Conversation

@SevenThomas SevenThomas commented Jan 22, 2026

Summary by Sourcery

Document local EdgeScan usage and wire it into project scripts for development and automation.

New Features:

  • Add npm scripts to run EdgeScan scans via Docker and Apple Native Containers for both CI/agent and local development workflows.

Documentation:

  • Add introductory documentation for local EdgeScan setup, including usage instructions and prerequisites for macOS developers.

chore(knip): update ignoreBinaries to include 'container'
feat(package): add edgescan:agent script for local security scans
@SevenThomas SevenThomas requested a review from a team January 22, 2026 17:36
sourcery-ai bot commented Jan 22, 2026

Reviewer's Guide

Adds local EdgeScan security scanning support and documentation, including prerequisites for macOS containerization, API token and asset ID configuration, plus new npm scripts for CI/agent and local dev scans.

Sequence diagram for EdgeScan scans in dev and CI

sequenceDiagram
  actor Developer
  participant DevShell as Dev_shell
  participant CI as CI_pipeline
  participant Npm as pnpm_scripts
  participant Container as Container_runtime
  participant Image as edgescan_image
  participant EdgeScan as EdgeScan_API

  Developer->>DevShell: export ES_API_TOKEN
  Developer->>DevShell: export ES_ASSET_ID
  Developer->>Npm: pnpm run edgescan:dev
  Npm->>Container: start container run
  Container->>Image: launch edgescan/cicd-integration:latest
  Image->>EdgeScan: authenticate with ES_API_TOKEN
  Image->>EdgeScan: start scan for ES_ASSET_ID
  EdgeScan-->>Image: scan results
  Image-->>Developer: print results in terminal

  CI->>Npm: pnpm run edgescan:agent
  Npm->>Container: docker run edgescan/cicd-integration:latest
  Container->>Image: launch image
  Image->>EdgeScan: authenticate with ES_API_TOKEN
  Image->>EdgeScan: start scan for ES_ASSET_ID
  EdgeScan-->>Image: scan results
  Image-->>CI: return status for pipeline

File-Level Changes

Change: Document how to run local EdgeScan security scans and required prerequisites.
Details:
  • Add a new 'Local EdgeScan Setup' section explaining what EdgeScan is and how it differs from static analysis tools.
  • Document usage guidance, explicitly recommending the edgescan:dev script for local scans and prohibiting local use of the agent script.
  • Describe Apple Native Containers one-time setup steps for macOS, including installation, start, and status verification commands.
  • Document environment variable setup for ES_API_TOKEN and ES_ASSET_ID, including examples for shell export and persistence.
Files: apps/docs/docs/intro.md

Change: Add npm scripts to run EdgeScan for CI/agent and local development.
Details:
  • Add an edgescan:agent script that runs the official edgescan/cicd-integration Docker image with ES_API_TOKEN and ES_ASSET_ID for automated scans with a max risk threshold.
  • Add an edgescan:dev script that runs the same container via Apple Native Containers (container run) for local linux/amd64 scans.
  • Preserve existing Snyk script configuration and extend the scripts object without modifying existing behavior.
Files: package.json

Assessment against linked issues

Issue #339
  Objective: Add a new edgescan:dev script in package.json that runs the EdgeScan Docker image via Apple Native Containers on macOS for local development, requiring ES_API_TOKEN and using the DEV asset ID (hardcoded) as --asset-id.
  Explanation: The PR adds an edgescan:dev script that uses Apple Native Containers (container run) and passes --api-token $ES_API_TOKEN, but it uses an ES_ASSET_ID environment variable instead of hardcoding the DEV asset ID as required.

Issue #339
  Objective: Rename the existing Docker-based edgescan:run script to edgescan:agent in package.json, preserving its behavior for CI/CD and Copilot automation (not for local use).
  Explanation: The PR adds a new edgescan:agent script that runs the EdgeScan Docker image, but there is no removal or renaming of an existing edgescan:run script in the package.json diff. Therefore, the required rename from edgescan:run to edgescan:agent is not implemented in this change.

Issue #339
  Objective: Update documentation/Copilot instructions so that references to edgescan:run are changed to edgescan:agent and local usage of edgescan:dev on macOS is documented.
  Explanation: The PR adds documentation in apps/docs/docs/intro.md describing local EdgeScan setup and explicitly distinguishing edgescan:dev (local) from edgescan:agent (automation-only). However, there is no evidence in the diff of existing Copilot or other instructions referencing edgescan:run being updated to edgescan:agent, so this objective is only partially met and not fully addressed.

Possibly linked issues

  • #Implement EdgeScan Local Dev Command with Apple Native Containers (macOS): PR adds edgescan:dev using Apple Native Containers and edgescan:agent, plus docs—directly implementing the requested local dev setup.

@sourcery-ai sourcery-ai bot left a comment

Hey - I've left some high level feedback:

  • In intro.md, the fenced code block closing marker was changed from ``` to ```i, which will break markdown rendering and should be reverted to a plain triple backtick.
  • The new EdgeScan scripts and setup instructions are tightly coupled to macOS Apple Native Containers and bash-style environment variables; consider clarifying or guarding these for non-macOS/non-bash environments (e.g., documenting alternatives or adding OS checks in the scripts).
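As an added example, not the project's package.json scripts or Sourcery's code, here is the guard the review asks for, written as a POSIX sh wrapper: it picks the runtime by OS (Apple Native Containers on macOS, docker elsewhere), refuses to run when ES_API_TOKEN or ES_ASSET_ID is unset without ever printing their values, and only then launches edgescan/cicd-integration:latest. Assumed: both runtimes accept docker-style `run --rm --platform linux/amd64`, and the --api-token/--asset-id flags are as named in the PR; the max-risk-threshold option is left out because the page does not name it.

```shell
#!/bin/sh
# Added example wrapper around the EdgeScan container run (not the project's
# own script). Fails early and clearly outside the assumed macOS/bash setup.
# Assumption: `container` and `docker` both accept run --rm --platform.
set -u

IMAGE="edgescan/cicd-integration:latest"

# Choose the container runtime from an OS name (the output of `uname -s`):
# Apple Native Containers (`container`) on macOS, docker everywhere else.
select_runtime() {
  case "$1" in
    Darwin) echo container ;;
    *)      echo docker ;;
  esac
}

# Confirm both secrets are set and non-empty. Only the variable names are
# reported, never their values, so the token cannot leak into CI logs.
check_env() {
  missing=""
  [ -n "${ES_API_TOKEN:-}" ] || missing="$missing ES_API_TOKEN"
  [ -n "${ES_ASSET_ID:-}" ]  || missing="$missing ES_ASSET_ID"
  if [ -n "$missing" ]; then
    echo "edgescan: missing required variable(s):$missing" >&2
    return 1
  fi
  return 0
}

# Run the scan with the runtime chosen for this host. A missing runtime is a
# setup problem, so name the binary to install instead of failing obscurely.
run_scan() {
  runtime=$(select_runtime "$(uname -s)")
  command -v "$runtime" >/dev/null 2>&1 || {
    echo "edgescan: '$runtime' not found on PATH; install it or use the CI script" >&2
    return 2
  }
  check_env || return 1
  exec "$runtime" run --rm --platform linux/amd64 "$IMAGE" \
    --api-token "$ES_API_TOKEN" --asset-id "$ES_ASSET_ID"
}

# Only start a scan when explicitly asked, so the file can also be sourced.
case "${1:-}" in
  --run) run_scan ;;
esac
```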
Development

Successfully merging this pull request may close these issues.

Implement EdgeScan Local Dev Command with Apple Native Containers (macOS)

2 participants