diff --git a/README.md b/README.md index f720f62..4d0612b 100644 --- a/README.md +++ b/README.md @@ -4,9 +4,9 @@ This repository contains example taskflows to use with the [SecLab Taskflow Agen ## Running with docker script -The recommended way of running the taskflows in this repo is by creating a codespace, and running the script [`run_seclab_agent.sh`](https://github.com/GitHubSecurityLab/seclab-taskflows/blob/main/src/run_seclab_agent.sh) to run a docker container of the `seclab-taskflow-agent` as outlined [here](https://github.com/GitHubSecurityLab/seclab-taskflow-agent/tree/main?tab=readme-ov-file#deploying-from-docker). Note that this script needs to be run from the `src` directory, and the `.env` file with the environment variables for the custom MCP servers to store data needs to be in the same directory. +The recommended way of running the taskflows in this repo is by creating a codespace, and running the script [`run_seclab_agent.sh`](scripts/run_seclab_agent.sh) to run a docker container of the `seclab-taskflow-agent` as outlined [here](https://github.com/GitHubSecurityLab/seclab-taskflow-agent/tree/main?tab=readme-ov-file#deploying-from-docker). Note that this script needs to be run from the main directory of the repo, and the `.env` file with the environment variables for the custom MCP servers to store data needs to be in the same directory. -First, create a directory named `data` and a `.env` file in the `src` directory. For [`run_seclab_agent.sh`](https://github.com/GitHubSecurityLab/seclab-taskflows/blob/main/src/run_seclab_agent.sh) you can use: +First, create a `.env` file in the main directory of the repo. For [`run_seclab_agent.sh`](scripts/run_seclab_agent.sh) you can use: ``` MEMCACHE_STATE_DIR=/app/data @@ -16,7 +16,7 @@ LOG_DIR=/app/logs ``` -The `MEMCACHE_STATE_DIR` is needed to persist some intermediate data in the memcache, `DATA_DIR` is needed for various mcp servers to store intermediate results, and `LOG_DIR` is used to store log files generated by the servers. These can be set in a `.env` file in the `src` directory. If no environment variables are set for the custom MCP servers, relevant folders will be created automatically. The location depends on the platform, and is set by [`platformdirs`](https://pypi.org/project/platformdirs/). +The `MEMCACHE_STATE_DIR` is needed to persist some intermediate data in the memcache, `DATA_DIR` is needed for various mcp servers to store intermediate results, and `LOG_DIR` is used to store log files generated by the servers. These can be set in a `.env` file in the main directory. If no environment variables are set for the custom MCP servers, relevant folders will be created automatically. The location depends on the platform, and is set by [`platformdirs`](https://pypi.org/project/platformdirs/). In addition, AI API endpoints and secrets also need to be configured via [environment variables or Codespace secrets](https://github.com/GitHubSecurityLab/seclab-taskflow-agent?tab=readme-ov-file#configuration). In particular, the environment variables `AI_API_TOKEN` and `AI_API_ENDPOINT` need to be set to the appropriate AI API endpoints and credentials. If not set, the default `AI_API_ENDPOINT` is GitHub models: @@ -31,7 +31,6 @@ Individual taskflows may need additional setup, please refer to the `README.md` After setting the relevant env vars, run an example taskflow with: ```bash -cd src ./run_seclab_agent.sh -t seclab_taskflows.taskflows.audit.ghsa_variant_analysis_demo -g repo=github/cmark-gfm -g ghsa=GHSA-c944-cv5f-hpvr ``` diff --git a/scripts/audit/run_audit.sh b/scripts/audit/run_audit.sh new file mode 100755 index 0000000..e155d36 --- /dev/null +++ b/scripts/audit/run_audit.sh @@ -0,0 +1,16 @@ +#!/bin/bash +# SPDX-FileCopyrightText: 2025 GitHub +# SPDX-License-Identifier: MIT + +set -e + +if [ -z "$1" ]; then + echo "Usage: $0 "; + exit 1; +fi + +python -m seclab_taskflow_agent -t seclab_taskflows.taskflows.audit.fetch_source_code -g repo=$1 +python -m seclab_taskflow_agent -t seclab_taskflows.taskflows.audit.identify_applications -g repo=$1 +python -m seclab_taskflow_agent -t seclab_taskflows.taskflows.audit.gather_web_entry_point_info -g repo=$1 +python -m seclab_taskflow_agent -t seclab_taskflows.taskflows.audit.classify_application_local -g repo=$1 +python -m seclab_taskflow_agent -t seclab_taskflows.taskflows.audit.audit_issue_local_iter -g repo=$1 diff --git a/scripts/run_seclab_agent.sh b/scripts/run_seclab_agent.sh new file mode 100755 index 0000000..fe08528 --- /dev/null +++ b/scripts/run_seclab_agent.sh @@ -0,0 +1,20 @@ +#!/bin/bash +# SPDX-FileCopyrightText: 2025 GitHub +# SPDX-License-Identifier: MIT + +if [ ! -f ".env" ]; then + touch ".env" +fi + +mkdir -p .local +mkdir -p logs +mkdir -p data + +# Note: this uses the trick described [here](https://unix.stackexchange.com/a/646335) +# to pass extra command line arguments into `bash -c`. +docker run -i \ + --mount type=bind,src="$PWD",dst=/app \ + --mount type=bind,src="./local",dst=/root/.local \ + -e GH_TOKEN="$GH_TOKEN" -e AI_API_TOKEN="$AI_API_TOKEN" --entrypoint /bin/bash \ + "ghcr.io/githubsecuritylab/seclab-taskflow-agent" \ + -c 'pip install -q -e /app && exec "$@"' this-is-bash-dollar-zero "$@" diff --git a/src/run_audit.sh b/src/run_audit.sh deleted file mode 100755 index b639bad..0000000 --- a/src/run_audit.sh +++ /dev/null @@ -1,16 +0,0 @@ -#!/bin/bash -# SPDX-FileCopyrightText: 2025 GitHub -# SPDX-License-Identifier: MIT - -set -e - -if [ -z "$1" ]; then - echo "Usage: $0 "; - exit 1; -fi - -./run_seclab_agent.sh -t seclab_taskflows.taskflows.audit.fetch_source_code -g repo=$1 -./run_seclab_agent.sh -t seclab_taskflows.taskflows.audit.identify_applications -g repo=$1 -./run_seclab_agent.sh -t seclab_taskflows.taskflows.audit.gather_web_entry_point_info -g repo=$1 -./run_seclab_agent.sh -t seclab_taskflows.taskflows.audit.classify_application_local -g repo=$1 -./run_seclab_agent.sh -t seclab_taskflows.taskflows.audit.audit_issue_local_iter -g repo=$1 \ No newline at end of file diff --git a/src/run_seclab_agent.sh b/src/run_seclab_agent.sh deleted file mode 100755 index 276a930..0000000 --- a/src/run_seclab_agent.sh +++ /dev/null @@ -1,13 +0,0 @@ -# SPDX-FileCopyrightText: 2025 GitHub -# SPDX-License-Identifier: MIT - -if [ ! -f ".env" ]; then - touch ".env" -fi - -mkdir -p logs -mkdir -p data - -docker run -i \ - --mount type=bind,src="$PWD",dst=/app \ - -e GH_TOKEN="$GH_TOKEN" -e AI_API_TOKEN="$AI_API_TOKEN" "ghcr.io/githubsecuritylab/seclab-taskflow-agent" "$@"