# Changelog

***

### ORL Custom Rules (turn guardrails into fixes)

March 17, 2025 `New`

Our custom rules let teams convert existing guardrails into actionable fixes, not just pass/fail checks. You can codify organization-specific policies (including conversions from existing policy investments) into deterministic remediation rules and apply them to the environments that matter, enabling “blocking mode” style enforcement in real pipelines.

You can now **create your own deterministic remediation rules** using our **ORL engine**, so your existing internal guardrails (tagging standards, IAM patterns, encryption requirements, etc.) become **repeatable checks + auto-fixes**.

Start with the [**Custom Rules Quickstart** guide here](/orl/quickstart.md).

***

### “Beyond IaC” demo/use cases

March 9, 2025 `New`

Gomboc now delivers **end-to-end, deterministic remediation across codebases**, not just IaC. The shift is powered by our **ORL-based engine**, which turns remediation intent into precise, repeatable diffs across many file types and languages, so teams can trust and operationalize fixes (reviewable, consistent, and scalable). To see this in action outside Terraform, start with this demo case: [Demo case Java with dolphinscheduler log4shell](/getting-started-ce/gomboc-demo-cases/demo-case-java-with-dolphinscheduler-log4shell.md). It walks through scanning a real Java project (Apache DolphinScheduler), flagging a Log4j risk, then using the IDE Reviewer to **preview the diff**, apply the deterministic dependency change (replacing `slf4j-log4j12` with `slf4j-reload4j`), and **verify via re-scan** that the issue is resolved.

***

### Drift Reconciliation

February 28, 2025 `New`

We shipped drift reconciliation to keep cloud reality aligned with IaC. Gomboc maps IaC resources to live cloud resources, detects drift, and generates the exact deterministic code changes needed to reconcile differences, helping you preserve “break-glass” incident changes and avoid surprises over time.

**Get started here:** [Drift Reconciliation (setup + steps)](/drift-reconciliation.md).

***

### ORL (Open Remediation Language)

February 17, 2025 `New`

We released ORL (Open Remediation Language) for our enterprise customers and the Gomboc Community Edition.

**ORL is our new execution engine** that powers how Gomboc evaluates policies, detects issues, and generates deterministic fixes directly in your code.

Instead of alerts or suggestions, ORL generates repeatable, policy-aligned code changes that engineers can safely apply, and it also lays the foundation for Custom Rules so teams can enforce, and deterministically fix, their own organization-specific controls the same way.

If you want the full mental model (what ORL is, why it exists, how it maps Policies → Policy Sets → Rules → Findings/Fixes, and the core concepts like determinism + syntax trees + separation of concerns), read the [ORL overview here](/orl.md).

***

### New Reports and Analytics Page

February 10, 2025 `New`

**ROI metrics framed as Focus → Progress → Outcomes**

The new Reports feature enables customers to easily track their fix burn-down, prioritize results, and report success to management.

We added new reporting and analytics centered on the three stakeholder questions: **Where should we focus?** **Are we making progress?** **What did we achieve?** Reports highlight prioritized work, show burndown and trends over time, and summarize measurable impact (like fixes delivered and time saved) to make ROI clear and easy to communicate.

Learn from our [case study](https://www.gomboc.ai/case-study/upwork-eliminates-iac-security-debt-with-gomboc) how you can save your team hours.

***

### IDE Fix Reviewer (webview, diff preview, bulk apply patterns)

January 22, 2025 `New`

We introduced the Gomboc IDE Fix Reviewer (webview) to bring fixes directly into the developer workflow. It provides an in-IDE review surface with diff previews before changes are applied, plus bulk actions that let you multi-select findings and apply the same fix pattern across multiple files and occurrences—turning remediation into a fast, reviewable flow.

**External findings ingest (e.g., Checkov) + verification**

The Fix Reviewer can ingest external findings (for example, from Checkov) and map them into Gomboc’s deterministic remediation logic. After applying fixes, verification helps confirm the issue is actually resolved, identify false positives from third-party tools, and ensure the change matches the intended policies and rules.

