:

- Has anyone tried these tools already?
- Do these look useful for Apache OFBiz?
- Would it make sense to run an experiment with one or both?

Looking forward to hearing your opinions.

Thanks
--
Divesh Dutta
www.hotwaxsystems.com
