Skip to content

security-agent-cca-fix

Run or explain Security Agent remediation through GitHub Copilot Cloud Agent from a pip-installed setup. Use when Codex needs to use --executor cca or --executor auto, create remote Copilot/CCA remediation tasks, reason about CCA budget/status, or compare local Codex execution with remote GitHub Cloud Agent execution without cloning the controller repo.

active
IDE:
codex
Version:
1.0.0
Owner:edi-security-agent
security
cca
github
copilot
remediation
remote
optum
edi

Security Agent CCA Fix

Use this skill for remote remediation through GitHub Copilot Cloud Agent from ~/security-agent. CCA is useful when fixes should run in GitHub rather than on the developer machine.

Preflight

Run from the central workspace. If any command fails, use $security-agent-setup.

cd ~/security-agent
test -f .env
.venv/bin/edi-security-agent --version

Use only the pip-installed CLI/UI from ~/security-agent. Do not call repo-local Python modules, Azure fetcher scripts, or files from edi-security-agent-controller. If setup needs Artifactory credentials, route to $security-agent-setup for the opt-in chat credential forwarding flow or own-Terminal fallback. If plain pip3 or a global edi-security-agent works but .venv/bin/edi-security-agent is missing, do not use the global install. Explain the pip-scope mismatch and route to $security-agent-setup so the package is installed into ~/security-agent/.venv.

Preconditions

  • Azure Defender findings must identify fixable CVEs.
  • GITHUB_TOKEN and GITHUB_ORG must allow repository access.
  • CCA_GITHUB_OWNER defaults to GITHUB_ORG when unset.
  • CCA should not need Security Platform cookies or UAIS/OpenAI OAuth secrets. If the installed package still validates LLM config for CCA, report that as a product issue.

Workflow

  1. Inspect findings first:
.venv/bin/edi-security-agent defender list --repo <repo> --severity high --fixable-only
  1. Run CCA dry-run or explicit CCA execution:
.venv/bin/edi-security-agent defender fix --repo <repo> --severity high --executor cca
  1. Use apply mode only when the user wants remote task/PR creation:
.venv/bin/edi-security-agent defender fix --repo <repo> --severity high --executor cca --apply
  1. Use --executor auto only when it is acceptable for the controller to select between local and CCA execution.
  2. For UI/server reporting, inspect CCA budget and run records through /api/runs/cca-budget and run detail endpoints.

What CCA Receives

The CCA prompt includes repository name, CVE IDs, severity, Maven package names, current versions, fixed versions, and remediation instructions. It does not need Security Platform cookies or UAIS/OpenAI OAuth secrets.

Safety

  • Prefer one repo per CCA task for clear review ownership.
  • Do not send secrets or local-only files in CCA prompts.
  • Do not bypass the installed CLI by running repo-local scripts or Python modules.
  • Treat CCA as an autonomous remote code agent; require PR review before merge.
  • If a repo has missing fixed versions, prefer local analysis or discovery before dispatching to CCA.

Related Assets

security-agent-local-fix

active

Run local Security Agent remediation from a pip-installed setup with the Codex executor. Use when Codex needs to plan or execute edi-security-agent defender fix with --executor codex or --executor local, dry-run Maven CVE remediation, apply local fixes, create Git branches/PRs, or explain the local autonomous Codex remediation path without cloning the controller repo.

codex
security
maven
cve
remediation
codex
+3

Owner: edi-security-agent

security-agent-discovery

active

Discover, inspect, import, refresh, and export Security Agent vulnerability data from a pip-installed setup. Use when Codex needs to list Azure Defender findings, filter by repo/severity/CVE/fixable state, refresh the local UI vulnerability cache, import Security Platform findings through explicit cookie and DPoP values, or explain discovery-only workflows without cloning the controller repo.

codex
security
azure-defender
vulnerability
discovery
cve
+2

Owner: edi-security-agent

security-agent-setup

active

Set up Security Agent for users who have not cloned the controller repo. Use when Codex needs to create ~/security-agent, create a Python virtual environment, install the pip3 package edi-security-agent, explain private Artifactory package index setup when package install fails, verify edi-security-agent --version, guide local .env creation for Azure Defender and optional GitHub/OpenAI values, verify az login, or troubleshoot private package index configuration.

codex
security
setup
pip
azure-defender
optum
+3

Owner: edi-security-agent

security-agent-ui-runs

active

Operate the Security Agent local FastAPI/UI workflow from a pip-installed setup. Use when Codex needs to start or inspect edi-security-agent-ui, refresh vulnerability data in the local SQLite cache, use the natural-language chat workflow, create/monitor/cancel UI runs, or explain local dashboard run behavior without cloning the controller repo.

codex
security
ui
fastapi
dashboard
vulnerability
+2

Owner: edi-security-agent

MCP Server Development Standards (Optum)

experimental

Standards, patterns, and guardrails for building Model Context Protocol (MCP) servers compatible with Wall-E, VS Code Copilot, and enterprise systems.

claude
codex
vscode
mcp
sdk
wall-e
security
optum

Owner: epic-platform-sre

pr-review-multi-agent-expert

active

Run a lean pull request review with real spawned agents, adaptive specialist routing, and strict synthesis. Use when a user wants a deep PR review with high signal, low noise, and read-only behavior by default.

codex
pull-request
review
multi-agent
code-review
github
+3

Owner: platform-devops