**To try it right now**, follow the [**VSCode Plugin setup**](/integrations/vscode-plugin.md) (install extension, add your personal token, enable scan-on-save), then run **`“Gomboc: Scan current file or scenario”`** and open **`“Gomboc: Reviewer (webview)”`** from the Command Palette.

***

### **Workspaces Tags**

January 10, 2025 `New`

We added workspace tagging to strengthen deterministic fix delivery and make remediation operational at scale. Workspace tags help you segment and route work more simply by letting teams group and filter workspaces by dimensions like team, application, environment, business unit, or compliance tier. This improves ownership and reporting, so leaders can quickly answer “what’s running where, who owns it, and what’s the remediation status?” across large numbers of repos and environments.

***

### **Policy Sets Per Environment Or Workspace**

January 6, 2025 `New`

You can create and apply **Policy Sets** for each environment (e.g., dev, staging, prod) and attach them to specific **workspaces**, so the right guardrails, and the right fixes, apply automatically wherever the code lives.

Teams typically start with the **Gomboc default policy set** as a baseline, then tighten standards for production and create targeted sets for high-risk repos or critical services.

Because policy is the control plane, fix configuration stays simple and consistent: results and fix reports roll up **by policy**, with **severity and risk-based prioritization**, and you can also align policies to known frameworks (e.g., CIS/NIST) and deliver **custom fixes** only to the environments that matter.

***

### **New Policy Management + Smart Prioritization**

December 23, 2025 `New`&#x20;

We are shifting remediation from “a list of findings” to “fixes aligned with intent.” Teams can define what guardrails matter (by category, framework, internal standards, or tool-mapped policies), and Gomboc consistently generates deterministic fixes that match those guardrails. The outcome is higher trust and adoption: engineers see fixes that reflect agreed-upon standards, and security teams get predictable enforcement without repeated manual interpretation.

**Smart prioritization**

Smart prioritization ranks fixes by severity, risk, and impact so teams tackle what matters first (especially production blockers). The outcome is faster risk reduction, fewer stalled backlogs, and clearer progress over time.

***

### **Gomboc Portal Redesign**

December 21, 2025 `New`&#x20;

We shipped a complete Portal overhaul with a refreshed UX/UI and significantly faster navigation and page load performance. The new experience is designed around real remediation workflows, making it easier to move from “what did we find?” to “what do we fix next?” without jumping between disconnected views.

Book a fully interactive demo with our team: [Book a demo](https://meetings.hubspot.com/gomboc-demo/one?uuid=02ec3652-7555-49d9-ab35-b01b2dc09cdb&__hstc=239846108.d9abb7a6c8409d9962c467d347a3b69a.1747674668709.1771607018868.1771619176053.93&__hssc=239846108.3.1771619176053&__hsfp=36b799a02b3d61e1a71fb88f8f5d5cb5).

***

### **Workspaces**

November 13, 2025 `New`

A Workspace is the single unit of IaC: **IaC tool + repository + branch + path**. It mirrors how code is deployed and reviewed and becomes the **control plane** for scans and fixes.

**Why this change**

We’re deprecating the **Projects** and **Repositories** views and consolidating them into **Workspaces** to provide:

* One coherent view instead of bouncing between pages.
* No manual linking of repos/paths.
* Clear ownership and reporting per deployable unit.

**How it works**

* **Auto-discovery:** New repos under your connected SCM scope are discovered and turned into Workspaces; PRs auto-map to their ancestor Workspace.
* **Indexer:** An hourly job indexes new repos, new workspaces, and new subgroups and performs an IaC presence check.
* **Scans:** Run on demand from the Portal, or automatically on PR open/update.
* **Scope:** Workspace creation is limited to default/protected branches for stability.
* **Manual setup:** You can Add Workspace manually and edit names if needed.

