
Gomboc Reviewer (Webview)

Gomboc Reviewer is the global review panel inside the Gomboc VS Code extension. It gives you a single, centralized place to triage findings, preview deterministic remediations, and apply changes across multiple files.


Why use Reviewer?

Reviewer is purpose-built for workflows where you want to move fast across your organization:

  • Bulk review and fixes across multiple files

  • Multi-select issues (checkboxes) and apply fix pattern across all occurrences

  • Preview diffs before writing the code

  • Ingest external findings (e.g., Checkov) and map them to Gomboc’s deterministic fix logic

  • Nondeterministic fixes with verification [Coming soon...]

    • Prove an issue is fixed, identifying false positives from third parties

    • Generate a Gomboc AI-ready prompt to fix it

    • Verify the fix matches policies and rules


User Guide: Review workflow + Third party verification

This user guide shows how to turn a “looks production-ready” public IaC repo into an actionable hardening plan using Gomboc Reviewer:

1. Clone and open the repo

Clone the demo repo and open it in VS Code:

What you should see:

  • A Terraform-based AWS deployment with multiple files (a realistic, multi-file scenario).

2. Run a scenario scan (get findings across the repo)

  1. Open the Command Palette (Ctrl/Cmd + Shift + P)

  2. Run: Gomboc: Scan current file or scenario (or scan-on-save, if enabled)

What you should see:

  • A set of findings across the scenario (often dozens in a repo like this).

3. Open Reviewer (your “global panel” for fixing)

  1. Open the Command Palette

  2. Run: Gomboc Reviewer (webview)

What you should see:

  • A webview with issues grouped by file on the left.

4. Triage and select a focused batch

In the left pane, pick a cluster to harden first, for example:

  • RDS: Multi-AZ, public accessibility, deletion protection / termination protection

  • EC2 / launch templates: Instance Metadata Service settings (avoid IMDSv1), detailed monitoring

  1. Expand the relevant files

  2. Multi-select findings using the checkboxes

What you should see:

  • Selection spanning multiple files/resources (this is where Reviewer beats the Problems tab).

5. Preview the changes (diff-first, safe workflow)

  1. Click Preview (magnifying glass icon)

  2. Wait for the preview to compute

  3. Review diffs per file in the right pane:

    • @@ ... @@ diff hunks

    • Keep / Undo per hunk

    • Optional Show full resource to see the enclosing Terraform block/YAML doc/etc.

What you should see:

  • Concrete code changes for the selected resources (e.g., enabling Multi-AZ, disabling public access, enforcing metadata settings).
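To make the RDS and EC2 settings named in steps 4 and 5 concrete, here is an added Terraform example (not code from the Gomboc documentation or from the demo repo) showing the weak form of each resource next to its hardened form. The resource names, the `app-db` identifier, the AMI id and the instance sizes are constructed placeholders; the `_before` and `_after` blocks are two versions of the same resource, shown side by side for comparison rather than meant to be applied together.

```hcl
# Added example, not part of the Gomboc docs or the demo repo.
# Each "_before" block carries the kind of finding Reviewer groups under
# "RDS" or "EC2 / launch templates"; each "_after" block is the hardened form.

# --- RDS, before: single-AZ, internet-reachable, deletable without a snapshot ---
resource "aws_db_instance" "app_before" {
  identifier                  = "app-db"          # constructed placeholder
  engine                      = "postgres"
  instance_class              = "db.t3.medium"
  allocated_storage           = 20
  username                    = "app"
  manage_master_user_password = true              # credential kept in Secrets Manager

  multi_az            = false # no standby: an AZ outage takes the database down
  publicly_accessible = true  # public IP; network reach is only limited by the SG
  deletion_protection = false # one mistaken `terraform destroy` drops the instance
  skip_final_snapshot = true  # nothing to restore from after a deletion
}

# --- RDS, after: the settings a Multi-AZ / public access / deletion protection fix applies ---
resource "aws_db_instance" "app_after" {
  identifier                  = "app-db"
  engine                      = "postgres"
  instance_class              = "db.t3.medium"
  allocated_storage           = 20
  username                    = "app"
  manage_master_user_password = true

  multi_az                  = true            # synchronous standby in a second AZ
  publicly_accessible       = false           # reachable only inside the VPC
  deletion_protection       = true            # API refuses to delete until this is cleared
  skip_final_snapshot       = false
  final_snapshot_identifier = "app-db-final"  # required once skip_final_snapshot is false
}

# --- EC2, before: IMDSv1 still answers, basic (5-minute) monitoring only ---
resource "aws_instance" "web_before" {
  ami           = "ami-0123456789abcdef0"     # constructed placeholder
  instance_type = "t3.micro"

  monitoring = false
  # No metadata_options block: the default leaves http_tokens = "optional",
  # so unauthenticated IMDSv1 requests to 169.254.169.254 are accepted.
}

# --- EC2, after: IMDSv2 enforced, hop limit pinned, detailed monitoring on ---
resource "aws_instance" "web_after" {
  ami           = "ami-0123456789abcdef0"
  instance_type = "t3.micro"

  monitoring = true                           # 1-minute CloudWatch metrics

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"  # session token mandatory: IMDSv2 only
    http_put_response_hop_limit = 1           # token replies do not cross a network hop
  }
}
```

When you compare a Reviewer diff hunk against these blocks, the lines that change are the attribute assignments (`multi_az`, `publicly_accessible`, `deletion_protection`, `monitoring`) and the added `metadata_options` block; the surrounding resource stays as it was, which is what Show full resource lets you confirm before keeping the hunk.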

Tip:

  • Use Open diff in editor for full side-by-side review in VS Code.

6. Apply changes (choose your review depth)

Option A: Apply kept changes (recommended)

  1. Keep only the hunks you want

  2. Click Apply kept changes

Guardrail:

  • If a file changed on disk after the preview was computed, Apply kept changes refuses to write to it; re-run Preview and review the fresh diffs before applying.

Option B: Apply selected (fast bulk apply)

  1. Select findings

  2. Click Apply selected to apply fixes sequentially

7. Rescan to confirm fixes removed the findings

  1. Click Rescan (refresh icon) inside Reviewer

What you should see:

  • The issue list updates: fixed items disappear, or the per-file counts drop.

8. Verify with Third Party Compare (Checkov)

  1. Click Third Party Compare (tool icon)

What you should see:

  • A pass/fail summary toast/status for the targeted Checkov verification.

Note:

  • Checkov errs on the side of reporting, so it tends toward false positives. If you have applied all available Gomboc fixes and a Checkov item still appears, inspect the Checkov report carefully before treating it as a real gap.

9. Generate an AI prompt [Coming soon ...]

Some issues require an architectural or org-specific choice. For those:

  1. Apply the remediation guidance (it may add an in-code comment telling you what to do and why)

  2. Click Try AI fix to copy a structured Gomboc prompt

  3. Paste into your AI tool (e.g., Cursor) and implement the change

What you should see:

  • A code comment is added and a confirmation that the prompt was copied; once you implement the change and rescan, the issue disappears.
