security-agent-setup
Set up Security Agent for users who have not cloned the controller repo. Use when Codex needs to create ~/security-agent, create a Python virtual environment, install the pip3 package edi-security-agent, explain private Artifactory package index setup when package install fails, verify edi-security-agent --version, guide local .env creation for Azure Defender and optional GitHub/OpenAI values, verify az login, or troubleshoot private package index configuration.
Security Agent Setup
Use this skill for first-time setup on a user's machine without cloning edi-security-agent-controller. The working directory is ~/security-agent, and the installed package provides the CLI and local UI.
Configuration Model
- JFrog/Artifactory credentials are install-time pip credentials only.
- ~/security-agent/.env is runtime Security Agent configuration only.
- Do not put JFROG_USER, JFROG_TOKEN, PIP_EXTRA_INDEX_URL, or Artifactory URLs in ~/security-agent/.env.
- The Codex Shell output panel is not a user input terminal. If a command waits at Artifactory username:, the user cannot type into that shell directly from chat.
- Users may opt in to paste Artifactory credentials into chat so Codex can forward them to the owned shell session through stdin. Treat this as a convenience path with explicit token-in-chat risk.
- Package index config is pip-specific. A pip3 config --site change on the system Python does not apply to ~/security-agent/.venv/bin/pip3.
Setup Workflow
- Create the workspace and virtual environment, then try the normal package install:
mkdir -p ~/security-agent
cd ~/security-agent
python3 -m venv .venv
.venv/bin/pip3 install edi-security-agent
- If package installation fails because the internal package index is not configured, stop the failed install and explain the opt-in credential flow. Tell the user that normal chat text does not type into the shell prompt, but Codex can forward pasted credentials to a shell session it owns. Ask the user to paste credentials only in this exact format:
I accept token-in-chat risk.
JFROG_USER=<username>
JFROG_TOKEN=<token>
Do not proceed unless the acceptance sentence is present.
If the user says the package installs with plain pip3, explain that the setup uses the virtualenv pip at ~/security-agent/.venv/bin/pip3. The package must be installed into that virtualenv, and any --site pip config must be set with .venv/bin/pip3 config --site, not system pip3 config --site.
- After the user opts in, start a shell session that reads the username and token from stdin. Do not put either value in the command string. Forward only the raw username and token lines to stdin.
Use this command for the owned shell session:
set +x  # make sure xtrace is off so neither credential line is echoed
cd ~/security-agent
test -d .venv || python3 -m venv .venv
# Turn terminal echo off while the two credential lines are read, and restore it on any exit
restore_echo() { stty echo 2>/dev/null || true; }
trap restore_echo EXIT
stty -echo 2>/dev/null || true
IFS= read -r JFROG_USER
IFS= read -r JFROG_TOKEN
restore_echo
trap - EXIT
export JFROG_USER
export JFROG_TOKEN
# Build the authenticated index URL in Python so both values are percent-encoded and never appear in a command string
export PIP_EXTRA_INDEX_URL=$(
python3 - <<'PY'
from urllib.parse import quote
import os
user = quote(os.environ["JFROG_USER"], safe="")
token = quote(os.environ["JFROG_TOKEN"], safe="")
print(f"https://{user}:{token}@centraluhg.jfrog.io/artifactory/api/pypi/mednet-batch-edi-pypi-vir/simple")
PY
)
.venv/bin/pip3 install --quiet --disable-pip-version-check edi-security-agent
INSTALL_STATUS=$?
# Drop the credentials from the environment before reporting the install result
unset JFROG_USER
unset JFROG_TOKEN
unset PIP_EXTRA_INDEX_URL
exit "$INSTALL_STATUS"
Forward stdin to that command exactly as:
<username>
<token>
Do not print, repeat, summarize, save, or transform the pasted token. Do not use verbose pip output. After successful setup, advise the user to rotate the Artifactory token because it was pasted into chat.
- If the user does not accept token-in-chat risk, show this own-Terminal fallback instead:
cd ~/security-agent
test -d .venv || python3 -m venv .venv
printf "Artifactory username: "
IFS= read -r JFROG_USER
printf "Artifactory token: "
stty -echo  # do not echo the token while it is typed
IFS= read -r JFROG_TOKEN
stty echo
printf "\n"
export JFROG_USER
export JFROG_TOKEN
# Percent-encode both values so characters such as '@', ':' or '/' in a token cannot break the URL
export PIP_EXTRA_INDEX_URL=$(
python3 - <<'PY'
from urllib.parse import quote
import os
user = quote(os.environ["JFROG_USER"], safe="")
token = quote(os.environ["JFROG_TOKEN"], safe="")
print(f"https://{user}:{token}@centraluhg.jfrog.io/artifactory/api/pypi/mednet-batch-edi-pypi-vir/simple")
PY
)
.venv/bin/pip3 install --quiet --disable-pip-version-check edi-security-agent
# Credentials are only needed for this install; clear them from the shell afterwards
unset JFROG_USER
unset JFROG_TOKEN
unset PIP_EXTRA_INDEX_URL
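Both install scripts above percent-encode the username and token with safe="" before embedding them in PIP_EXTRA_INDEX_URL. The following added example (not part of the skill or the edi-security-agent package) shows why: it contrasts the unencoded and encoded URL as a URL parser sees them, and adds a redaction helper for error messages. The host and path are the page's; DEMO_USER and DEMO_TOKEN are constructed values.

```python
from urllib.parse import quote, unquote, urlsplit, urlunsplit

# Index location used by the page's install scripts.
INDEX_HOST = "centraluhg.jfrog.io"
INDEX_PATH = "/artifactory/api/pypi/mednet-batch-edi-pypi-vir/simple"

def naive_index_url(user, token):
    """Unencoded form: an '@', ':' or '/' inside a credential changes how the URL is parsed."""
    return f"https://{user}:{token}@{INDEX_HOST}{INDEX_PATH}"

def build_index_url(user, token):
    """Percent-encode both credential parts with safe='' so no character can alter the URL structure."""
    return f"https://{quote(user, safe='')}:{quote(token, safe='')}@{INDEX_HOST}{INDEX_PATH}"

def parse_index_url(url):
    """Return (user, token, host) the way a URL parser such as pip's would see them."""
    parts = urlsplit(url)
    user = unquote(parts.username) if parts.username is not None else None
    token = unquote(parts.password) if parts.password is not None else None
    return user, token, parts.hostname

def redact_index_url(url):
    """Drop the userinfo so the index URL can be shown in an error message without the token."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.hostname or "", parts.path, parts.query, ""))

# Constructed credentials containing characters that commonly appear in service-account names and tokens.
DEMO_USER = "svc.agent@example.com"
DEMO_TOKEN = "abc/123:x+y"

if __name__ == "__main__":
    # The naive URL is parsed with host "example.com" and part of the token in the path;
    # the encoded URL round-trips both values and resolves to the real index host.
    print("naive host:", parse_index_url(naive_index_url(DEMO_USER, DEMO_TOKEN))[2])
    print("encoded host:", parse_index_url(build_index_url(DEMO_USER, DEMO_TOKEN))[2])
    print("redacted:", redact_index_url(build_index_url(DEMO_USER, DEMO_TOKEN)))
```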
- Verify the package install before asking for .env values:
cd ~/security-agent
.venv/bin/edi-security-agent --version
- After edi-security-agent --version succeeds, ask the user to create or update ~/security-agent/.env locally. Do not ask them to paste runtime secrets into chat.
cd ~/security-agent
vi .env
Minimum Azure Defender configuration:
AZURE_SUBSCRIPTION_ID=
AZURE_REGISTRY_NAME=
AZURE_ASSESSMENT_KEY=
VULN_SOURCE=azure
Optional configuration:
GITHUB_TOKEN=
GITHUB_ORG=
OPENAI_CLIENT_ID=
OPENAI_CLIENT_SECRET=
OPENAI_TOKEN_ENDPOINT=
OPENAI_SCOPE=
OPENAI_API_ENDPOINT=
OPENAI_PROJECT_ID=
OPENAI_MODEL=
Do not add JFrog or Artifactory values to this file. They are only needed for package installation, not for running edi-security-agent.
- After .env is saved, verify Azure login and Defender discovery:
az login
cd ~/security-agent
.venv/bin/edi-security-agent defender list --severity high
- Start the packaged local UI when requested:
cd ~/security-agent
.venv/bin/edi-security-agent-ui
Validation Expectations
- Azure Defender discovery requires AZURE_REGISTRY_NAME and AZURE_ASSESSMENT_KEY. AZURE_SUBSCRIPTION_ID is strongly recommended for predictable results.
- GITHUB_TOKEN and GITHUB_ORG are required for --apply, PR creation, and CCA workflows.
- OPENAI_* values are required for natural-language chat and LLM fallback. They are not required for basic Defender listing.
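A local check for the .env rules above (the template in the Setup Workflow and these Validation Expectations), added here as an example and not part of the skill or the package: it parses a dotenv-style file, flags install-time JFrog/Artifactory values that must not be there, confirms the Azure Defender minimum, and reports which workflows the file enables. SAMPLE_ENV is a constructed file with typical first-setup mistakes; the marker strings used to spot Artifactory URLs are an assumption.

```python
# Key sets taken from the page's .env template and its Validation Expectations.
REQUIRED_AZURE = ("AZURE_REGISTRY_NAME", "AZURE_ASSESSMENT_KEY")
GITHUB_KEYS = ("GITHUB_TOKEN", "GITHUB_ORG")
OPENAI_KEYS = ("OPENAI_CLIENT_ID", "OPENAI_CLIENT_SECRET", "OPENAI_TOKEN_ENDPOINT", "OPENAI_SCOPE",
               "OPENAI_API_ENDPOINT", "OPENAI_PROJECT_ID", "OPENAI_MODEL")
# Install-time pip credentials and index-URL markers (assumed) that must never land in runtime config.
FORBIDDEN_KEYS = ("JFROG_USER", "JFROG_TOKEN", "PIP_EXTRA_INDEX_URL")
FORBIDDEN_MARKERS = ("jfrog.io", "artifactory")

def parse_env(text):
    """Parse dotenv-style KEY=VALUE lines; blank lines and # comments are ignored."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("'\"")
    return env

def check_env(text):
    """Return (errors, warnings, features) for the contents of ~/security-agent/.env."""
    env = parse_env(text)
    errors = [f"{k} is an install-time pip credential; remove it from .env" for k in FORBIDDEN_KEYS if k in env]
    errors += [f"{k} holds an Artifactory/JFrog URL; remove it from .env" for k, v in env.items()
               if any(m in v.lower() for m in FORBIDDEN_MARKERS)]
    errors += [f"{k} is required for Azure Defender discovery" for k in REQUIRED_AZURE if not env.get(k)]
    warnings = []
    if not env.get("AZURE_SUBSCRIPTION_ID"):
        warnings.append("AZURE_SUBSCRIPTION_ID is empty; set it for predictable results")
    if env.get("VULN_SOURCE", "azure") != "azure":
        warnings.append("VULN_SOURCE is not 'azure'; the Defender template sets VULN_SOURCE=azure")
    features = {  # which page-described workflows this file enables
        "defender_listing": all(env.get(k) for k in REQUIRED_AZURE),
        "github_apply_pr_cca": all(env.get(k) for k in GITHUB_KEYS),
        "openai_chat_llm_fallback": all(env.get(k) for k in OPENAI_KEYS),
    }
    return errors, warnings, features

# Constructed sample with two first-setup mistakes: an empty subscription id and a pasted JFrog token.
SAMPLE_ENV = """AZURE_SUBSCRIPTION_ID=
AZURE_REGISTRY_NAME=exampleregistry
AZURE_ASSESSMENT_KEY=example-assessment-key
VULN_SOURCE=azure
GITHUB_TOKEN=ghp_placeholder
GITHUB_ORG=example-org
JFROG_TOKEN=placeholder-token
"""
```

Run check_env on the real file's contents before the defender list step; a non-empty errors list means the file mixes install-time and runtime configuration or is missing the Defender minimum.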
Safety
- Never commit, persist, print, or summarize secrets.
- If a user pastes an Artifactory token into chat, use it only for the explicitly accepted stdin-forwarding install flow and advise token rotation after setup.
- Never include personal Artifactory tokens in instructions.
- Do not persist Artifactory credentials in pip config by default.
- Do not put JFrog or Artifactory credentials in ~/security-agent/.env.
- Never place the Artifactory token in a shell command string, file, .env, or pip config.
- Keep setup local to ~/security-agent.
- If the user asks for discovery, fixes, CCA, or UI operations after setup, switch to the matching security-agent-* workflow skill.
Related Assets
security-agent-discovery
Discover, inspect, import, refresh, and export Security Agent vulnerability data from a pip-installed setup. Use when Codex needs to list Azure Defender findings, filter by repo/severity/CVE/fixable state, refresh the local UI vulnerability cache, import Security Platform findings through explicit cookie and DPoP values, or explain discovery-only workflows without cloning the controller repo.
Owner: edi-security-agent
security-agent-cca-fix
Run or explain Security Agent remediation through GitHub Copilot Cloud Agent from a pip-installed setup. Use when Codex needs to use --executor cca or --executor auto, create remote Copilot/CCA remediation tasks, reason about CCA budget/status, or compare local Codex execution with remote GitHub Cloud Agent execution without cloning the controller repo.
Owner: edi-security-agent
security-agent-local-fix
Run local Security Agent remediation from a pip-installed setup with the Codex executor. Use when Codex needs to plan or execute edi-security-agent defender fix with --executor codex or --executor local, dry-run Maven CVE remediation, apply local fixes, create Git branches/PRs, or explain the local autonomous Codex remediation path without cloning the controller repo.
Owner: edi-security-agent
security-agent-ui-runs
Operate the Security Agent local FastAPI/UI workflow from a pip-installed setup. Use when Codex needs to start or inspect edi-security-agent-ui, refresh vulnerability data in the local SQLite cache, use the natural-language chat workflow, create/monitor/cancel UI runs, or explain local dashboard run behavior without cloning the controller repo.
Owner: edi-security-agent