{% hint style="danger" %}
Note: The Projects and Repositories views will no longer be available starting November 28, 2025.
{% endhint %}

***

### **Fixes for CIS Benchmarks**

October 17, 2025 `New`

Today we release over 100 new fixes that relate to CIS Benchmarks. This marks a significant advancement, supporting multiple cloud providers (AWS, Azure, and Google) across an array of services: data storage, databases, compute, Kubernetes, and general cloud configuration. The following CIS benchmarks were addressed:

* AWS
  * Amazon Web Services Foundations Benchmark v5.0
  * AWS Database Service Benchmark v1.0
  * AWS End User Compute Services Benchmark - v1.1
  * AWS Storage Services Benchmark v1.0
  * AWS Compute Services Benchmark v1.1
  * AWS Elastic Kubernetes Service Benchmark v1.7
* Azure
  * Microsoft Azure Foundations Benchmark v4.0
  * Microsoft Azure Kubernetes Service Benchmark v1.7
  * Microsoft Azure Compute Services Benchmark v2.0
  * Microsoft Azure Database Services Benchmark v1.0
  * Microsoft Azure Storage Services Benchmark v1.0
* Google Cloud
  * Google Cloud Platform Foundations Benchmark
  * Google Kubernetes Engine (GKE) Benchmark
  * Google Kubernetes Engine (GKE) Autopilot Benchmark
  * Google Workspace Foundations Benchmark

**Why this change**

We've been working on scaling our fix generation capabilities and this is a step toward making it possible to gain assurance that your cloud configuration adopts CIS best practices.

**How it works**

* **Enable policy recommendations**: applying the new rules simply involves turning on the corresponding benchmark in the "Security Policy" view.

***

### **HashiCorp Terraform Run Task Integration**

August 6, 2025 `New`

We’ve added a new integration with HashiCorp Terraform, a leading IaC platform used to provision and manage any of your cloud environments. With this update, Gomboc can automatically check and fix issues in your infrastructure code before deployment, helping prevent security risks, downtime, and unnecessary costs by delivering ready-to-merge pull requests.

Authentication is secured via HMAC, and enforcement can be set to advisory or mandatory. Detailed pass/fail callbacks include severity‑ranked outcomes, resource addresses, and remediation guidance, helping teams focus on the highest‑impact fixes first.

Engineers benefit from native workflow integration with no CLI changes or extra tools, plus RFC‑style documentation for knowledge sharing and easy troubleshooting.

Setup takes minutes via Settings > Integrations > HashiCorp in the Gomboc Portal. See our [user documentation](https://docs.gomboc.ai/integrations/cloud-orchestration/hcp-terraform) for complete instructions.

***

### **Gomboc MCP Server (Beta) Released**

July 16, 2025 `New`

We’ve launched the Gomboc MCP Server (Beta): a local server that lets you interact directly with Gomboc’s deterministic AI. With this release, you can request individual IaC fixes and access the complete list of supported security benchmarks (CIS, NIST, and more), all from your local environment.

Even more exciting, you can now connect your own AI agents or tools (like Claude) to the MCP server to programmatically fetch precise remediations or benchmark data. This opens up a powerful new way to embed Gomboc into custom workflows, copilots, or automation layers.

You can pull the Docker image and find [setup instructions in our docs](https://docs.gomboc.ai/integrations/mcp-server).

***

### **Create Custom Rules**

June 30, 2025 `New`

We’ve introduced the ability to create custom security policies, giving teams control over how Gomboc enforces best practices in their environment. Whether it’s tagging standards, KMS key access, or IAM permissions, users can now define and scope their own policy rules, customized down to the cloud resource and attribute level.

* Build from scratch or start with existing rules using our new policy builder interface.
* Apply rules globally or scope them to specific projects, repositories, or folders.
* Customize policy logic using exact values, value patterns (e.g., starts with), or organizational tags.
* Automatically generate rule descriptions and link policies to your security frameworks (e.g., CIS, NIST).

***

### **Gomboc Community Edition**

June 24, 2025 `New`

We’ve launched **Gomboc Community Edition**, a free, quick-start version of Gomboc’s deterministic AI platform for automating IaC remediation, designed to let developers explore our core functionality.

Community Edition delivers:

* Merge-ready PRs for Terraform misconfigurations.
* Instant onboarding via GitHub.
* Real-world policies covering security and compliance best practices for AWS, Azure and Google Cloud.
* Deterministic AI that delivers verifiable fixes you can trust.

Unlike static scanners or recommendation tools, Gomboc Community Edition actually fixes the problem.

