security-agent-local-fix
Run local Security Agent remediation from a pip-installed setup with the Codex executor. Use when Codex needs to plan or execute edi-security-agent defender fix with --executor codex or --executor local, dry-run Maven CVE remediation, apply local fixes, create Git branches/PRs, or explain the local autonomous Codex remediation path without cloning the controller repo.
Security Agent Local Fix
Use this skill for local Codex-first remediation from ~/security-agent. The local path clones the target repo, creates a security branch, fixes Maven dependency CVEs, runs build/test verification, and optionally pushes a PR.
Preflight
Run from the central workspace. If any command fails, use $security-agent-setup.
cd ~/security-agent
test -f .env
.venv/bin/edi-security-agent --version
Use only the pip-installed CLI/UI from ~/security-agent. Do not call repo-local Python modules, Azure fetcher scripts, or files from edi-security-agent-controller.
If setup needs Artifactory credentials, route to $security-agent-setup for the opt-in chat credential forwarding flow or own-Terminal fallback.
If plain pip3 or a global edi-security-agent works but .venv/bin/edi-security-agent is missing, do not use the global install. Explain the pip-scope mismatch and route to $security-agent-setup so the package is installed into ~/security-agent/.venv.
Preconditions
- Azure Defender config must be present:
AZURE_REGISTRY_NAME,AZURE_ASSESSMENT_KEY, and preferablyAZURE_SUBSCRIPTION_ID. codex --versionshould work for Codex-first execution.GITHUB_TOKENandGITHUB_ORGare required only for apply mode, PR creation, or CCA workflows.OPENAI_*is optional fallback when Codex is unavailable or fails.
Workflow
- List first unless the user already provided exact repo/severity:
.venv/bin/edi-security-agent defender list --repo <repo> --severity high --fixable-only
- Default to dry-run for first pass:
.venv/bin/edi-security-agent defender fix --repo <repo> --severity high --executor codex
- Use apply mode only when the user explicitly asks to push/create PRs:
.venv/bin/edi-security-agent defender fix --repo <repo> --severity high --executor codex --apply
- Use
--git-repo <github-repo>when the Defender/ACR repository name differs from the GitHub repository name. - For multiple repos, use repeated
--repoflags or--all; use explicitazure-repo=github-repomappings for overrides.
What The Local Agent Does
- Runs
mvn dependency:treeto identify direct, BOM-managed, transitive, or internaledi-*dependency sources. - Uses Codex CLI as the autonomous local agent for
pom.xml, build, and test repair. - Falls back to UAIS/OpenAI JSON patch flows only when configured and needed.
- Commits, pushes, and opens PRs only in apply mode.
Safety
- Never push directly to main/develop.
- Keep dry-run as the default when the user's intent is unclear.
- Do not bypass the installed CLI by running repo-local scripts or Python modules.
- Do not store credentials or copied Security Platform cookies.
- If Maven build/test errors are environmental, report them instead of forcing code changes.
Related Assets
security-agent-cca-fix
Run or explain Security Agent remediation through GitHub Copilot Cloud Agent from a pip-installed setup. Use when Codex needs to use --executor cca or --executor auto, create remote Copilot/CCA remediation tasks, reason about CCA budget/status, or compare local Codex execution with remote GitHub Cloud Agent execution without cloning the controller repo.
Owner: edi-security-agent
security-agent-discovery
Discover, inspect, import, refresh, and export Security Agent vulnerability data from a pip-installed setup. Use when Codex needs to list Azure Defender findings, filter by repo/severity/CVE/fixable state, refresh the local UI vulnerability cache, import Security Platform findings through explicit cookie and DPoP values, or explain discovery-only workflows without cloning the controller repo.
Owner: edi-security-agent
security-agent-setup
Set up Security Agent for users who have not cloned the controller repo. Use when Codex needs to create ~/security-agent, create a Python virtual environment, install the pip3 package edi-security-agent, explain private Artifactory package index setup when package install fails, verify edi-security-agent --version, guide local .env creation for Azure Defender and optional GitHub/OpenAI values, verify az login, or troubleshoot private package index configuration.
Owner: edi-security-agent
security-agent-ui-runs
Operate the Security Agent local FastAPI/UI workflow from a pip-installed setup. Use when Codex needs to start or inspect edi-security-agent-ui, refresh vulnerability data in the local SQLite cache, use the natural-language chat workflow, create/monitor/cancel UI runs, or explain local dashboard run behavior without cloning the controller repo.
Owner: edi-security-agent
MCP Server Development Standards (Optum)
Standards, patterns, and guardrails for building Model Context Protocol (MCP) servers compatible with Wall-E, VS Code Copilot, and enterprise systems.
Owner: epic-platform-sre
Azure Resource Health Diagnosis
Analyze an Azure resource’s health, diagnose issues using logs and telemetry, and produce a remediation plan for identified problems.
Owner: epic-platform-sre

