/install gomboc-security-community
Gomboc Code Remediation Skill
Deterministic, merge-ready code fixes powered by ORL (Open Remediation Language).
Provenance & External Dependencies
Source: This skill wraps the official Gomboc.ai Community Edition code remediation engine.
Official Documentation: https://docs.gomboc.ai
Community Discussions: https://github.com/Gomboc-AI/gomboc-ai-feedback/discussions
GitHub App: https://github.com/apps/gomboc-ai-community
External API Dependency:
- Endpoint: https://api.app.gomboc.ai/graphql
- Authentication: Bearer token (Personal Access Token from https://app.gomboc.ai)
- Required: Free account at Gomboc.ai (no credit card)
- Setup: Generate token in Settings → Personal Access Tokens
Token Scope & Security (Least Privilege):
- Scope: Read-only API access (minimal required permissions)
- Capabilities: Query account, scans, runs, and fix events only
- Restrictions: Cannot modify, delete, or alter Gomboc configurations
- Safe for CI/CD: No destructive capabilities, suitable for GitHub Actions and workflow secrets
- Best Practice: Generate a dedicated token per environment/workflow; never commit to code
- Storage: Use GitHub Secrets (Actions) or CI provider's secure secret management
- Verification: Check token scope in Gomboc settings before use in production
Shipped Files:
SKILL.md— This documentationREADME.md— Quick start guideSECURITY.md— Security auditscripts/cli-wrapper.py— Python CLI wrapperscripts/docker-compose.yml— MCP server configurationexamples/vulnerable.tf— Example vulnerable codereferences/— Integration guides
License: MIT (see LICENSE.md)
Gomboc.ai Community Edition automatically scans and fixes code issues across your entire codebase — infrastructure, applications, configurations, and more — using a deterministic remediation engine (no hallucinations). Unlike traditional scanners that generate alerts, Gomboc delivers merge-ready pull requests that clear your code issues backlogs. This skill wraps Gomboc's power into agent workflows, CLI tools, and CI/CD pipelines, making it the perfect complement to agentic coding.
How Gomboc Works
Gomboc's Open Remediation Language (ORL) engine operates through a multi-stage deterministic process:
Policy Definition → Code Analysis → Deterministic Fix Generation → PR Delivery
- Understands your environment and code context
- Turns policies into executable rules using ORL
- Analyzes your code with full syntax-tree precision (via Tree-sitter)
- Generates deterministic fixes (same input = same output, always)
- Delivers merge-ready pull requests ready to review and ship
Key difference: While generative AI is probabilistic (helpful for reasoning but unpredictable), Gomboc's ORL provides deterministic remediation — predictable, repeatable, and auditable.
What It Does
- Scan any codebase for issues (infrastructure, application code, configs)
- Generate deterministic, merge-ready pull requests with fixes
- Remediate continuously via GitHub Actions or interactive CLI/MCP
- Trust 94%+ fix acceptance rate with zero hallucinations (ORL Engine)
- Pair with agents — deterministic remediation that works perfectly alongside agentic coding systems
Supported Languages & Frameworks
ORL supports remediation across multiple languages and code types via syntax-tree matching (Tree-sitter):
-
Infrastructure as Code
- Terraform (HCL)
- CloudFormation (YAML/JSON)
- Kubernetes manifests (YAML)
- Helm charts
-
Configuration Files
- JSON, YAML, HCL
- Shell scripts
- Docker files
-
Code Languages
- Python
- JavaScript/TypeScript
- Go, Java, C#, Rust, and 20+ more
-
Cloud Providers
- AWS, Azure, GCP, OCI
- Kubernetes, Helm
-
Policy Coverage
- CIS benchmarks
- AWS best practices
- Security hardening
- Custom org policies
Full language list: docker run --rm gombocai/orl language
Quick Start
1. Get a Token
# Sign up at https://app.gomboc.ai (free, Community Edition)
# Generate Personal Access Token in Settings
export GOMBOC_PAT="gpt_your_token"
2. Scan Code
python scripts/cli-wrapper.py scan --path ./src
3. Generate Fixes
python scripts/cli-wrapper.py fix --path ./src
4. Apply Fixes (Optional)
python scripts/cli-wrapper.py remediate --path ./src --commit
Key Features
✅ Deterministic AI — Same fix every time, no hallucinations ✅ 94%+ Accuracy — Merge-ready fixes users actually accept ✅ Free Forever — Community Edition of Gomboc.ai ✅ Production-Ready — Battle-tested implementation ✅ Secure by Design — No token leaking, proper error handling ✅ Agent-Friendly — Perfect for autonomous code improvement loops
CLI Commands
scan
Detect issues in your codebase
gomboc scan path:./terraform
gomboc scan path:./src policy:aws-cis format:markdown
fix
Generate merge-ready fixes
gomboc fix path:./terraform format:pull_request
gomboc fix path:./src format:json
remediate
Apply fixes directly to code
gomboc remediate path:./src commit:true
gomboc remediate path:./terraform commit:true push:true
config
Manage authentication
gomboc config --show-token
Why This Matters for Agents
Gomboc solves the determinism problem in AI-driven code improvement:
- Deterministic Fixes — ORL ensures same code always produces same fix (no randomness)
- Repeatable — Policies execute consistently across runs, repos, and teams
- Trustworthy — 94%+ merge rate because fixes are syntax-aware, not brittle regex patterns
- Safe for Agents — Agents can autonomously scan → generate → apply without human fear
- Continuous Improvement — Perfect for agentic loops: code generation → scanning → remediation → iterate
The Agent Workflow:
- Agent generates code
- Gomboc scans and identifies issues
- ORL generates deterministic fixes
- Agent reviews and applies fixes
- Repeat with next feature/iteration
This creates a feedback loop where agents learn and improve continuously.
