# Gomboc Community Skills

The [Gomboc Community Skills](https://github.com/Gomboc-AI/gomboc-community-skills) plugin brings ORL (Open Remediation Language) workflows into [Claude Code](https://claude.com/claude-code). Use it to scan source code for security and compliance issues, apply deterministic fixes, and create reusable ORL rules — all from your terminal.

Supported languages include Terraform, HCL/Terragrunt, CloudFormation (YAML and JSON), Bicep, Dockerfile, Kubernetes, and Python.

## Prerequisites

Before installing the plugin, make sure you have:

* [Claude Code](https://claude.com/claude-code) CLI installed
* [Docker](https://docs.docker.com/get-docker/) installed and running
* The ORL Docker image pulled locally:

```bash
docker pull gombocai/orl
```

* (Optional) A [Gomboc Personal Access Token](/getting-started/generate-a-personal-access-token.md) if you plan to push rules to the Gomboc Rules Service

## Installation

You can install the plugin from the terminal or through the Claude Code plugin browser.

### CLI

```bash
claude plugin marketplace add https://github.com/Gomboc-AI/gomboc-community-skills.git
claude plugin install gomboc-community@gomboc-community-marketplace
```

### Claude Code plugin browser

1. Start Claude Code
2. Run the `/plugin` command
3. Select **Add Marketplace**
4. Enter the URL for [gomboc-community-skills](https://github.com/Gomboc-AI/gomboc-community-skills):

   ```
   https://github.com/Gomboc-AI/gomboc-community-skills
   ```
5. Select the **gomboc-community-marketplace**
6. Select **Browse Plugins**
7. Select the **Gomboc Community** plugin

### Plugin updates

If you have already installed the plugin, turn on auto-updates or manually update the marketplace to get the latest version.

## Commands

The plugin exposes three slash commands for common workflows.

### `/fix` — Scan and fix code

Scan source code for security anti-patterns and compliance gaps using the ORL classification policy corpus, then apply fixes using existing rules or by generating new ones on the fly.

```
/gomboc-community:fix main.tf — check encryption
/gomboc-community:fix ./infrastructure/ — security review
/gomboc-community:fix Dockerfile
/gomboc-community:fix k8s/ — least privilege
/gomboc-community:fix src/api/ — prevent code injection
/gomboc-community:fix . — CIS compliance check
```

**Workflow:** diagnose → select issues → apply fixes → optionally save as rules

### `/create-rule` — Create a rule from scratch

Define a security or compliance policy and build a complete ORL rule package with tests.

```
/gomboc-community:create-rule Ensure all AWS S3 buckets have server-side encryption enabled using Terraform
/gomboc-community:create-rule Ensure Dockerfiles use pinned image digests instead of mutable tags
/gomboc-community:create-rule Ensure Kubernetes Deployments set runAsNonRoot in securityContext
```

**Workflow:** plan → build → add metadata → optionally push

### `/convert-sentinel` — Convert a Sentinel policy to ORL

Convert a HashiCorp Sentinel policy (from a URL or local file path) into one or more tested ORL rule packages.

```
/gomboc-community:convert-sentinel https://raw.githubusercontent.com/hashicorp/terraform-sentinel-policies/main/aws/restrict-ec2-instance-type.sentinel
/gomboc-community:convert-sentinel ./policies/require-most-recent-ami-version.sentinel
```

**Workflow:** analyze → build rules → add metadata → optionally push

## Skills

Each command orchestrates one or more underlying skills:

| Skill              | Description                                                                                                                 |
| ------------------ | --------------------------------------------------------------------------------------------------------------------------- |
| `diagnose`         | Classification-driven analyzer — detects language, loads matching policies, walks the AST, and reports prioritized findings |
| `apply-fix`        | Applies a fix using an existing ORL rule or generates a new one, with optional save-as-rule                                 |
| `plan-rule`        | Analyzes requirements, identifies test cases, and creates a plan for an ORL rule                                            |
| `build-rule`       | Creates workspace files, writes the ORL rule, and runs tests                                                                |
| `add-metadata`     | Adds metadata (name, description, classifications, provider) to a rule                                                      |
| `push-rule`        | Pushes a completed rule to the Gomboc Rules Service                                                                         |
| `cleanup-rule`     | Evaluates a rule package against release standards and produces a remediation checklist                                     |
| `convert-sentinel` | Converts a HashiCorp Sentinel policy into tested ORL rule packages                                                          |

## Supported languages

| Language            | ORL language ID       | Use case                                          |
| ------------------- | --------------------- | ------------------------------------------------- |
| Terraform           | `terraform`           | AWS, Azure, GCP infrastructure                    |
| HCL                 | `hcl`                 | Terragrunt, Packer, Consul, Vault configs         |
| CloudFormation YAML | `cloudformation-yaml` | AWS infrastructure (YAML format)                  |
| CloudFormation JSON | `cloudformation-json` | AWS infrastructure (JSON format)                  |
| Bicep               | `bicep`               | Azure infrastructure                              |
| Dockerfile          | `docker`              | Container image definitions                       |
| Kubernetes          | `kubernetes`          | K8s manifests (Deployments, Pods, Services, etc.) |
| Python              | `python`              | Application code, AWS CDK, Pulumi, SDK usage      |

## Publishing rules

To push rules to your Gomboc Community Edition account:

1. Set your Personal Access Token: `export RULE_SERVICE_TOKEN=your-pat-here`
2. Run `/gomboc-community:push-rule` from your rule directory, or use the ORL CLI directly:

See [Publish](/orl/publish.md) for more on rule publishing, channels, and classifications.

## Rule package structure

Each rule is a self-contained directory:

```
my-rule/
├── my-rule.orl            # Main rule file
├── test.orl               # Test definition
├── workspace/             # Source files with violations
└── workspace_expected/    # Source files after remediation
```
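As an added example (not code from the plugin or the ORL project), a small pre-flight check on this layout: it confirms the four entries above exist and that every file under `workspace/` has a differing counterpart under `workspace_expected/`, which is the shape the test harness needs before `push-rule`. The sample package it builds, with placeholder `.orl` contents and a constructed Dockerfile before/after pair, is assumed here for illustration.

```python
from pathlib import Path
import tempfile


def check_rule_package(rule_dir: Path) -> list[str]:
    """Return layout problems for <rule_dir>; an empty list means it is consistent."""
    rule_dir = Path(rule_dir)
    problems: list[str] = []
    # Main rule file is named after the directory, per the layout above.
    if not (rule_dir / f"{rule_dir.name}.orl").is_file():
        problems.append(f"missing main rule file {rule_dir.name}.orl")
    if not (rule_dir / "test.orl").is_file():
        problems.append("missing test.orl")
    ws, exp = rule_dir / "workspace", rule_dir / "workspace_expected"
    for d in (ws, exp):
        if not d.is_dir():
            problems.append(f"missing directory {d.name}/")
    if ws.is_dir() and exp.is_dir():
        ws_files = {p.relative_to(ws) for p in ws.rglob("*") if p.is_file()}
        exp_files = {p.relative_to(exp) for p in exp.rglob("*") if p.is_file()}
        for rel in sorted(ws_files - exp_files):
            problems.append(f"workspace/{rel} has no remediated counterpart")
        for rel in sorted(exp_files - ws_files):
            problems.append(f"workspace_expected/{rel} has no original in workspace/")
        # A before/after pair that is byte-identical means the rule changes nothing.
        for rel in sorted(ws_files & exp_files):
            if (ws / rel).read_bytes() == (exp / rel).read_bytes():
                problems.append(f"{rel} is identical before and after remediation")
    return problems


def build_sample_package(root: Path, complete: bool = True) -> Path:
    """Constructed sample for a pinned-image-digest Dockerfile rule (not the project's own)."""
    pkg = root / "pin-image-digest"
    (pkg / "workspace").mkdir(parents=True)
    (pkg / "workspace_expected").mkdir()
    # ORL rule syntax is not shown on this page, so these bodies are placeholders.
    (pkg / "pin-image-digest.orl").write_text("placeholder rule body\n")
    (pkg / "test.orl").write_text("placeholder test definition\n")
    (pkg / "workspace" / "Dockerfile").write_text("FROM python:3.12\nCOPY . /app\n")
    if complete:  # remediated copy: mutable tag replaced by a digest placeholder
        (pkg / "workspace_expected" / "Dockerfile").write_text(
            "FROM python@sha256:<digest-placeholder>\nCOPY . /app\n")
    return pkg


def demo(complete: bool = True) -> list[str]:
    """Build the sample package in a temp dir and return the check results."""
    with tempfile.TemporaryDirectory() as tmp:
        return check_rule_package(build_sample_package(Path(tmp), complete))
```

Calling `demo()` returns an empty list for the complete package and `demo(complete=False)` reports the `workspace/Dockerfile` that has no remediated counterpart.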

## Classification-driven analysis

The `/fix` command uses the ORL classification policy corpus as its knowledge base. Each classification YAML defines what security or compliance policy to enforce, which languages and resource types it applies to, impact and risk scores for prioritization, and compliance framework mappings (CIS, NIST CSF, PCI-DSS, AWS Well-Architected, etc.).

Adding new classification YAMLs automatically extends what `/fix` can detect — no plugin changes needed.
