
# Gomboc Enterprise Skills

The Gomboc Enterprise Skills plugin brings ORL (Open Remediation Language) workflows into your AI coding agent. Use it to scan code for security and compliance violations, deliver in-context fixes, author production-quality ORL rules, manage policy classifications, and publish rules to your organization's rule repository or the Gomboc Rules Service.

The plugin supports **Claude Code**, **Gemini CLI**, **OpenAI Codex**, and **Cursor**. It is distributed as a private zip package shared during Gomboc Enterprise onboarding (not published on a public marketplace).

## Plugins

| Plugin                | Purpose                                                                                                                      |
| --------------------- | ---------------------------------------------------------------------------------------------------------------------------- |
| `gomboc`              | Core skills: classification, ORL rule creation, in-context remediation, policy enforcement, language experts, and converters |
| `policy-fix-workflow` | Generate fix scenarios, run both fix modes, and evaluate accuracy and operational metrics                                    |

## Prerequisites

Before installing the plugin, make sure you have:

* A valid **Gomboc Enterprise** subscription
* Your target agent installed and configured (Claude Code, Gemini CLI, OpenAI Codex, or Cursor)
* [Docker](https://docs.docker.com/get-docker/) installed and running — the ORL runtime uses the `gombocai/orl:latest` container image (a local `orl` binary on `PATH` is optional)
* A **`GOMBOC_API_TOKEN`** for Gomboc Rules Service access — see [Generate A Personal Access Token](/getting-started/generate-a-personal-access-token.md)

## Installation

The plugin is distributed as a zip package via Google Drive during onboarding. Download it from the link your Gomboc contact provides and extract it to a stable location:

```bash
unzip ~/Downloads/gomboc-enterprise-skills.zip -d ~/gomboc/
```

The same extracted folder works for all four supported agent runtimes. Installation steps differ by agent — follow the guide for yours:

| Agent        | Install guide                                                                          |
| ------------ | -------------------------------------------------------------------------------------- |
| Claude Code  | [Claude (Enterprise)](/orl/agent-skills/gomboc-enterprise-skills/claude-enterprise.md) |
| Gemini CLI   | [Gemini (Enterprise)](/orl/agent-skills/gomboc-enterprise-skills/gemini-enterprise.md) |
| OpenAI Codex | [Codex (Enterprise)](/orl/agent-skills/gomboc-enterprise-skills/codex-enterprise.md)   |
| Cursor       | [Cursor (Enterprise)](/orl/agent-skills/gomboc-enterprise-skills/cursor-enterprise.md) |

After installation, configure your token in the environment your agent launches from:

```bash
export GOMBOC_API_TOKEN="<your-token>"
```

Verify the ORL runtime by asking the agent to run the `orl` skill with the `version` subcommand (for example, `/orl version` in Claude Code or Cursor Agent).

## Commands

The `gomboc` plugin exposes slash commands as high-level entry points. Each command orchestrates one or more underlying skills.

### `/fix` — Fix a violation in code you are looking at

Deliver an accurate fix for a policy violation in your code. Runs `analyze-context` → `build-fix` → `apply-fix`.

```
/fix "SQL queries must use parameterized statements" --files src/db/UserRepository.java
/fix "File uploads must validate content type before saving"
/fix "Controllers must not contain business logic — delegate to service layer"
```

**Workflow:** fingerprint the violation → build a targeted ORL rule from your real code → present the diff and apply on approval

Fixes are saved under `.gomboc/orl-rules/`. Promote a successful fix to a persistent org rule with `/save-rule`.

### `/new-policy` — Create a classification from a policy source

Create a classification YAML from a policy document or standard, then generate use cases for target languages.

```
/new-policy https://cwe.mitre.org/data/definitions/89.html --org gomboc-ai/acme --languages java,typescript
/new-policy ./docs/internal-auth-policy.md --languages python,go
/new-policy CKV_AWS_19 --org gomboc-ai/acme
```

**Workflow:** `manage-classifications` → review → `create-use-cases`

### `/new-rule` — Build a production-quality ORL rule

Full rule creation pipeline from an existing classification: build → review → enrich.

```
/new-rule gomboc-ai/acme/cwe/cwe-89-sql-injection --language java
/new-rule gomboc-ai/mitre/cwe/cwe-79-xss --language typescript
```

**Workflow:** `build-rule` → `review-rule` → `enrich-rule`

Follow with `/release` to promote the rule to your org repository.

### `/new-custom-classifications` — Batch-create org classifications

Interactive wizard for creating custom enterprise classifications under your organization namespace and uploading them to the Rules Service.

```
/new-custom-classifications
/new-custom-classifications --org acme --file ./acme-policies.csv
```

**Workflow:** `create-custom-classifications` → write YAML → upload via `rules-service`

### `/release` — Promote a rule to the org repository

Copy a reviewed, enriched rule package to your org's ORL rule repository and open a PR (or publish directly with `--push`).

```
/release ./workspace/java-spring-ensure-parameterized-sql-queries/
/release ./workspace/ts-express-ensure-helmet-middleware/ --org-rules-path ../acme-orl-rules
/release ./workspace/my-rule/ --push
```

**Workflow:** `release-rule` → quality assessment → PR or `orl rules push`

### `/save-rule` — Promote an in-context fix to a persistent rule

Promote one or more rules from `.gomboc/orl-rules/` to your org's rule repository.

```
/save-rule --classification gomboc-ai/mitre/cwe/cwe-89-sql-injection
/save-rule --rule-path .gomboc/orl-rules/20260418-143022-ensure-parameterized-queries \
           --classification gomboc-ai/mitre/cwe/cwe-89-sql-injection \
           --generalize
```

**Workflow:** enrich + review in parallel → background release (PR or `--push`)

## Policy enforcement loop

For scanning an entire codebase against a policy — diagnosing violations, assessing rule coverage, applying existing rules or building new ones, and verifying compliance — use the **`enforce-policy`** skill or read the full workflow guide:

➡ [Policy Enforcement Loop](/orl/agent-skills/gomboc-enterprise-skills/policy-enforcement-loop.md)

```
diagnose → assess rule coverage → apply existing rules or build new ones → verify
```

In Cursor, you can invoke `/enforce-policy` directly. In Claude Code, ask the agent to enforce a policy against a target path, or step through individual skills (`diagnose`, `orl-remediation-planner`, `orl-expert`, etc.) for finer control.

## CSPM triage loop

For triaging a live cloud security alert from Wiz or another CSPM tool — fetching the observation, tracing it to IaC code, building or reusing an ORL rule, applying the fix, and posting a resolution note back — use the **`cspm-triage`** skill or read the full workflow guide:

➡ [CSPM Triage Loop](https://github.com/Gomboc-AI/gitbook-user-docs/blob/main/orl/agent-skills/gomboc-enterprise-skills/cspm-triage-loop.md)

```
fetch alert → classify → diagnose code → build rule → enrich → review → release → apply → note
```

In Cursor, you can invoke `/cspm-triage` directly. In Claude Code, describe the alert and source path in natural language and the agent activates the skill automatically.

## Key skills

Each command orchestrates underlying skills. The most commonly used:

| Skill                    | Description                                                                                                                 |
| ------------------------ | --------------------------------------------------------------------------------------------------------------------------- |
| `diagnose`               | Classification-driven analyzer — detects language, loads matching policies, walks the AST, and reports prioritized findings |
| `analyze-context`        | Fingerprints language, framework, and the exact AST violation pattern in code you are looking at                            |
| `build-fix`              | Writes a targeted ORL rule using your real code as the workspace                                                            |
| `apply-fix`              | Runs `orl remediate --dry-run`, presents the diff, and applies on approval                                                  |
| `enforce-policy`         | Full diagnose → cover → apply → verify loop                                                                                 |
| `build-rule`             | Creates workspace files, writes the ORL rule, and runs tests from a classification                                          |
| `review-rule`            | 12-item robustness checklist and overlap check against existing released rules                                              |
| `enrich-rule`            | Applies full metadata annotation with org-specific validation                                                               |
| `release-rule`           | Copies to org rules repo, runs quality assessment, opens a PR                                                               |
| `save-as-rule`           | Promotes in-context rules from `.gomboc/orl-rules/` to the org repository                                                   |
| `manage-classifications` | Routes policy input to the right classification expert and writes YAML                                                      |
| `rules-service`          | Query or publish against the Gomboc Rules Service API                                                                       |

The plugin also includes **40 language expert skills** (`language-*-expert`), **classification experts** for MITRE, OWASP, Prisma Cloud, Wiz, HashiCorp Sentinel, and **converters** for Sentinel and Terraform Policy.

## Supported languages

ORL supports 40+ languages across IaC, application code, and configuration formats. Language expert skills are dispatched automatically based on detected language. Common examples:

| Category         | Languages                                                                            |
| ---------------- | ------------------------------------------------------------------------------------ |
| IaC              | Terraform, HCL, CloudFormation (YAML/JSON), Bicep, ARM, Kubernetes, Helm, Dockerfile |
| Application code | Java, TypeScript, JavaScript, Python, Go, C#, Ruby, Kotlin, Scala, Rust, and more    |
| Config / data    | YAML, JSON, XML, TOML, SQL, Bash, Markdown                                           |

See [Languages](https://github.com/Gomboc-AI/gitbook-user-docs/blob/main/orl/agent-skills/concepts/languages.md) for the full list.

## Workspace conventions

Skills write outputs to `.gomboc/` in your workspace root:

```
.gomboc/
├── orl-rules/          in-context rule packages (from /fix → /save-rule)
├── cache/              local rule and classification cache
│   └── classifications/
└── audit-findings.md   AUDIT_ONLY findings summary
```

Add `.gomboc/` to `.gitignore`, or selectively commit `orl-rules/` to track in-context rules.

## Remediation types

When `/fix` or `apply-fix` runs a rule, the outcome depends on the rule's remediation capability:

| Type                     | Result                                                                     |
| ------------------------ | -------------------------------------------------------------------------- |
| `FULL_REMEDIATION`       | Diff shown and applied on confirmation — all values are deterministic      |
| `REMEDIATION_WITH_INPUT` | Structural fix applied; you supply values for `USER_INPUT_N` placeholders  |
| `AUDIT_ONLY`             | Violation annotated inline; summary written to `.gomboc/audit-findings.md` |
| `UNREMEDIATEABLE`        | Violation detected but not actionable via ORL                              |

## Publishing rules

To publish rules directly to the Gomboc Rules Service instead of opening a PR:

1. Set `GOMBOC_API_TOKEN` in your agent environment (or plugin config for Claude Code)
2. Use `--push` with `/release` or `/save-rule`

See [Publish](https://github.com/Gomboc-AI/gitbook-user-docs/blob/main/orl/agent-skills/publish/README.md) for more on rule publishing, channels, and classifications.

## Rule package structure

Each rule is a self-contained directory:

```
my-rule/
├── my-rule.orl            # Main rule file
├── test.orl               # Test definition
├── workspace/             # Source files with violations
└── workspace_expected/    # Source files after remediation
```
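As an added illustration (not part of the plugin or its skills), a Python check that validates this layout before a `/release`: it confirms the main `.orl` file is named after the directory as in the tree above, that `test.orl` exists, that every file under `workspace/` has a counterpart in `workspace_expected/`, and it reports which files the expected output actually changes. The sample package it builds is constructed for the demo, and the requirement that the two workspace trees mirror each other file for file is an assumption of this check, not something the page states.

```python
import filecmp
import tempfile
from pathlib import Path


def check_rule_package(rule_dir: str) -> dict:
    """Return {'errors', 'warnings', 'changed'}: errors block a release,
    changed lists files that workspace_expected/ modifies vs workspace/."""
    root = Path(rule_dir)
    errors, warnings = [], []
    if not (root / f"{root.name}.orl").is_file():  # main file is named after the dir
        errors.append(f"missing main rule file {root.name}.orl")
    if not (root / "test.orl").is_file():
        errors.append("missing test.orl")
    ws, exp = root / "workspace", root / "workspace_expected"
    for d in (ws, exp):
        if not d.is_dir():
            errors.append(f"missing directory {d.name}/")
    if errors:
        return {"errors": errors, "warnings": warnings, "changed": []}
    ws_files = {p.relative_to(ws) for p in ws.rglob("*") if p.is_file()}
    exp_files = {p.relative_to(exp) for p in exp.rglob("*") if p.is_file()}
    for rel in sorted(ws_files ^ exp_files):  # assumption: trees mirror each other
        errors.append(f"{rel} is present in only one of workspace/ and workspace_expected/")
    changed = [str(rel) for rel in sorted(ws_files & exp_files)
               if not filecmp.cmp(ws / rel, exp / rel, shallow=False)]
    if not errors and not changed:
        warnings.append("workspace_expected/ equals workspace/: the rule remediates nothing")
    return {"errors": errors, "warnings": warnings, "changed": changed}


def make_sample_package(base: str) -> str:
    """Create a constructed sample package (not a real Gomboc rule) under base."""
    root = Path(base) / "java-ensure-parameterized-sql"
    for sub in ("workspace/src", "workspace_expected/src"):
        (root / sub).mkdir(parents=True)
    (root / f"{root.name}.orl").write_text("# rule body (placeholder)\n")
    (root / "test.orl").write_text("# test definition (placeholder)\n")
    before = 'rs = stmt.executeQuery("SELECT * FROM users WHERE id=" + id);\n'
    after = 'ps = conn.prepareStatement("SELECT * FROM users WHERE id=?");\n'
    (root / "workspace/src/Repo.java").write_text(before)
    (root / "workspace_expected/src/Repo.java").write_text(after)
    return str(root)


def demo() -> dict:
    """Run the check on the sample package inside a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return check_rule_package(make_sample_package(tmp))
```

Running `demo()` on the constructed package reports no errors and `changed == ['src/Repo.java']`; pointing `check_rule_package` at a directory missing `test.orl` or an unmatched workspace file returns the corresponding error instead.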

## Further reading

* [Claude (Enterprise)](/orl/agent-skills/gomboc-enterprise-skills/claude-enterprise.md) — install guide for Claude Code
* [Gemini (Enterprise)](/orl/agent-skills/gomboc-enterprise-skills/gemini-enterprise.md) — install guide for Gemini CLI
* [Codex (Enterprise)](/orl/agent-skills/gomboc-enterprise-skills/codex-enterprise.md) — install guide for OpenAI Codex
* [Cursor (Enterprise)](/orl/agent-skills/gomboc-enterprise-skills/cursor-enterprise.md) — install guide for Cursor
* [Policy Enforcement Loop](/orl/agent-skills/gomboc-enterprise-skills/policy-enforcement-loop.md) — full loop diagram and stage breakdown
* [CSPM Triage Loop](https://github.com/Gomboc-AI/gitbook-user-docs/blob/main/orl/agent-skills/gomboc-enterprise-skills/cspm-triage-loop.md) — trace a Wiz/CSPM alert to a code fix and resolution note
* [ORL Quickstart](https://github.com/Gomboc-AI/gitbook-user-docs/blob/main/orl/agent-skills/quickstart.md) — write your first ORL rule
* [ORL Core Concepts](https://github.com/Gomboc-AI/gitbook-user-docs/blob/main/orl/agent-skills/concepts.md) — audit, remediation, workspace, rule-space, tests
* Enterprise support: <eng@gomboc.ai>