Integration Methods
Gomboc integrates into your workflow through multiple paths:
1. VS Code / Cursor IDE (Developers)
Fastest way to try Gomboc interactively:
# Install: Gomboc VS Code Extension
# Set: GOMBOC_PAT in extension settings
# Run: Gomboc: Scan current file
# Review: Problems panel → Apply Fix
- Real-time scanning as you save
- Interactive fix review and apply
- See: https://docs.gomboc.ai/getting-started-ce
2. MCP Server (Agents)
Run the MCP server for agent integration:
docker-compose -f scripts/docker-compose.yml up
# Server runs on http://localhost:3100
# Or: docker run -p 3100:3100 -e GOMBOC_PAT='your_token' gombocai/mcp:latest
Agents interact with Gomboc via MCP protocol:
@gomboc scan path:./src
@gomboc fix path:./src format:pull_request
@gomboc remediate path:./code commit:true
See references/mcp-integration.md for details.
3. CLI Tool (Developers & Scripts)
Use the Python CLI for local scanning:
export GOMBOC_PAT="your_token"
python scripts/cli-wrapper.py scan --path ./src --format markdown
python scripts/cli-wrapper.py fix --path ./src --format pull_request
python scripts/cli-wrapper.py remediate --path ./src --commit
See references/setup.md for detailed instructions.
4. GitHub App (Automated)
Install Gomboc GitHub App for automatic PRs:
- https://github.com/apps/gomboc-ai-community
- Select repos to monitor
- Gomboc automatically scans on PR, generates fixes
5. GitHub Actions (CI/CD)
Automate continuous remediation in pipelines:
- uses: gomboc-action@v1
with:
path: ./terraform
auto-fix: true
policy: default
See references/github-action.md for configuration.
Configuration
All configuration is via environment variables:
| Variable | Purpose | Required | Example |
|---|---|---|---|
GOMBOC_PAT |
Personal Access Token | Yes | gpt_abc123... |
GOMBOC_MCP_URL |
MCP server URL | No | http://localhost:3100 |
GOMBOC_POLICY |
Remediation policy | No | default or aws-cis |
Security & Audit
This skill has been:
- ✅ Security-audited for token handling
- ✅ Verified against live Gomboc API
- ✅ Tested with real vulnerabilities
- ✅ Confirmed production-ready
See SECURITY.md for complete audit details.
Open Remediation Language (ORL)
ORL is the deterministic execution engine that powers Gomboc fixes:
Deterministic Remediation
- Same input = same output, always (no probabilistic AI)
- Syntax-tree aware (via Tree-sitter) instead of brittle regex
- Safe for bulk remediation across large codebases
- Results are auditable and reviewable
How ORL Works
- Detects policy violations by analyzing syntax trees
- Evaluates context and code structure
- Applies precise transformations (insert, modify, delete)
- Validates fixes are safe and complete
Policy-Driven Fixes
- Policies define what should be fixed (CIS, AWS best practices, custom rules)
- ORL rules execute those policies to generate code changes
- Policy Sets let you customize enforcement by environment/team
See: https://docs.gomboc.ai/orl
Support & Documentation
- Setup Guide:
references/setup.md - MCP Integration:
references/mcp-integration.md - GitHub Actions:
references/github-action.md - Security Audit:
SECURITY.md - Changelog:
CHANGELOG.md - Gomboc Official Docs: https://docs.gomboc.ai
- ORL Documentation: https://docs.gomboc.ai/orl
- GitHub Feedback: https://github.com/Gomboc-AI/gomboc-ai-feedback/discussions
License
MIT License — See LICENSE file
Ready to remediate? Start with the Quick Start section above, then explore integration methods that fit your workflow.
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install gomboc-security-community - 安装完成后,直接呼叫该 Skill 的名称或使用
/gomboc-security-community触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
Code Remediation with Gomboc.ai Community Edition 是什么?
Automatically scans and generates deterministic, merge-ready code fixes for infrastructure, app code, and configs using Gomboc.ai's Open Remediation Language. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 100 次。
如何安装 Code Remediation with Gomboc.ai Community Edition?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install gomboc-security-community」即可一键安装,无需额外配置。
Code Remediation with Gomboc.ai Community Edition 是免费的吗?
是的,Code Remediation with Gomboc.ai Community Edition 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Code Remediation with Gomboc.ai Community Edition 支持哪些平台?
Code Remediation with Gomboc.ai Community Edition 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Code Remediation with Gomboc.ai Community Edition?
由 Gomboc AI(@gomboc-ai)开发并维护,当前版本 v0.2.5。