Gomboc Community Skills

The Gomboc Community Skills plugin brings ORL (Open Remediation Language) workflows into Claude Code. Use it to scan source code for security and compliance issues, apply deterministic fixes, and create reusable ORL rules — all from your terminal.

Supported languages include Terraform, HCL/Terragrunt, CloudFormation (YAML and JSON), Bicep, Dockerfile, Kubernetes, and Python.

Prerequisites

Before installing the plugin, make sure you have:

Claude Code CLI installed
Docker installed and running
The ORL Docker image pulled locally:

docker pull gombocai/orl

(Optional) A Gomboc Personal Access Token if you plan to push rules to the Gomboc Rules Service

Installation

You can install the plugin from the terminal or through the Claude Code plugin browser.

CLI

claude plugin marketplace add https://github.com/Gomboc-AI/gomboc-community-skills.git
claude plugin install gomboc-community@gomboc-community-marketplace

Claude Code plugin browser

Start Claude Code
Run the /plugin command
Select Add Marketplace

Enter the URL for gomboc-community-skills:

https://github.com/Gomboc-AI/gomboc-community-skills

Select the gomboc-community-marketplace
Select Browse Plugins
Select the Gomboc Community plugin

Plugin updates

If you have already installed the plugin, turn on auto-updates or manually update the marketplace to get the latest version.

Commands

The plugin exposes three slash commands for common workflows.

`/fix` — Scan and fix code

Scan source code for security anti-patterns and compliance gaps using the ORL classification policy corpus, then apply fixes using existing rules or by generating new ones on the fly.

/gomboc-community:fix main.tf — check encryption
/gomboc-community:fix ./infrastructure/ — security review
/gomboc-community:fix Dockerfile
/gomboc-community:fix k8s/ — least privilege
/gomboc-community:fix src/api/ — prevent code injection
/gomboc-community:fix . — CIS compliance check

Workflow: diagnose → select issues → apply fixes → optionally save as rules

`/create-rule` — Create a rule from scratch

Define a security or compliance policy and build a complete ORL rule package with tests.

/gomboc-community:create-rule Ensure all AWS S3 buckets have server-side encryption enabled using Terraform
/gomboc-community:create-rule Ensure Dockerfiles use pinned image digests instead of mutable tags
/gomboc-community:create-rule Ensure Kubernetes Deployments set runAsNonRoot in securityContext

Workflow: plan → build → add metadata → optionally push

`/convert-sentinel` — Convert a Sentinel policy to ORL

Convert a HashiCorp Sentinel policy (from a URL or local file path) into one or more tested ORL rule packages.

/gomboc-community:convert-sentinel https://raw.githubusercontent.com/hashicorp/terraform-sentinel-policies/main/aws/restrict-ec2-instance-type.sentinel
/gomboc-community:convert-sentinel ./policies/require-most-recent-ami-version.sentinel

Workflow: analyze → build rules → add metadata → optionally push

Skills

Each command orchestrates one or more underlying skills:

Skill

Description

diagnose

Classification-driven analyzer — detects language, loads matching policies, walks the AST, and reports prioritized findings

apply-fix

Applies a fix using an existing ORL rule or generates a new one, with optional save-as-rule

plan-rule

Analyzes requirements, identifies test cases, and creates a plan for an ORL rule

build-rule

Creates workspace files, writes the ORL rule, and runs tests

add-metadata

Adds metadata (name, description, classifications, provider) to a rule

push-rule

Pushes a completed rule to the Gomboc Rules Service

cleanup-rule

Evaluates a rule package against release standards and produces a remediation checklist

convert-sentinel

Converts a HashiCorp Sentinel policy into tested ORL rule packages

Supported languages

Language

ORL language ID

Use case

Terraform

terraform

AWS, Azure, GCP infrastructure

HCL

hcl

Terragrunt, Packer, Consul, Vault configs

CloudFormation YAML

cloudformation-yaml

AWS infrastructure (YAML format)

CloudFormation JSON

cloudformation-json

AWS infrastructure (JSON format)

Bicep

bicep

Azure infrastructure

Dockerfile

docker

Container image definitions

Kubernetes

kubernetes

K8s manifests (Deployments, Pods, Services, etc.)

Python

python

Application code, AWS CDK, Pulumi, SDK usage

Publishing rules

To push rules to your Gomboc Community Edition account:

Set your Personal Access Token: export RULE_SERVICE_TOKEN=your-pat-here
Run /gomboc-community:push-rule from your rule directory, or use the ORL CLI directly:

See Publish for more on rule publishing, channels, and classifications.

Rule package structure

Each rule is a self-contained directory:

my-rule/
├── my-rule.orl            # Main rule file
├── test.orl               # Test definition
├── workspace/             # Source files with violations
└── workspace_expected/    # Source files after remediation

Classification-driven analysis

The /fix command uses the ORL classification policy corpus as its knowledge base. Each classification YAML defines what security or compliance policy to enforce, which languages and resource types it applies to, impact and risk scores for prioritization, and compliance framework mappings (CIS, NIST CSF, PCI-DSS, AWS Well-Architected, etc.).

Adding new classification YAMLs automatically extends what /fix can detect — no plugin changes needed.

PreviousUser Variables NextGomboc Enterprise Skills

Last updated 3 days ago