security-agent-cca-fix
Run or explain Security Agent remediation through GitHub Copilot Cloud Agent from a pip-installed setup. Use when Codex needs to use --executor cca or --executor auto, create remote Copilot/CCA remediation tasks, reason about CCA budget/status, or compare local Codex execution with remote GitHub Cloud Agent execution without cloning the controller repo.
Security Agent CCA Fix
Use this skill for remote remediation through GitHub Copilot Cloud Agent from ~/security-agent. CCA is useful when fixes should run in GitHub rather than on the developer machine.
Preflight
Run from the central workspace. If any command fails, use $security-agent-setup.
cd ~/security-agent
test -f .env
.venv/bin/edi-security-agent --version
Use only the pip-installed CLI/UI from ~/security-agent. Do not call repo-local Python modules, Azure fetcher scripts, or files from edi-security-agent-controller.
If setup needs Artifactory credentials, route to $security-agent-setup for the opt-in chat credential forwarding flow or own-Terminal fallback.
If plain pip3 or a global edi-security-agent works but .venv/bin/edi-security-agent is missing, do not use the global install. Explain the pip-scope mismatch and route to $security-agent-setup so the package is installed into ~/security-agent/.venv.
Preconditions
- Azure Defender findings must identify fixable CVEs.
GITHUB_TOKENandGITHUB_ORGmust allow repository access.CCA_GITHUB_OWNERdefaults toGITHUB_ORGwhen unset.- CCA should not need Security Platform cookies or UAIS/OpenAI OAuth secrets. If the installed package still validates LLM config for CCA, report that as a product issue.
Workflow
- Inspect findings first:
.venv/bin/edi-security-agent defender list --repo <repo> --severity high --fixable-only
- Run CCA dry-run or explicit CCA execution:
.venv/bin/edi-security-agent defender fix --repo <repo> --severity high --executor cca
- Use apply mode only when the user wants remote task/PR creation:
.venv/bin/edi-security-agent defender fix --repo <repo> --severity high --executor cca --apply
- Use
--executor autoonly when it is acceptable for the controller to select between local and CCA execution. - For UI/server reporting, inspect CCA budget and run records through
/api/runs/cca-budgetand run detail endpoints.
What CCA Receives
The CCA prompt includes repository name, CVE IDs, severity, Maven package names, current versions, fixed versions, and remediation instructions. It does not need Security Platform cookies or UAIS/OpenAI OAuth secrets.
Safety
- Prefer one repo per CCA task for clear review ownership.
- Do not send secrets or local-only files in CCA prompts.
- Do not bypass the installed CLI by running repo-local scripts or Python modules.
- Treat CCA as an autonomous remote code agent; require PR review before merge.
- If a repo has missing fixed versions, prefer local analysis or discovery before dispatching to CCA.
Related Assets
security-agent-local-fix
Run local Security Agent remediation from a pip-installed setup with the Codex executor. Use when Codex needs to plan or execute edi-security-agent defender fix with --executor codex or --executor local, dry-run Maven CVE remediation, apply local fixes, create Git branches/PRs, or explain the local autonomous Codex remediation path without cloning the controller repo.
Owner: edi-security-agent
security-agent-discovery
Discover, inspect, import, refresh, and export Security Agent vulnerability data from a pip-installed setup. Use when Codex needs to list Azure Defender findings, filter by repo/severity/CVE/fixable state, refresh the local UI vulnerability cache, import Security Platform findings through explicit cookie and DPoP values, or explain discovery-only workflows without cloning the controller repo.
Owner: edi-security-agent
security-agent-setup
Set up Security Agent for users who have not cloned the controller repo. Use when Codex needs to create ~/security-agent, create a Python virtual environment, install the pip3 package edi-security-agent, explain private Artifactory package index setup when package install fails, verify edi-security-agent --version, guide local .env creation for Azure Defender and optional GitHub/OpenAI values, verify az login, or troubleshoot private package index configuration.
Owner: edi-security-agent
security-agent-ui-runs
Operate the Security Agent local FastAPI/UI workflow from a pip-installed setup. Use when Codex needs to start or inspect edi-security-agent-ui, refresh vulnerability data in the local SQLite cache, use the natural-language chat workflow, create/monitor/cancel UI runs, or explain local dashboard run behavior without cloning the controller repo.
Owner: edi-security-agent
MCP Server Development Standards (Optum)
Standards, patterns, and guardrails for building Model Context Protocol (MCP) servers compatible with Wall-E, VS Code Copilot, and enterprise systems.
Owner: epic-platform-sre
pr-review-multi-agent-expert
Run a lean pull request review with real spawned agents, adaptive specialist routing, and strict synthesis. Use when a user wants a deep PR review with high signal, low noise, and read-only behavior by default.
Owner: platform-devops

