
security-agent-local-fix

Run local Security Agent remediation from a pip-installed setup with the Codex executor. Use when Codex needs to plan or execute edi-security-agent defender fix with --executor codex or --executor local, dry-run Maven CVE remediation, apply local fixes, create Git branches/PRs, or explain the local autonomous Codex remediation path without cloning the controller repo.

active
IDE: codex
Version: 1.0.0
Owner: edi-security-agent
Tags: security, maven, cve, remediation, codex, optum, edi, local

Security Agent Local Fix

Use this skill for local Codex-first remediation from ~/security-agent. The local path clones the target repo, creates a security branch, fixes Maven dependency CVEs, runs build/test verification, and optionally pushes a PR.

Preflight

Run from the central workspace. If any command fails, use $security-agent-setup.

cd ~/security-agent
test -f .env
.venv/bin/edi-security-agent --version

Use only the pip-installed CLI/UI from ~/security-agent. Do not call repo-local Python modules, Azure fetcher scripts, or files from edi-security-agent-controller. If setup needs Artifactory credentials, route to $security-agent-setup for the opt-in chat credential forwarding flow or own-Terminal fallback. If plain pip3 or a global edi-security-agent works but .venv/bin/edi-security-agent is missing, do not use the global install. Explain the pip-scope mismatch and route to $security-agent-setup so the package is installed into ~/security-agent/.venv.

Preconditions

  • Azure Defender config must be present: AZURE_REGISTRY_NAME, AZURE_ASSESSMENT_KEY, and preferably AZURE_SUBSCRIPTION_ID.
  • codex --version should work for Codex-first execution.
  • GITHUB_TOKEN and GITHUB_ORG are required only for apply mode, PR creation, or CCA workflows.
  • OPENAI_* is optional fallback when Codex is unavailable or fails.

Workflow

  1. List first unless the user already provided exact repo/severity:
     .venv/bin/edi-security-agent defender list --repo <repo> --severity high --fixable-only
  2. Default to dry-run for first pass:
     .venv/bin/edi-security-agent defender fix --repo <repo> --severity high --executor codex
  3. Use apply mode only when the user explicitly asks to push/create PRs:
     .venv/bin/edi-security-agent defender fix --repo <repo> --severity high --executor codex --apply
  4. Use --git-repo <github-repo> when the Defender/ACR repository name differs from the GitHub repository name.
  5. For multiple repos, use repeated --repo flags or --all; use explicit azure-repo=github-repo mappings for overrides.

What The Local Agent Does

  • Runs mvn dependency:tree to identify direct, BOM-managed, transitive, or internal edi-* dependency sources.
  • Uses Codex CLI as the autonomous local agent for pom.xml, build, and test repair.
  • Falls back to UAIS/OpenAI JSON patch flows only when configured and needed.
  • Commits, pushes, and opens PRs only in apply mode.

Safety

  • Never push directly to main/develop.
  • Keep dry-run as the default when the user's intent is unclear.
  • Do not bypass the installed CLI by running repo-local scripts or Python modules.
  • Do not store credentials or copied Security Platform cookies.
  • If Maven build/test errors are environmental, report them instead of forcing code changes.
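
A preflight and command-builder sketch for the Preflight, Preconditions, Workflow and Safety rules above, added here as an example and not part of the edi-security-agent package. It assumes the required settings are KEY=value lines in ~/security-agent/.env; SA_HOME, has_key, preflight and build_fix_cmd are hypothetical names, and the repo-name character check is an added precaution.

```shell
#!/bin/sh
# Added example; not part of the edi-security-agent package.
# Assumption: required settings are KEY=value lines in $SA_HOME/.env.
SA_HOME="${SA_HOME:-$HOME/security-agent}"

# has_key NAME: true if .env sets NAME to a non-empty value.
# Only grep's exit status is used, so the value is never printed or logged.
has_key() {
    grep -Eq "^(export[[:space:]]+)?$1=.+" "$SA_HOME/.env"
}

# preflight MODE (dry-run|apply): report the first failed check.
# Return codes: 1 no .env, 2 no venv CLI, 3 Azure config, 4 GitHub config.
preflight() {
    mode="${1:-dry-run}"
    [ -f "$SA_HOME/.env" ] || { echo 'no .env: route to $security-agent-setup'; return 1; }
    # Only the venv copy counts; a global edi-security-agent is ignored on purpose.
    [ -x "$SA_HOME/.venv/bin/edi-security-agent" ] || {
        echo 'CLI missing from .venv: route to $security-agent-setup'; return 2; }
    for k in AZURE_REGISTRY_NAME AZURE_ASSESSMENT_KEY; do
        has_key "$k" || { echo "missing $k in .env"; return 3; }
    done
    if [ "$mode" = apply ]; then
        # GitHub credentials are needed only when a branch is pushed or a PR opened.
        for k in GITHUB_TOKEN GITHUB_ORG; do
            has_key "$k" || { echo "missing $k (required for apply)"; return 4; }
        done
    fi
    return 0
}

# build_fix_cmd REPO [MODE]: print the fix command, to be run from $SA_HOME.
# --apply is appended only for the literal mode "apply"; anything else is dry-run.
# Added precaution: reject empty names, leading dashes and shell metacharacters.
build_fix_cmd() {
    repo="$1"; mode="${2:-dry-run}"
    case "$repo" in
        ''|-*|*[!A-Za-z0-9._/-]*) echo 'invalid repo name' >&2; return 1 ;;
    esac
    cmd=".venv/bin/edi-security-agent defender fix --repo $repo --severity high --executor codex"
    [ "$mode" = apply ] && cmd="$cmd --apply"
    echo "$cmd"
}
```

Source the file, call preflight with the intended mode, and run the line printed by build_fix_cmd from ~/security-agent only when preflight returns 0.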

Related Assets

security-agent-cca-fix

active

Run or explain Security Agent remediation through GitHub Copilot Cloud Agent from a pip-installed setup. Use when Codex needs to use --executor cca or --executor auto, create remote Copilot/CCA remediation tasks, reason about CCA budget/status, or compare local Codex execution with remote GitHub Cloud Agent execution without cloning the controller repo.

codex
security
cca
github
copilot
remediation

Owner: edi-security-agent

security-agent-discovery

active

Discover, inspect, import, refresh, and export Security Agent vulnerability data from a pip-installed setup. Use when Codex needs to list Azure Defender findings, filter by repo/severity/CVE/fixable state, refresh the local UI vulnerability cache, import Security Platform findings through explicit cookie and DPoP values, or explain discovery-only workflows without cloning the controller repo.

codex
security
azure-defender
vulnerability
discovery
cve

Owner: edi-security-agent

security-agent-setup

active

Set up Security Agent for users who have not cloned the controller repo. Use when Codex needs to create ~/security-agent, create a Python virtual environment, install the pip3 package edi-security-agent, explain private Artifactory package index setup when package install fails, verify edi-security-agent --version, guide local .env creation for Azure Defender and optional GitHub/OpenAI values, verify az login, or troubleshoot private package index configuration.

codex
security
setup
pip
azure-defender
optum

Owner: edi-security-agent

security-agent-ui-runs

active

Operate the Security Agent local FastAPI/UI workflow from a pip-installed setup. Use when Codex needs to start or inspect edi-security-agent-ui, refresh vulnerability data in the local SQLite cache, use the natural-language chat workflow, create/monitor/cancel UI runs, or explain local dashboard run behavior without cloning the controller repo.

codex
security
ui
fastapi
dashboard
vulnerability

Owner: edi-security-agent

MCP Server Development Standards (Optum)

experimental

Standards, patterns, and guardrails for building Model Context Protocol (MCP) servers compatible with Wall-E, VS Code Copilot, and enterprise systems.

claude
codex
vscode
mcp
sdk
wall-e
security
optum

Owner: epic-platform-sre

Azure Resource Health Diagnosis

experimental

Analyze an Azure resource’s health, diagnose issues using logs and telemetry, and produce a remediation plan for identified problems.

claude
codex
vscode
azure
diagnostics
monitoring
incident
remediation

Owner: epic-platform-sre