
security-agent-setup

Set up Security Agent for users who have not cloned the controller repo. Use when Codex needs to create ~/security-agent, create a Python virtual environment, install the pip3 package edi-security-agent, explain private Artifactory package index setup when package install fails, verify edi-security-agent --version, guide local .env creation for Azure Defender and optional GitHub/OpenAI values, verify az login, or troubleshoot private package index configuration.

Status: active
IDE: codex
Version: 1.0.0
Owner: edi-security-agent
Tags: security, setup, pip, azure-defender, optum, edi, python, configuration

Security Agent Setup

Use this skill for first-time setup on a user's machine without cloning edi-security-agent-controller. The working directory is ~/security-agent, and the installed package provides the CLI and local UI.

Configuration Model

  • JFrog/Artifactory credentials are install-time pip credentials only.
  • ~/security-agent/.env is runtime Security Agent configuration only.
  • Do not put JFROG_USER, JFROG_TOKEN, PIP_EXTRA_INDEX_URL, or Artifactory URLs in ~/security-agent/.env.
  • The Codex Shell output panel is not a user input terminal. If a command waits at an Artifactory username: prompt, the user cannot type into that shell directly from chat.
  • Users may opt in to paste Artifactory credentials into chat so Codex can forward them to the owned shell session through stdin. Treat this as a convenience path with explicit token-in-chat risk.
  • Package index config is pip-specific. A pip3 config --site change on the system Python does not apply to ~/security-agent/.venv/bin/pip3.

Setup Workflow

  1. Create the workspace and virtual environment, then try the normal package install:

mkdir -p ~/security-agent
cd ~/security-agent
python3 -m venv .venv
.venv/bin/pip3 install edi-security-agent

  2. If package installation fails because the internal package index is not configured, stop the failed install and explain the opt-in credential flow. Tell the user that normal chat text does not type into the shell prompt, but Codex can forward pasted credentials to a shell session it owns. Ask the user to paste credentials only in this exact format:

I accept token-in-chat risk.
JFROG_USER=<username>
JFROG_TOKEN=<token>

Do not proceed unless the acceptance sentence is present.

If the user says the package installs with plain pip3, explain that the setup uses the virtualenv pip at ~/security-agent/.venv/bin/pip3. The package must be installed into that virtualenv, and any --site pip config must be set with .venv/bin/pip3 config --site, not system pip3 config --site.

  3. After the user opts in, start a shell session that reads the username and token from stdin. Do not put either value in the command string. Forward only the raw username and token lines to stdin.

Use this command for the owned shell session:

# Keep xtrace off so no shell trace line ever echoes the token.
set +x
cd ~/security-agent
test -d .venv || python3 -m venv .venv

# Read the two credential lines from stdin with terminal echo disabled;
# the EXIT trap restores echo even if the session is interrupted.
restore_echo() { stty echo 2>/dev/null || true; }
trap restore_echo EXIT
stty -echo 2>/dev/null || true
IFS= read -r JFROG_USER
IFS= read -r JFROG_TOKEN
restore_echo
trap - EXIT

# Build the authenticated index URL from the environment, never from the command
# line; both values are percent-encoded so reserved characters cannot break the URL.
export JFROG_USER
export JFROG_TOKEN
export PIP_EXTRA_INDEX_URL=$(
python3 - <<'PY'
from urllib.parse import quote
import os

user = quote(os.environ["JFROG_USER"], safe="")
token = quote(os.environ["JFROG_TOKEN"], safe="")
print(f"https://{user}:{token}@centraluhg.jfrog.io/artifactory/api/pypi/mednet-batch-edi-pypi-vir/simple")
PY
)

# Quiet install into the virtualenv; capture the status before the credentials are cleared.
.venv/bin/pip3 install --quiet --disable-pip-version-check edi-security-agent
INSTALL_STATUS=$?

unset JFROG_USER
unset JFROG_TOKEN
unset PIP_EXTRA_INDEX_URL
exit "$INSTALL_STATUS"

Forward stdin to that command exactly as:

<username>
<token>

Do not print, repeat, summarize, save, or transform the pasted token. Do not use verbose pip output. After successful setup, advise the user to rotate the Artifactory token because it was pasted into chat.

  4. If the user does not accept token-in-chat risk, show this fallback for the user's own terminal instead:

cd ~/security-agent
test -d .venv || python3 -m venv .venv

printf "Artifactory username: "
IFS= read -r JFROG_USER
printf "Artifactory token: "
# Echo is disabled while the token is typed so it never appears on screen.
stty -echo
IFS= read -r JFROG_TOKEN
stty echo
printf "\n"

# Same percent-encoded index URL as the owned-session flow; the token stays in the environment only.
export JFROG_USER
export JFROG_TOKEN
export PIP_EXTRA_INDEX_URL=$(
python3 - <<'PY'
from urllib.parse import quote
import os

user = quote(os.environ["JFROG_USER"], safe="")
token = quote(os.environ["JFROG_TOKEN"], safe="")
print(f"https://{user}:{token}@centraluhg.jfrog.io/artifactory/api/pypi/mednet-batch-edi-pypi-vir/simple")
PY
)

.venv/bin/pip3 install --quiet --disable-pip-version-check edi-security-agent

unset JFROG_USER
unset JFROG_TOKEN
unset PIP_EXTRA_INDEX_URL

  5. Verify the package install before asking for .env values:

cd ~/security-agent
.venv/bin/edi-security-agent --version

  6. After edi-security-agent --version succeeds, ask the user to create or update ~/security-agent/.env locally. Do not ask them to paste runtime secrets into chat.

cd ~/security-agent
vi .env

Minimum Azure Defender configuration:

AZURE_SUBSCRIPTION_ID=
AZURE_REGISTRY_NAME=
AZURE_ASSESSMENT_KEY=
VULN_SOURCE=azure

Optional configuration:

GITHUB_TOKEN=
GITHUB_ORG=
OPENAI_CLIENT_ID=
OPENAI_CLIENT_SECRET=
OPENAI_TOKEN_ENDPOINT=
OPENAI_SCOPE=
OPENAI_API_ENDPOINT=
OPENAI_PROJECT_ID=
OPENAI_MODEL=

Do not add JFrog or Artifactory values to this file. They are only needed for package installation, not for running edi-security-agent.

  7. After .env is saved, verify Azure login and Defender discovery:

az login
cd ~/security-agent
.venv/bin/edi-security-agent defender list --severity high

  8. Start the packaged local UI when requested:

cd ~/security-agent
.venv/bin/edi-security-agent-ui
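An added post-setup check (example code, not part of the edi-security-agent skill or package) covering both the Configuration Model rules and the verification steps above: it confirms that ~/security-agent/.env carries the minimum Azure Defender keys and no install-time Artifactory values, and that the virtualenv pip config persists no credentialed index URL. The sample .env lines and the SECURITY_AGENT_HOME override are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the edi-security-agent skill: post-setup checks for the
# runtime .env and the virtualenv pip config. Sample values below are constructed.

# .env must carry the minimum Azure Defender keys and none of the install-time values.
check_env_file() {
  env_file=$1
  status=0
  for key in AZURE_REGISTRY_NAME AZURE_ASSESSMENT_KEY VULN_SOURCE; do
    grep -Eq "^${key}=.+" "$env_file" || { echo "missing or empty: $key"; status=1; }
  done
  grep -Eq "^AZURE_SUBSCRIPTION_ID=.+" "$env_file" \
    || echo "warning: AZURE_SUBSCRIPTION_ID is empty (strongly recommended)"
  # JFrog/Artifactory values are pip install-time credentials only (comment lines are ignored).
  if grep -Eiq '^(JFROG_USER|JFROG_TOKEN|PIP_EXTRA_INDEX_URL)=|^[^#].*(jfrog\.io|artifactory)' "$env_file"; then
    echo "install-time Artifactory values found in $env_file"
    status=1
  fi
  return "$status"
}

# Reads `pip3 config list` output on stdin; fails if any index URL embeds user:token@.
check_pip_config() {
  ! grep -Eq '://[^/@[:space:]]+:[^/@[:space:]]+@'
}

# Constructed sample: a .env that breaks the model (missing key, JFrog token present).
sample=$(mktemp)
printf 'AZURE_REGISTRY_NAME=sampleacr\nVULN_SOURCE=azure\nJFROG_TOKEN=placeholder\n' > "$sample"
check_env_file "$sample" || echo "sample .env rejected as expected"
rm -f "$sample"

# Real workspace (paths per the skill; SECURITY_AGENT_HOME is an assumed override for testing).
workspace=${SECURITY_AGENT_HOME:-$HOME/security-agent}
if [ -f "$workspace/.env" ]; then
  check_env_file "$workspace/.env" && echo ".env OK"
fi
if [ -x "$workspace/.venv/bin/pip3" ]; then
  if "$workspace/.venv/bin/pip3" config list 2>/dev/null | check_pip_config; then
    echo "venv pip config OK"
  else
    echo "venv pip config embeds credentials in an index URL"
  fi
fi
```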

Validation Expectations

  • Azure Defender discovery requires AZURE_REGISTRY_NAME and AZURE_ASSESSMENT_KEY.
  • AZURE_SUBSCRIPTION_ID is strongly recommended for predictable results.
  • GITHUB_TOKEN and GITHUB_ORG are required for --apply, PR creation, and CCA workflows.
  • OPENAI_* values are required for natural-language chat and LLM fallback. They are not required for basic Defender listing.

Safety

  • Never commit, persist, print, or summarize secrets.
  • If a user pastes an Artifactory token into chat, use it only for the explicitly accepted stdin-forwarding install flow and advise token rotation after setup.
  • Never include personal Artifactory tokens in instructions.
  • Do not persist Artifactory credentials in pip config by default.
  • Do not put JFrog or Artifactory credentials in ~/security-agent/.env.
  • Never place the Artifactory token in a shell command string, file, .env, or pip config.
  • Keep setup local to ~/security-agent.
  • If the user asks for discovery, fixes, CCA, or UI operations after setup, switch to the matching security-agent-* workflow skill.

Related Assets

security-agent-discovery (active; owner: edi-security-agent)
Discover, inspect, import, refresh, and export Security Agent vulnerability data from a pip-installed setup. Use when Codex needs to list Azure Defender findings, filter by repo/severity/CVE/fixable state, refresh the local UI vulnerability cache, import Security Platform findings through explicit cookie and DPoP values, or explain discovery-only workflows without cloning the controller repo.

security-agent-cca-fix (active; owner: edi-security-agent)
Run or explain Security Agent remediation through GitHub Copilot Cloud Agent from a pip-installed setup. Use when Codex needs to use --executor cca or --executor auto, create remote Copilot/CCA remediation tasks, reason about CCA budget/status, or compare local Codex execution with remote GitHub Cloud Agent execution without cloning the controller repo.

security-agent-local-fix (active; owner: edi-security-agent)
Run local Security Agent remediation from a pip-installed setup with the Codex executor. Use when Codex needs to plan or execute edi-security-agent defender fix with --executor codex or --executor local, dry-run Maven CVE remediation, apply local fixes, create Git branches/PRs, or explain the local autonomous Codex remediation path without cloning the controller repo.

security-agent-ui-runs (active; owner: edi-security-agent)
Operate the Security Agent local FastAPI/UI workflow from a pip-installed setup. Use when Codex needs to start or inspect edi-security-agent-ui, refresh vulnerability data in the local SQLite cache, use the natural-language chat workflow, create/monitor/cancel UI runs, or explain local dashboard run behavior without cloning the controller repo.

Super-Linter Configuration Generator (active; owner: epic-platform-sre)
Generate and configure GitHub Super-Linter setup including workflow files, environment configuration, and pre-commit hooks for new or existing repositories.

MCP Server Development Standards (Optum) (experimental; owner: epic-platform-sre)
Standards, patterns, and guardrails for building Model Context Protocol (MCP) servers compatible with Wall-E, VS Code Copilot, and enterprise systems.