Get started with Gomboc Community Edition

0. Prerequisites

Before you start, make sure you have:

• VS Code version 1.63.0 or greater https://code.visualstudio.com/download

• Docker is installed and running (Docker Desktop or Docker Engine) https://www.docker.com/products/docker-desktop/

Why Docker? The VS Code extension runs the ORL remediation engine locally inside a Docker container when you scan. If Docker isn’t running, scans/fixes won’t start.

1. Generate a personal token

• Here's how to create a Gomboc personal access token.

2. Set up the Gomboc VSCode plugin

• Install the Gomboc Plugin via the marketplace or direct in the IDE:

  • VS Code Marketplace (click "Install") gomboc-vscode-extension

• VSCode Extensions tab. Search for "Gomboc" and click "Install":

  
• When you install the extension, be sure to enable "Auto Update".

• Once installed, open the product settings by doing one of the following:

  • click the gear icon and select "Settings":

    
  • Open Settings > Extensions and search for "Gomboc."

    

    
• Paste your Personal Access Token into the Api Key field. Run Gomboc: Test Api Key from the command and enable "Scan on File Save".

  

3. Run your first scan

Choose your path before running your scan

• Option 1 (Recommended): Checkout the Gomboc Reviewer guide

• Option 2 (Quick): Problems panel → Apply Fix

  • Create a project with a Terraform file.

    • In your IDE, create a new folder called "gomboc-quickstart" and create a new file, main.tf

      

      • Populate that file with the following content:

        Copy

        provider "aws" {
          region = "us-east-2"
        }
        
        data "aws_region" "current" {}
        
        resource "aws_dynamodb_table" "test_table_a" {
        }
        
        resource "aws_lambda_function" "myfunction" {
        }
        
        resource "aws_appsync_graphql_api" "test_api" {
          authentication_type = "API_KEY"
        }
        
        resource "aws_keyspaces_table" "mykeyspacestable" {
        }

      • Alternatively, check out https://github.com/Gomboc-AI/rattleback with the following command

        Copy

        git clone [email protected]:Gomboc-AI/rattleback.git

  • Save the file, triggering Gomboc to scan it

    • Alternatively, click on the search bar and select "Show and Run Commands":

      

      • Type "Gomboc" into the search and select "Gomboc: Scan current file or scenario":

        

4. Apply the fixes

• Review the Problems panel → click Apply Fix (or Apply All).

• Save, test, and commit your changes.

1. Install the Gomboc GitHub App

• Click here to Install.

• Select the repos you’d like us to monitor (your own or Gomboc demo example).

2. Scan & Generate Fixes

• Edit one of your Terraform files and create a pull request in your selected repo.

• Gomboc will:

  • Automatically scan your Terraform code

  • Open a new PR with:

    • A clear summary of what was fixed

    • Suggested secure code fixes

3. Review Fixes & Share Feedback

• Head to the PR created by Gomboc, review the description, accept the fixes, and merge.

• Leave feedback via our GitHub discussions channel.

With our Gomboc MCP server, you'll be able to use your own AI tool like Claude or ChatGPT and have it interact with Gomboc.

1. Pull the Docker image here

2. Generate a personal token

• Here's how to create a Gomboc personal access token.

• Once you have the image and token you can run the following command to run the MCP server:

For examples and details go to the dedicated MCP user docs page.