Get started with Gomboc Community Edition

Introduction

This guide will help you quickly get started with Gomboc Community Edition to fix IaC issues directly in your favorite development workflows.

New 🎉: Community Edition now includes Gomboc’s latest remediation engine powered by Open Remediation Language (ORL), which generates deterministic, merge-ready fixes. In the VS Code workflow, ORL runs locally via Docker, so you’ll want Docker installed and running before your first scan.

🚀 Quick Start

1. Get Started in VS Code

1.0 Prerequisites

Before you start, make sure you have:

VS Code version 1.63.0 or greater https://code.visualstudio.com/download
Docker installed and running (Docker Desktop or Docker Engine) https://www.docker.com/products/docker-desktop/

Why Docker? The VS Code extension runs the ORL remediation engine locally inside a Docker container when you scan. If Docker isn’t running, scans/fixes won’t start.

Go to Gomboc portal and create a Community account (GitHub SSO or email) by clicking "Sign Up".
You can choose to sign up with username and password or with GitHub SSO.
- For username and password, fill out your email, name, and organization
- For GitHub SSO, click on the "GitHub" option and follow the oauth process to authorize access by selecting "Authorized Gomboc-AI".
In the Portal, select the account drop-down from the upper right and click "Settings".
Select "Personal Access Tokens" in the account menu.
Click Generate Token, name it (e.g., vscode), choose an expiration timeframe, and click "Create".
Copy the token to a secure location for safe keeping to finish IDE plugin setup, then click "Done".

1.2 Set up the VSCode plugin

Install a VSCode version 1.63.0 or greater. See https://code.visualstudio.com/download.
Install the Gomboc Plugin via the marketplace or direct in the IDE:
- VS Code Marketplace (click "Install") gomboc-vscode-extension
- VSCode Extensions tab. Search for "Gomboc" and click "Install":
- When you install the extension, be sure to enable "Auto Update".
Once installed, open the product settings by doing one of the following:
- click the gear icon and select "Settings":
- Open Settings > Extensions and search for "Gomboc."

Paste your Personal Access Token into the Api Key field. Run Gomboc: Test Api Key from the command and enable "Scan on File Save".\

1.3 Run your first scan & apply fixes

Create a project with a Terraform file.

In your IDE, create a new folder called "gomboc-quickstart" and create a new file, main.tf

Populate that file with the following content:

provider "aws" {
  region = "us-east-2"
}

data "aws_region" "current" {}

resource "aws_dynamodb_table" "test_table_a" {
}

resource "aws_lambda_function" "myfunction" {
}

resource "aws_appsync_graphql_api" "test_api" {
  authentication_type = "API_KEY"
}

resource "aws_keyspaces_table" "mykeyspacestable" {
}

Alternatively, check out https://github.com/Gomboc-AI/rattleback with the following command
```
git clone [email protected]:Gomboc-AI/rattleback.git
```

Save the file, triggering Gomboc to scan it
- Alternatively, click on the search bar and select "Show and Run Commands":
- Type "Gomboc" into the search and select "Gomboc: Scan current file or scenario":
Review the Problems panel → click Apply Fix (or Apply All).
Save, test, and commit your changes.

Don’t have a Terraform file handy? go to the dedicated VS Code user docs page get an example code.

2. Automate PR Fixes in GitHub

2.1 Install the Gomboc GitHub App

Click here to Install.
Select the repos you’d like us to monitor (your own or Gomboc demo example).

2.2 Scan & Generate Fixes

Edit one of your Terraform files and create a pull request in your selected repo.
Gomboc will:
- Automatically scan your Terraform code
- Open a new PR with:
  - A clear summary of what was fixed
  - Suggested secure code fixes

Head to the PR created by Gomboc, review the description, accept the fixes, and merge.
Leave feedback via our GitHub discussions channel.

3. [Advanced] Gomboc MCP Server (Beta)

Use your own AI tool like Cursor to interact with Gomboc.
Pull the Docker image here
Generate/reuse your Personal Access Token
Once you have the image and token you can run the following command to run the MCP server

docker run -p 3100:3100\
-e GOMBOC_PAT='GENERATED_GOMBOC_PAT' \
gombocai/mcp:latest

For examples and details go to the dedicated MCP user docs page.

Need help? Leave feedback via our GitHub discussions channel.

PreviousIntroduction NextGomboc Portal

Last updated 4 hours ago

hashtagIntroduction

hashtag🚀 Quick Start

hashtag1. Get Started in VS Code

hashtag1.0 Prerequisites

hashtag1.1 Sign up in the Portal & create a personal token

hashtag1.2 Set up the VSCode plugin

hashtag1.3 Run your first scan & apply fixes

hashtag2. Automate PR Fixes in GitHub

hashtag2.1 Install the Gomboc GitHub App

hashtag2.2 Scan & Generate Fixes

hashtag2.3 Review Fixes & Share Feedback

hashtag3. [Advanced] Gomboc MCP Server (Beta)