How to Use Codex CLI for Code Review

OpenAI Codex CLI includes a built-in code review feature that analyzes your changes and provides actionable feedback before you commit or open a pull request. The /review command launches a dedicated reviewer that examines diffs and reports prioritized findings without modifying your code.

Prerequisites

Before using the review feature, ensure you have:

• Codex CLI installed - See How to Install OpenAI Codex CLI for setup instructions
• Git repository - The review feature requires a git repository to analyze diffs
• Changes to review - Either staged changes, uncommitted modifications, or commits to examine

The /review Command

The /review command is a slash command you run from within an active Codex session. It launches a dedicated reviewer that reads the diff you select and reports prioritized, actionable findings.

Starting a Review

1. Open Codex in your project directory:

codex

2. Type the review command:

/review

3. Codex presents a menu of review options:
   • Review against a base branch
   • Review uncommitted changes
   • Review a commit
   • Custom review instructions

Review Modes

Review Against a Base Branch

This mode is ideal for preparing pull requests. Codex finds the merge base against the upstream branch, diffs your work, and highlights the biggest risks before you open a PR.

When you select this option:

1. Codex lists your local branches
2. You pick the branch to compare against (typically main or develop)
3. Codex analyzes all changes between your branch and the base

This helps you catch issues before requesting reviews from teammates.

Review Uncommitted Changes

This mode inspects everything in your working tree:

• Staged changes - Files you have added with git add
• Unstaged changes - Modified files not yet staged
• Untracked files - New files Git is not tracking

Use this before committing to ensure your changes are clean and well-structured.

Review a Commit

This mode lets you examine a specific commit:

1. Codex lists your recent commits
2. You select the SHA you want to review
3. Codex reads the exact changeset for that commit

This is useful for reviewing your own work or understanding changes made by others.

Custom Review Instructions

Provide your own review criteria for tailored analysis. Examples:

Security-focused review:

Focus on SQL injection, XSS, and auth bypasses

Performance review:

Find N+1 queries and unnecessary database calls

Accessibility review:

Focus on accessibility regressions and WCAG compliance

Test coverage review:

Identify untested code paths and suggest test cases

Using /diff to Inspect Changes

Before or after running /review, use the /diff command to see exactly what has changed:

/diff

This shows:

• Staged changes
• Unstaged changes
• Untracked files

The output helps you understand what Codex is reviewing and verify its findings against the actual code changes.

Customizing Review Settings

Setting a Dedicated Review Model

You can configure a specific model for code reviews in your ~/.codex/config.toml:

# Use a specific model for /review
review_model = "gpt-5.2-codex"

When this setting is unset (the default), Codex uses your current session model. Setting a dedicated review model is useful if you want to use a more capable model specifically for reviews while using a faster model for general tasks.

Review in Transcript

Each review appears as its own turn in the conversation transcript. This enables you to:

• Rerun reviews as your code evolves
• Compare feedback across iterations
• Reference previous review findings

PR Preparation Workflow

Here is a recommended workflow for using Codex reviews before opening a pull request:

Step 1: Review Your Work

codex

Then in Codex:

/review

Select "Review against a base branch" and choose main.

Step 2: Address Findings

Codex reports findings in priority order. Address high-priority issues first:

1. Security vulnerabilities
2. Logic errors
3. Missing error handling
4. Code style issues

Step 3: Verify Fixes

After making changes, run another review:

/review

Select "Review uncommitted changes" to verify your fixes.

Step 4: Check the Diff

/diff

Inspect the final changes before committing.

Step 5: Commit and Push

Once satisfied with the review results, exit Codex and commit:

git add -A
git commit -m "Implement feature with reviewed changes"
git push origin feature-branch

Platform-Specific Notes

macOS

Codex CLI works natively on macOS with full sandbox support (Seatbelt). Reviews run in a read-only context by default, ensuring your working tree is not modified.

To run Codex:

codex

Linux

Codex CLI supports Linux with Landlock sandbox security. The review feature works identically to macOS.

To run Codex:

codex

Windows

Windows support is available but comes with some considerations:

Native Windows (PowerShell):

• Review features work but sandbox support is experimental
• Use WSL for the most reliable experience

Windows Subsystem for Linux (WSL) - Recommended:

# In WSL terminal
codex

Using WSL provides Unix-style semantics that match the training data for better review accuracy.

Windows Note

Keep your repositories in your Linux home directory (~/projects/myrepo) rather than Windows paths (/mnt/c/Users/...) for best performance in WSL.

CI/CD Integration

You can integrate Codex reviews into your CI/CD pipeline using headless mode.

GitHub Actions Example

name: Code Review
on: [pull_request]

jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Install Codex
        run: npm install -g @openai/codex

      - name: Run Review
        env:
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
        run: |
          codex exec --json "Review the diff between origin/main and HEAD. Focus on security issues and code quality."

Using the Codex GitHub Action

OpenAI provides an official GitHub Action for code reviews:

- uses: openai/codex-action@v1
  with:
    api-key: ${{ secrets.OPENAI_API_KEY }}
    command: review

The action can apply patches, post review comments, and integrate with your existing workflow.

Security Best Practices

When using Codex for code reviews:

1. Treat suggestions as PR feedback - Review diffs and verify recommendations before accepting
2. Run targeted verification - Test that suggested changes work correctly
3. Document decisions - Include reasoning in commit messages for auditing
4. Keep Codex updated - Security patches are released regularly (ensure you have version 0.23.0 or later)
5. Use read-only mode - The /review command is read-only by default, but verify your sandbox settings

Troubleshooting

Review Shows No Changes

If /review reports no changes to review:

1. Check that you have uncommitted changes:

git status

2. Verify you are in a git repository:

git rev-parse --is-inside-work-tree

Review Takes Too Long

For large changesets, Codex may take time to analyze. Consider:

1. Review smaller batches of changes
2. Use custom instructions to focus on specific concerns
3. Increase timeout if using headless mode

Authentication Errors During Review

If you see authentication errors:

codex auth logout
codex

Sign in again when prompted.

Next Steps

• Learn about Codex CLI slash commands for additional features
• Explore the Codex GitHub Action for CI/CD integration
• Read about orchestrating multiple AI tools for efficient development workflows