This release reflects our commitment to supporting Platform and DevOps teams with tools that work the way they do: fast, reliable, and developer-first.\
Grab it now at <https://docs.gomboc.ai/> and see Gomboc in action.

***

### **Code Validation for Gomboc PRs**

May 30, 2025 `Improvement`

Gomboc now automatically validates the Terraform code in its generated pull requests for type and configuration accuracy before it ever reaches your repo.

What this means:

* Every PR from Gomboc now runs `terraform validate` behind the scenes.
* This catches syntax and type issues early, before any human review.
* We simulate backend and provider authentication to avoid the need for user credentials or setup.
* Future phases will include full `terraform plan` validation and state analysis for customers who want deeper trust signals and automation.

Time is key, and having to check out a branch, run `init`, and review `plan` output slows developers down. This validation upgrades Gomboc to fully trusted IaC remediation that developers can merge with confidence.

***

### **Gomboc Compliance Companion**

April 21, 2025 `New`

The Gomboc Compliance Companion is a new feature that helps companies keep their cloud systems secure and compliant automatically, without slowing down developers or rewriting existing code.

It automatically scans all your configurations across AWS, Azure, and GCP, and provides:

* Instant, auditable security fixes in PRs with one-click approval.
* Real-time compliance enforcement in development, CI/CD, and pipelines.
* No rewrites required, works with your existing codebase.
* $100K+ potential annual savings per workload by eliminating 50+ days of developer toil.

Compliance Companion shifts teams from periodic audits to automated, continuous compliance, accelerating delivery while reducing risk.

***

### **Automated Onboarding Assessment**

April 2, 2025 `Improvement`

We’ve streamlined the onboarding experience to make it faster, smarter, and easier to manage. With just a few clicks, Gomboc now automatically discovers your IaC repositories and delivers a comprehensive report with actionable insights in under 5 minutes.

What’s better:

* Zero manual setup: Automated repo discovery means no team or project gets missed.
* Smart impact report: Highlights misconfigurations, team activity, and ROI projections.
* Prioritized fixes: Aligned to compliance frameworks like CIS IG1/2/3.
* No code stored: All data is processed securely and ephemerally.

[Try the improved onboarding flow](https://meetings.hubspot.com/celsinger?uuid=007a6d36-2959-4c04-8ad5-e0c69ef11ce7&__hstc=239846108.d9abb7a6c8409d9962c467d347a3b69a.1747674668709.1752262501325.1752599560527.46&__hssc=239846108.8.1752599560527&__hsfp=1666919083) and see your first value, fast.

***

### **Gomboc Extension for Visual Studio Code**

March 13, 2025 `New`

We just dropped a VSCode extension that enables developers to get real-time generated code as they develop cloud infrastructure. The extension applies Gomboc’s deterministic AI to highlight and fix misconfigurations precisely and instantly. Whether you're writing new infra or cleaning up legacy code, it keeps your cloud setup tight, without slowing you down.

Install it via the [VSCode Marketplace](https://marketplace.visualstudio.com/items?itemName=GombocAI.gomboc-vscode-extension\&ssr=false#overview), learn about all the features, and start building reliable cloud infrastructure without leaving your editor.

***

### **CSPM Alert to Code Discovery and Fix**

March 2, 2025 `New`

We’ve closed the loop from cloud alerts to actual code-generated remediations. Gomboc now connects CSPM findings directly to the code that caused them.

Here’s what’s new:

* When a CSPM alert comes in, Gomboc identifies the code location that caused it and provides a fully described pull request with the fix.
* We show full observation detail and let you dive into context across code resources.
* You can now select policy-based remediations, preview the fix, and generate a PR, all in one click.

This dramatically reduces investigation time and makes remediating cloud infrastructure feel like a GitHub feature. [Try it from the Observations tab now.](https://meetings.hubspot.com/celsinger?uuid=007a6d36-2959-4c04-8ad5-e0c69ef11ce7&__hstc=239846108.d9abb7a6c8409d9962c467d347a3b69a.1747674668709.1752262501325.1752599560527.46&__hssc=239846108.8.1752599560527&__hsfp=1666919083)


