From c51860395a40b49539028aa84d446eb4ac5c8b05 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse
Date: Tue, 27 Jan 2026 21:13:13 +0000
Subject: [PATCH 1/6] Change scripts so that they work from the main directory of the repo.
---
 src/run_audit.sh | 10 +++++-----
 src/run_seclab_agent.sh | 6 ++++--
 2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/src/run_audit.sh b/src/run_audit.sh
index b639bad..e155d36 100755
--- a/src/run_audit.sh
+++ b/src/run_audit.sh
@@ -9,8 +9,8 @@ if [ -z "$1" ]; then
 exit 1;
 fi
-./run_seclab_agent.sh -t seclab_taskflows.taskflows.audit.fetch_source_code -g repo=$1
-./run_seclab_agent.sh -t seclab_taskflows.taskflows.audit.identify_applications -g repo=$1
-./run_seclab_agent.sh -t seclab_taskflows.taskflows.audit.gather_web_entry_point_info -g repo=$1
-./run_seclab_agent.sh -t seclab_taskflows.taskflows.audit.classify_application_local -g repo=$1
-./run_seclab_agent.sh -t seclab_taskflows.taskflows.audit.audit_issue_local_iter -g repo=$1
\ No newline at end of file
+python -m seclab_taskflow_agent -t seclab_taskflows.taskflows.audit.fetch_source_code -g repo=$1
+python -m seclab_taskflow_agent -t seclab_taskflows.taskflows.audit.identify_applications -g repo=$1
+python -m seclab_taskflow_agent -t seclab_taskflows.taskflows.audit.gather_web_entry_point_info -g repo=$1
+python -m seclab_taskflow_agent -t seclab_taskflows.taskflows.audit.classify_application_local -g repo=$1
+python -m seclab_taskflow_agent -t seclab_taskflows.taskflows.audit.audit_issue_local_iter -g repo=$1
diff --git a/src/run_seclab_agent.sh b/src/run_seclab_agent.sh
index 276a930..d1897bf 100755
--- a/src/run_seclab_agent.sh
+++ b/src/run_seclab_agent.sh
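Review bot: Each of the five new `python -m seclab_taskflow_agent ... -g repo=$1` lines leaves `$1` unquoted, so a repository argument containing whitespace or glob characters is word-split or expanded before it reaches the agent; write `-g repo="$1"` on every line. The stages also run unconditionally one after another, so if `fetch_source_code` fails the remaining four still execute against whatever is on disk — a `set -e` near the top of the script (outside this hunk) or `|| exit 1` on each line would stop at the first failure. The hunk also switches from the docker wrapper to invoking the module directly, which presumably only works where `seclab_taskflow_agent` is installed (e.g. inside the container); a header comment such as `# Run inside the seclab-taskflow-agent container, e.g. via run_seclab_agent.sh` would record that assumption.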
@@ -6,8 +6,10 @@ if [ ! -f ".env" ]; then
 fi
 mkdir -p logs
-mkdir -p data
 docker run -i \
 --mount type=bind,src="$PWD",dst=/app \
- -e GH_TOKEN="$GH_TOKEN" -e AI_API_TOKEN="$AI_API_TOKEN" "ghcr.io/githubsecuritylab/seclab-taskflow-agent" "$@"
+ --mount type=bind,src="./logs",dst=/root/.local \
+ -e GH_TOKEN="$GH_TOKEN" -e AI_API_TOKEN="$AI_API_TOKEN" --entrypoint /bin/bash \
+ "ghcr.io/githubsecuritylab/seclab-taskflow-agent" \
+ -c "pip install -q -e /app ; $*"
From 51dd8dd863116ef81308f5693bc372150ceb317a Mon Sep 17 00:00:00 2001
From: Kevin Backhouse
Date: Tue, 27 Jan 2026 21:13:45 +0000
Subject: [PATCH 2/6] Move scripts to their own directory.
---
 {src => scripts/audit}/run_audit.sh | 0
 {src => scripts}/run_seclab_agent.sh | 0
 2 files changed, 0 insertions(+), 0 deletions(-)
 rename {src => scripts/audit}/run_audit.sh (100%)
 rename {src => scripts}/run_seclab_agent.sh (100%)
diff --git a/src/run_audit.sh b/scripts/audit/run_audit.sh
similarity index 100%
rename from src/run_audit.sh
rename to scripts/audit/run_audit.sh
diff --git a/src/run_seclab_agent.sh b/scripts/run_seclab_agent.sh
similarity index 100%
rename from src/run_seclab_agent.sh
rename to scripts/run_seclab_agent.sh
From 263712d0e63f99fbad2435933afb2b2dd3d9880b Mon Sep 17 00:00:00 2001
From: Kevin Backhouse
Date: Tue, 27 Jan 2026 21:48:14 +0000
Subject: [PATCH 3/6] Better argument passing to bash.
---
 scripts/run_seclab_agent.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/scripts/run_seclab_agent.sh b/scripts/run_seclab_agent.sh
index d1897bf..081a4ad 100755
--- a/scripts/run_seclab_agent.sh
+++ b/scripts/run_seclab_agent.sh
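Review bot: The new `docker run -i` invocation still has no `--rm`, so each run leaves a stopped container whose configuration — readable with `docker inspect` — retains the `GH_TOKEN` and `AI_API_TOKEN` values passed via `-e`; add `--rm` next to `-i` so those credentials do not accumulate on the host. The added bind mount uses the relative source `src="./logs"` while the line above uses `src="$PWD"`; not every Docker release accepts a relative `--mount` source, so `src="$PWD/logs"` is both safer and consistent with the existing mount. The `-c "pip install -q -e /app ; $*"` form joins the caller's arguments into a string that the container shell re-parses, so any argument containing spaces or shell metacharacters is re-split or interpreted (PATCH 3/6 in this series replaces it with the `"$@"` idiom, so this is noted for the record rather than as a new request).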
@@ -7,9 +7,11 @@ fi
 mkdir -p logs
+# Note: this uses the trick described [here](https://unix.stackexchange.com/a/646335)
+# to pass extra command line arguments into `bash -c`.
 docker run -i \
 --mount type=bind,src="$PWD",dst=/app \
 --mount type=bind,src="./logs",dst=/root/.local \
 -e GH_TOKEN="$GH_TOKEN" -e AI_API_TOKEN="$AI_API_TOKEN" --entrypoint /bin/bash \
 "ghcr.io/githubsecuritylab/seclab-taskflow-agent" \
- -c "pip install -q -e /app ; $*"
+ -c 'pip install -q -e /app ; exec "$@"' this-is-bash-dollar-zero "$@"
From 8e2ec44982fedfda746b6e683d24c1becac5fd54 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse
Date: Wed, 28 Jan 2026 12:47:48 +0000
Subject: [PATCH 4/6] Update scripts/run_seclab_agent.sh
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 scripts/run_seclab_agent.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/run_seclab_agent.sh b/scripts/run_seclab_agent.sh
index 081a4ad..96f00d7 100755
--- a/scripts/run_seclab_agent.sh
+++ b/scripts/run_seclab_agent.sh
@@ -14,4 +14,4 @@ docker run -i \
 --mount type=bind,src="./logs",dst=/root/.local \
 -e GH_TOKEN="$GH_TOKEN" -e AI_API_TOKEN="$AI_API_TOKEN" --entrypoint /bin/bash \
 "ghcr.io/githubsecuritylab/seclab-taskflow-agent" \
- -c 'pip install -q -e /app ; exec "$@"' this-is-bash-dollar-zero "$@"
+ -c 'pip install -q -e /app && exec "$@"' this-is-bash-dollar-zero "$@"
From 9f8fc90f8d362865c7b8f7370bc771d2c67c828d Mon Sep 17 00:00:00 2001
From: Kevin Backhouse
Date: Wed, 28 Jan 2026 12:48:49 +0000
Subject: [PATCH 5/6] Add shebang to run_seclab_agent.sh
---
 scripts/run_seclab_agent.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/scripts/run_seclab_agent.sh b/scripts/run_seclab_agent.sh
index 96f00d7..b0510c1 100755
--- a/scripts/run_seclab_agent.sh
+++ b/scripts/run_seclab_agent.sh
@@ -1,3 +1,4 @@
+#!/bin/bash
 # SPDX-FileCopyrightText: 2025 GitHub
 # SPDX-License-Identifier: MIT
From 434df1c96149e965cce1a01755dcd50f3f223459 Mon Sep 17 00:00:00 2001
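Review bot: The image reference `"ghcr.io/githubsecuritylab/seclab-taskflow-agent"` carries no tag or digest, so every run pulls whatever `:latest` resolves to at that moment, and that unpinned code is then handed `GH_TOKEN` and `AI_API_TOKEN` and runs `pip install -q -e /app` plus the caller's command; pinning a tag or, better, an `@sha256:` digest makes the code that receives those tokens reproducible and reviewable. Separately, when the wrapper is invoked with no arguments `"$@"` is empty and the inner `exec "$@"` degrades to a bare `exec`, which is a no-op, so the container installs the package and exits 0 without running anything; a guard at the top of the script (outside this hunk) such as `[ $# -gt 0 ] || { echo "usage: $0 <agent args>" >&2; exit 2; }` turns that into a visible error. The placeholder `this-is-bash-dollar-zero` works, but `bash` or `_` is the conventional `$0` for this idiom and reads less like a typo.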
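Review bot: With the interpreter now explicit, the script still sets no failure mode, so a failing `mkdir -p` further down (outside this hunk) does not stop it from going on to start the container; adding `set -euo pipefail` on the line after `#!/bin/bash` makes the first failure terminate the wrapper. Note that `-u` would also turn an unset `GH_TOKEN` or `AI_API_TOKEN` into an error instead of silently passing an empty value into the container, which is the safer default for credentials — if either is genuinely optional, reference it as `"${GH_TOKEN:-}"` so that intent is explicit.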
From: Kevin Backhouse
Date: Wed, 28 Jan 2026 14:49:16 +0000
Subject: [PATCH 6/6] Update documentation
---
 README.md | 7 +++----
 scripts/run_seclab_agent.sh | 4 +++-
 2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index f720f62..4d0612b 100644
--- a/README.md
+++ b/README.md
@@ -4,9 +4,9 @@ This repository contains example taskflows to use with the [SecLab Taskflow Agen
 ## Running with docker script
-The recommended way of running the taskflows in this repo is by creating a codespace, and running the script [`run_seclab_agent.sh`](https://github.com/GitHubSecurityLab/seclab-taskflows/blob/main/src/run_seclab_agent.sh) to run a docker container of the `seclab-taskflow-agent` as outlined [here](https://github.com/GitHubSecurityLab/seclab-taskflow-agent/tree/main?tab=readme-ov-file#deploying-from-docker). Note that this script needs to be run from the `src` directory, and the `.env` file with the environment variables for the custom MCP servers to store data needs to be in the same directory.
+The recommended way of running the taskflows in this repo is by creating a codespace, and running the script [`run_seclab_agent.sh`](scripts/run_seclab_agent.sh) to run a docker container of the `seclab-taskflow-agent` as outlined [here](https://github.com/GitHubSecurityLab/seclab-taskflow-agent/tree/main?tab=readme-ov-file#deploying-from-docker). Note that this script needs to be run from the main directory of the repo, and the `.env` file with the environment variables for the custom MCP servers to store data needs to be in the same directory.
-First, create a directory named `data` and a `.env` file in the `src` directory. For [`run_seclab_agent.sh`](https://github.com/GitHubSecurityLab/seclab-taskflows/blob/main/src/run_seclab_agent.sh) you can use:
+First, create a `.env` file in the main directory of the repo. For [`run_seclab_agent.sh`](scripts/run_seclab_agent.sh) you can use:
 ```
 MEMCACHE_STATE_DIR=/app/data
@@ -16,7 +16,7 @@ LOG_DIR=/app/logs
 ```
-The `MEMCACHE_STATE_DIR` is needed to persist some intermediate data in the memcache, `DATA_DIR` is needed for various mcp servers to store intermediate results, and `LOG_DIR` is used to store log files generated by the servers. These can be set in a `.env` file in the `src` directory. If no environment variables are set for the custom MCP servers, relevant folders will be created automatically. The location depends on the platform, and is set by [`platformdirs`](https://pypi.org/project/platformdirs/).
+The `MEMCACHE_STATE_DIR` is needed to persist some intermediate data in the memcache, `DATA_DIR` is needed for various mcp servers to store intermediate results, and `LOG_DIR` is used to store log files generated by the servers. These can be set in a `.env` file in the main directory. If no environment variables are set for the custom MCP servers, relevant folders will be created automatically. The location depends on the platform, and is set by [`platformdirs`](https://pypi.org/project/platformdirs/).
 In addition, AI API endpoints and secrets also need to be configured via [environment variables or Codespace secrets](https://github.com/GitHubSecurityLab/seclab-taskflow-agent?tab=readme-ov-file#configuration). In particular, the environment variables `AI_API_TOKEN` and `AI_API_ENDPOINT` need to be set to the appropriate AI API endpoints and credentials. If not set, the default `AI_API_ENDPOINT` is GitHub models:
@@ -31,7 +31,6 @@ Individual taskflows may need additional setup, please refer to the `README.md`
 After setting the relevant env vars, run an example taskflow with:
 ```bash
-cd src
 ./run_seclab_agent.sh -t seclab_taskflows.taskflows.audit.ghsa_variant_analysis_demo -g repo=github/cmark-gfm -g ghsa=GHSA-c944-cv5f-hpvr
 ```
diff --git a/scripts/run_seclab_agent.sh b/scripts/run_seclab_agent.sh
index b0510c1..fe08528 100755
--- a/scripts/run_seclab_agent.sh
+++ b/scripts/run_seclab_agent.sh
@@ -6,13 +6,15 @@ if [ ! -f ".env" ]; then
 touch ".env"
 fi
+mkdir -p .local
 mkdir -p logs
+mkdir -p data
 # Note: this uses the trick described [here](https://unix.stackexchange.com/a/646335)
 # to pass extra command line arguments into `bash -c`.
 docker run -i \
 --mount type=bind,src="$PWD",dst=/app \
- --mount type=bind,src="./logs",dst=/root/.local \
+ --mount type=bind,src="./local",dst=/root/.local \
 -e GH_TOKEN="$GH_TOKEN" -e AI_API_TOKEN="$AI_API_TOKEN" --entrypoint /bin/bash \
 "ghcr.io/githubsecuritylab/seclab-taskflow-agent" \
 -c 'pip install -q -e /app && exec "$@"' this-is-bash-dollar-zero "$@"
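Review bot: The new `mkdir -p .local` and the new `--mount type=bind,src="./local",dst=/root/.local` refer to different paths — `.local` is a dot-directory, while `./local` is a plain `local` directory under the working directory that nothing in the script creates, and `--mount type=bind` does not create a missing source, so `docker run` is expected to fail with a missing bind source. Use one spelling for both, and an absolute path for consistency with `src="$PWD"` on the line above: keep `mkdir -p .local` and change the mount to `--mount type=bind,src="$PWD/.local",dst=/root/.local \`. Because `$PWD` is also mounted read-write at `/app`, the `data`, `logs` and `.local` directories are simultaneously visible under `/app/` inside the container, and `pip install -q -e /app` presumably runs as the image's root user, so on a Linux host the files it writes into the checkout will be root-owned; a short comment noting the double mount and that side effect would spare the next reader some confusion.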