Gomboc Enterprise Skills
The Gomboc Enterprise Skills plugin brings ORL (Open Remediation Language) workflows into your AI coding agent. Use it to scan code for security and compliance violations, deliver in-context fixes, author production-quality ORL rules, manage policy classifications, and publish rules to your organization's rule repository or the Gomboc Rules Service.
The plugin supports Claude Code, Gemini CLI, OpenAI Codex, and Cursor. It is distributed as a private zip package shared during Gomboc Enterprise onboarding (not published on a public marketplace).
Plugins
gomboc
Core skills: classification, ORL rule creation, in-context remediation, policy enforcement, language experts, and converters
policy-fix-workflow
Generate fix scenarios, run both fix modes, and evaluate accuracy and operational metrics
Prerequisites
Before installing the plugin, make sure you have:
A valid Gomboc Enterprise subscription
Your target agent installed and configured (Claude Code, Gemini CLI, OpenAI Codex, or Cursor)
Docker installed and running — the ORL runtime uses the gombocai/orl:latest container image (a local orl binary on PATH is optional)
A GOMBOC_API_TOKEN for Gomboc Rules Service access — see Generate A Personal Access Token
Installation
The plugin is distributed as a zip package via Google Drive during onboarding. Download it from the link your Gomboc contact provides and extract it to a stable location:
unzip ~/Downloads/gomboc-enterprise-skills.zip -d ~/gomboc/
The same extracted folder works for all four supported agent runtimes. Installation steps differ by agent — follow the guide for yours:
Claude Code
Gemini CLI
OpenAI Codex
Cursor
After installation, set GOMBOC_API_TOKEN in the environment your agent launches from.
Verify the ORL runtime by asking the agent to run the orl skill with the version subcommand (for example, /orl version in Claude Code or Cursor Agent).
Commands
The gomboc plugin exposes slash commands as high-level entry points. Each command orchestrates one or more underlying skills.
/fix — Fix a violation in code you are looking at
Deliver an accurate fix for a policy violation in your code. Runs analyze-context → build-fix → apply-fix.
Workflow: fingerprint the violation → build a targeted ORL rule from your real code → present the diff and apply on approval
Fixes are saved under .gomboc/orl-rules/. Promote a successful fix to a persistent org rule with /save-rule.
/new-policy — Create a classification from a policy source
Create a classification YAML from a policy document or standard, then generate use cases for target languages.
Workflow: manage-classifications → review → create-use-cases
/new-rule — Build a production-quality ORL rule
Full rule creation pipeline from an existing classification: build → review → enrich.
Workflow: build-rule → review-rule → enrich-rule
Follow with /release to promote the rule to your org repository.
/new-custom-classifications — Batch-create org classifications
Interactive wizard for creating custom enterprise classifications under your organization namespace and uploading them to the Rules Service.
Workflow: create-custom-classifications → write YAML → upload via rules-service
/release — Promote a rule to the org repository
Copy a reviewed, enriched rule package to your org's ORL rule repository and open a PR (or publish directly with --push).
Workflow: release-rule → quality assessment → PR or orl rules push
/save-rule — Promote an in-context fix to a persistent rule
Promote one or more rules from .gomboc/orl-rules/ to your org's rule repository.
Workflow: enrich + review in parallel → background release (PR or --push)
Policy enforcement loop
For scanning an entire codebase against a policy — diagnosing violations, assessing rule coverage, applying existing rules or building new ones, and verifying compliance — use the enforce-policy skill or read the full workflow guide:
In Cursor, you can invoke /enforce-policy directly. In Claude Code, ask the agent to enforce a policy against a target path, or step through individual skills (diagnose, orl-remediation-planner, orl-expert, etc.) for finer control.
CSPM triage loop
For triaging a live cloud security alert from Wiz or another CSPM tool — fetching the observation, tracing it to IaC code, building or reusing an ORL rule, applying the fix, and posting a resolution note back — use the cspm-triage skill or read the full workflow guide:
In Cursor, you can invoke /cspm-triage directly. In Claude Code, describe the alert and source path in natural language and the agent activates the skill automatically.
Key skills
Each command orchestrates underlying skills. The most commonly used:
diagnose
Classification-driven analyzer — detects language, loads matching policies, walks the AST, and reports prioritized findings
analyze-context
Fingerprints language, framework, and the exact AST violation pattern in code you are looking at
build-fix
Writes a targeted ORL rule using your real code as the workspace
apply-fix
Runs orl remediate --dry-run, presents the diff, and applies on approval
enforce-policy
Full diagnose → cover → apply → verify loop
build-rule
Creates workspace files, writes the ORL rule, and runs tests from a classification
review-rule
12-item robustness checklist and overlap check against existing released rules
enrich-rule
Applies full metadata annotation with org-specific validation
release-rule
Copies to org rules repo, runs quality assessment, opens a PR
save-as-rule
Promotes in-context rules from .gomboc/orl-rules/ to the org repository
manage-classifications
Routes policy input to the right classification expert and writes YAML
rules-service
Query or publish against the Gomboc Rules Service API
The plugin also includes 40 language expert skills (language-*-expert), classification experts for MITRE, OWASP, Prisma Cloud, Wiz, HashiCorp Sentinel, and converters for Sentinel and Terraform Policy.
Supported languages
ORL supports 40+ languages across IaC, application code, and configuration formats. Language expert skills are dispatched automatically based on detected language. Common examples:
IaC
Terraform, HCL, CloudFormation (YAML/JSON), Bicep, ARM, Kubernetes, Helm, Dockerfile
Application code
Java, TypeScript, JavaScript, Python, Go, C#, Ruby, Kotlin, Scala, Rust, and more
Config / data
YAML, JSON, XML, TOML, SQL, Bash, Markdown
See Languages for the full list.
Workspace conventions
Skills write outputs to .gomboc/ in your workspace root:
Add .gomboc/ to .gitignore, or selectively commit orl-rules/ to track in-context rules.
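The "selectively commit orl-rules/" option has a git-specific catch: git cannot re-include a path whose parent directory is ignored, so ignoring `.gomboc/` outright makes a later `!.gomboc/orl-rules/` line ineffective. The following added helper (not part of the plugin) writes the working form, `.gomboc/*` plus the negation, idempotently into a workspace's .gitignore; the workspace path argument is assumed.

```shell
#!/bin/sh
# Idempotently configure .gitignore so .gomboc/ scratch output stays untracked
# while .gomboc/orl-rules/ can still be committed. Added helper, not plugin code.
gomboc_gitignore() {
    # $1: workspace root (assumed argument; defaults to the current directory)
    root="${1:-.}"
    file="$root/.gitignore"
    [ -f "$file" ] || : > "$file"

    # A file that does not end in a newline would otherwise fuse our first
    # pattern onto its last line; `read` fails when the final byte is not '\n'.
    if [ -s "$file" ] && ! tail -c1 "$file" | read -r _; then
        printf '\n' >> "$file"
    fi

    # '.gomboc/*' ignores the directory's contents (not the directory itself),
    # which is what allows the negation on orl-rules/ to take effect.
    for pattern in '.gomboc/*' '!.gomboc/orl-rules/'; do
        # -x whole-line match, -F literal text (patterns contain '*' and '!')
        if ! grep -qxF -- "$pattern" "$file"; then
            printf '%s\n' "$pattern" >> "$file"
        fi
    done
}
```

Running it twice leaves a single copy of each pattern, and existing entries are preserved.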
Remediation types
When /fix or apply-fix runs a rule, the outcome depends on the rule's remediation capability:
FULL_REMEDIATION
Diff shown and applied on confirmation — all values are deterministic
REMEDIATION_WITH_INPUT
Structural fix applied; you supply values for USER_INPUT_N placeholders
AUDIT_ONLY
Violation annotated inline; summary written to .gomboc/audit-findings.md
UNREMEDIATEABLE
Violation detected but not actionable via ORL
Publishing rules
To publish rules directly to the Gomboc Rules Service instead of opening a PR:
Set GOMBOC_API_TOKEN in your agent environment (or plugin config for Claude Code)
Use --push with /release or /save-rule
See Publish for more on rule publishing, channels, and classifications.
Rule package structure
Each rule is a self-contained directory:
Further reading
Claude (Enterprise) — install guide for Claude Code
Gemini (Enterprise) — install guide for Gemini CLI
Codex (Enterprise) — install guide for OpenAI Codex
Cursor (Enterprise) — install guide for Cursor
Policy Enforcement Loop — full loop diagram and stage breakdown
CSPM Triage Loop — trace a Wiz/CSPM alert to a code fix and resolution note
ORL Quickstart — write your first ORL rule
ORL Core Concepts — audit, remediation, workspace, rule-space, tests
Enterprise support: [email protected]