
endorlabs/github-copilot-plugin

Endor Labs Developer AgentHQ Plugin

This repository contains a GitHub AgentHQ/Copilot plugin that packages a single Endor Labs Developer Edition (free) dependency and vulnerability intelligence agent.

The agent starts the Endor Labs MCP server with:

endorctl ai-tools mcp-server

This avoids cold-starting endorctl through npx, which can time out while downloading the Endor Labs binary. The AgentHQ runner must already have endorctl available on PATH.

This plugin uses the no-key Endor Labs Developer Edition MCP flow. It does not configure Endor Labs API credentials, tenant namespaces, or Enterprise authentication. It is scoped to public dependency and vulnerability intelligence tools and excludes repository scan, reachability, tenant-resource, and Enterprise-only tools.

Contents

.
├── plugin.json
├── agents/
│   └── main.agent.md
└── README.md

  • plugin.json declares the installable plugin package.
  • agents/main.agent.md is the main AgentHQ agent and includes the local stdio MCP server configuration.
  • The agent only exposes the three Developer Edition dependency and vulnerability tools from endor-cli-tools; it does not expose shell, file, edit, search, repository scan, tenant-resource, Enterprise, or GitHub platform tools.

Agent Capabilities

The endor-cli-tools MCP server enables:

  • check_dependency_for_vulnerabilities
  • check_dependency_for_risks
  • get_endor_vulnerability

The repository scan, tenant-resource get_resource, and Enterprise-only security_review tools are deliberately not enabled. In GitHub AgentHQ's headless runner, those flows can trigger namespace or browser-auth behavior; this plugin stays on the no-key Developer Edition path.

Developer Edition may use browser authentication in local IDEs on first use. This AgentHQ plugin avoids browser-auth and tenant-auth paths by exposing only the no-key dependency and vulnerability tools.

Copilot Cloud Agent MCP Configuration

The agent frontmatter already includes the MCP server configuration. For AgentHQ plugin testing, leave repository-level Copilot Cloud agent MCP configuration empty unless you are intentionally testing the MCP server outside this plugin.

Repository-level MCP configuration is processed after custom agent MCP configuration and can override or add servers. A stale repository-level MCP entry with the wrong command can make Copilot time out even when this plugin is correct.

If you are testing the MCP server outside the AgentHQ plugin, paste this JSON into the MCP configuration field under repository settings:

Settings -> Copilot -> Cloud agent -> MCP configuration

Do not add this JSON as an Agents variable or secret. GitHub does not allow variables or secrets with the GITHUB_ prefix, and GITHUB_COPILOT_MCP_JSON is an internal implementation detail, not a variable you should create manually.

Use the same server name as the agent frontmatter:

{
  "mcpServers": {
    "endor-cli-tools": {
      "type": "stdio",
      "command": "endorctl",
      "args": ["ai-tools", "mcp-server"],
      "tools": [
        "check_dependency_for_vulnerabilities",
        "check_dependency_for_risks",
        "get_endor_vulnerability"
      ]
    }
  }
}

The endor-cli-tools name matters because the agent enables tools with the endor-cli-tools/<tool-name> prefix.
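A check for the stale-entry problem described above, as an added example that is not part of this repository: it lints the text pasted into the repository-level MCP configuration field against the server name, command, and three-tool allowlist shown in this README. The function name and the sample entry are assumptions made for illustration.

```python
import json

# Expected values, copied from the README's MCP configuration.
SERVER = "endor-cli-tools"
COMMAND = "endorctl"
ARGS = ["ai-tools", "mcp-server"]
ALLOWED_TOOLS = {
    "check_dependency_for_vulnerabilities",
    "check_dependency_for_risks",
    "get_endor_vulnerability",
}


def lint_mcp_config(text):
    """Return a list of findings for an MCP configuration JSON string."""
    if not text.strip():
        return []  # empty field: nothing overrides the agent frontmatter
    try:
        config = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg}"]
    servers = config.get("mcpServers") if isinstance(config, dict) else None
    if not isinstance(servers, dict):
        return ["no mcpServers object"]
    findings = []
    if SERVER not in servers:
        findings.append(f"server {SERVER!r} is not defined")
    for name, entry in servers.items():
        if name != SERVER:
            findings.append(f"extra server {name!r} would be added to the agent")
        elif not isinstance(entry, dict):
            findings.append(f"server {name!r} is not an object")
        else:
            if entry.get("command") != COMMAND or entry.get("args") != ARGS:
                findings.append("command is not 'endorctl ai-tools mcp-server'")
            tools = entry.get("tools")
            if not isinstance(tools, list):
                findings.append("tools list is missing")
                continue
            extra = sorted(set(map(str, tools)) - ALLOWED_TOOLS)
            if extra:
                findings.append(f"tools outside the allowlist: {', '.join(extra)}")
    return findings


# Constructed sample of a stale repository-level entry (not from the project).
STALE = """{"mcpServers": {"endor-cli-tools": {"type": "stdio", "command": "npx",
  "args": ["-y", "endorctl", "ai-tools", "mcp-server"],
  "tools": ["check_dependency_for_risks", "security_review"]}}}"""

if __name__ == "__main__":
    print("\n".join(lint_mcp_config(STALE)) or "ok")
```

An empty result means the pasted configuration matches the agent frontmatter values shown in this README; any finding is a candidate cause for an override or timeout.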

AgentHQ Debugging

If AgentHQ still times out, enable verbose platform logs in the repository you use for testing:

Settings -> Secrets and variables -> Agents -> Variables
COPILOT_AGENT_DEBUG=true

In the next run, inspect verbose logs and logs.zip to confirm whether the failure occurs while starting endorctl, listing MCP tools, or invoking a specific Endor Labs tool.

If the timeout happens before MCP initialization, verify that endorctl --version succeeds in the AgentHQ runner environment. If endorctl is missing, preinstall it in the runner image or switch the MCP command back to npx -y endorctl, accepting the cold-start timeout risk.

{
  "mcpServers": {
    "endor-cli-tools": {
      "type": "stdio",
      "command": "endorctl",
      "args": ["ai-tools", "mcp-server"],
      "tools": [
        "check_dependency_for_vulnerabilities",
        "check_dependency_for_risks",
        "get_endor_vulnerability"
      ]
    }
  }
}

Local Testing

Install from this repository root:

copilot plugin install .

Verify it loaded:

copilot plugin list

Start a Copilot CLI session and check that the agent is available:

/agent

After editing plugin files, reinstall because Copilot caches installed plugin components:

copilot plugin install .

Uninstall the local plugin when finished:

copilot plugin uninstall endor-labs-developer

AgentHQ Setup

To wrap this plugin as a GitHub Agentic App:

  1. Make this repository public.
  2. Create or update a GitHub App and enable Agent features.
  3. Point the Agentic App at this repository.
  4. Set the SHA to the commit you want GitHub to load.
  5. Save the app configuration and trigger it from GitHub by assigning, mentioning, or selecting the app agent.

This repository should contain one plugin for the app identity. Future authentication work can add OIDC or other Endor Labs Enterprise configuration when needed.

Requirements

  • GitHub Copilot CLI or AgentHQ environment with plugin support.
  • endorctl available on PATH before MCP starts.
