# Gomboc Reviewer (Webview)

Gomboc Reviewer is the global review panel inside the Gomboc VS Code extension. It gives you a single, centralized place to triage findings, preview deterministic remediations, and apply changes across multiple files.

***

### Why use Reviewer?

Reviewer is purpose-built for workflows where you want to move fast across your organization:

* Bulk review and fixes across multiple files
* Multi-select issues (checkboxes) and apply a fix pattern across all occurrences
* Preview diffs before any code is written
* Ingest external findings (e.g., Checkov) and map them to Gomboc’s deterministic fix logic
* Fixes with verification
  * Prove an issue is fixed, identifying false positives from third parties
  * Generate a Gomboc AI-ready prompt to fix issues found
  * Verify the fix matches policies and rules

{% hint style="info" %}
If you want end-to-end guided scenarios, start with [**Gomboc Demo Cases**](/getting-started-ce/gomboc-demo-cases.md).
{% endhint %}

***

### User Guide

This user guide shows how to turn a “looks production-ready” public IaC repo into an actionable hardening plan using Gomboc Reviewer:

#### 1. Clone and open the repo

Clone the demo repo and open it in VS Code:

```bash
git clone https://github.com/iac-playground/dolphinscheduler.git
```

What you should see:

* A Terraform-based AWS deployment with multiple files (a realistic, multi-file scenario).

***

#### 2. Run a scenario scan (get findings across the repo)

1. Open the Command Palette (`Ctrl/Cmd + Shift + P`)
2. Run: **Gomboc: Scan current file or scenario**\
   (or scan-on-save, if enabled)

What you should see:

* A set of findings across the scenario (often dozens in a repo like this).

<div align="left"><figure><img src="/files/DwUSmux8cnc8CvwmfgbG" alt="" width="563"><figcaption></figcaption></figure></div>

***

#### 3. Open Reviewer (your “global panel” for fixing)

1. Open the Command Palette

<div align="left"><figure><img src="/files/mTjOKx9x9b1oCOpioT5L" alt="" width="563"><figcaption></figcaption></figure></div>

2. Run: **Gomboc Reviewer (webview)**

What you should see:

* A webview with issues grouped by file on the left.

<div align="left"><figure><img src="/files/zBA1IrkZZGZTFo9yXWS7" alt="" width="563"><figcaption></figcaption></figure></div>

***

#### 4. Triage and select a focused batch

In the left pane, pick a cluster to harden first, for example:

* **RDS**: Multi-AZ, public accessibility, deletion protection / termination protection
* **EC2 / launch templates**: Instance Metadata Service settings (avoid IMDSv1), detailed monitoring

1. Expand the relevant files
2. **Multi-select** findings using the checkboxes

What you should see:

* Selection spanning multiple files/resources (this is where Reviewer beats the Problems tab).

<div align="left"><figure><img src="/files/evnJtY81tdzPyKiklYcm" alt="" width="563"><figcaption></figcaption></figure></div>

***

#### 5. Preview the changes (diff-first, safe workflow)

1. Click **Preview** (magnifying glass icon)
2. Wait for the preview to compute
3. Review diffs **per file** in the right pane:
   * `@@ ... @@` diff hunks
   * **Keep** / **Undo** per hunk
   * Optional **Show full resource** to see the enclosing Terraform block/YAML doc/etc.

What you should see:

* Concrete code changes for the selected resources (e.g., enabling Multi-AZ, disabling public access, enforcing metadata settings).
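
As an added illustration (not Gomboc output and not code from the demo repo), the Terraform below shows the kind of before/after change these findings correspond to. Resource names, the AMI ID and all values are constructed.

```hcl
# Constructed example; resource names and values are hypothetical.

# Before: the settings the RDS findings flag.
resource "aws_db_instance" "app_before" {
  engine                      = "postgres"
  instance_class              = "db.t3.medium"
  allocated_storage           = 20
  username                    = "app"
  manage_master_user_password = true
  multi_az                    = false # single Availability Zone
  publicly_accessible         = true  # gets a publicly resolvable endpoint
  deletion_protection         = false # a single delete call removes it
}

# After: the same resource with the three settings hardened.
resource "aws_db_instance" "app_after" {
  engine                      = "postgres"
  instance_class              = "db.t3.medium"
  allocated_storage           = 20
  username                    = "app"
  manage_master_user_password = true
  multi_az                    = true
  publicly_accessible         = false
  deletion_protection         = true
}

# Before: nothing here requires IMDSv2 session tokens,
# and detailed monitoring is not enabled.
resource "aws_launch_template" "worker_before" {
  name_prefix   = "worker-"
  image_id      = "ami-00000000000000000" # placeholder AMI ID
  instance_type = "t3.medium"
}

# After: IMDSv2 required and detailed monitoring on.
resource "aws_launch_template" "worker_after" {
  name_prefix   = "worker-"
  image_id      = "ami-00000000000000000" # placeholder AMI ID
  instance_type = "t3.medium"

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required" # reject IMDSv1-style requests
    http_put_response_hop_limit = 1          # keep tokens on the instance itself
  }

  monitoring {
    enabled = true
  }
}
```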

<div align="left"><figure><img src="/files/gbss5JJAw0MDwv8KOMc7" alt="" width="375"><figcaption></figcaption></figure></div>

Tip:

* Use **Open diff in editor** for full side-by-side review in VS Code.

<div align="left"><figure><img src="/files/qGhnioWp3vi8D42iMnMj" alt="" width="563"><figcaption></figcaption></figure></div>

***

#### 6. Apply changes (choose your review depth)

**Option A: Apply kept changes (recommended)**

1. Keep only the hunks you want
2. Click **Apply kept changes**

Guardrail:

* If a file changed after preview, apply-kept will refuse. Re-run **Preview**.

**Option B: Apply selected (fast bulk apply)**

1. Select findings
2. Click **Apply selected** to apply fixes sequentially

***

#### 7. Rescan to confirm fixes removed the findings

Click **Rescan** (refresh icon) inside Reviewer.

What you should see:

* The issue list updates, and fixed items disappear (or reduce).

***

#### 8. Verify with Third Party Compare (Checkov)

Click **Third Party Compare** (tool icon).

What you should see:

* A pass/fail summary toast/status for the targeted Checkov verification.

Note:

* Checkov favors false positives. If you’ve applied all available Gomboc fixes and a Checkov item still appears, inspect the Checkov report carefully.

***

#### 9. Generate an AI prompt

Some issues require an architectural or org-specific choice. For those:

1. Apply the remediation guidance (it may add an in-code comment telling you what to do and why)
2. Click **Try AI fix** to copy a structured Gomboc prompt
3. Paste into your AI tool (e.g., Cursor) and implement the change

What you should see:

* A code comment added + a copied prompt confirmation, then the issue disappears after you implement and rescan.

