Skip to content

Gomboc-AI/gomboc-community-skills

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

30 Commits
.claude-plugin
.claude-plugin
 
 
assets/templates
assets/templates
 
 
commands
commands
 
 
references
references
 
 
scripts
scripts
 
 
skills
skills
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

Gomboc ORL Community Skills

A Claude Code plugin for scanning, fixing, and creating ORL (Open Remediation Language) rules across Infrastructure as Code, containers, orchestration, and application code. Supports Terraform, HCL/Terragrunt, CloudFormation (YAML + JSON), Bicep, Dockerfile, Kubernetes, and Python.

Prerequisites

  • Claude Code CLI installed
  • Docker installed and running
  • ORL Docker image: docker pull gombocai/orl (Docker Hub)
  • A Gomboc Personal Access Token (PAT) for pushing rules (optional)

ORL via Docker

All ORL commands run via the gombocai/orl Docker image. The current directory is mounted into the container at /workspace:

docker run -v "${PWD}:/workspace" gombocai/orl <command>

Examples:

docker run -v "${PWD}:/workspace" gombocai/orl test .
docker run -v "${PWD}:/workspace" gombocai/orl walk workspace --language terraform ./workspace
docker run -v "${PWD}:/workspace" gombocai/orl remediate -d --language terraform -r . ./workspace

To push rules, pass your token via the -e flag:

docker run -v "${PWD}:/workspace" -e RULE_SERVICE_TOKEN gombocai/orl rules push .

Installation

From the marketplace

claude plugin marketplace add Gomboc-AI/gomboc-community-skills
claude plugin install gomboc-community@gomboc-community-marketplace

From local path

claude plugin install /path/to/community-skills

Commands

/fix — Scan and Fix Code

Scan source code for security anti-patterns and compliance gaps using the ORL classification policy corpus, then apply fixes — using existing rules or generating new ones on the fly. Optionally save fixes as reusable rules.

/gomboc-community:fix main.tf — check encryption
/gomboc-community:fix ./infrastructure/ — security review
/gomboc-community:fix Dockerfile
/gomboc-community:fix k8s/ — least privilege
/gomboc-community:fix src/api/ — prevent code injection
/gomboc-community:fix . — CIS compliance check

Workflow: diagnose → select issues → apply fixes → optionally save as rules

/create-rule — Create a Rule from Scratch

Define a security or compliance policy and build a complete ORL rule package with tests.

/gomboc-community:create-rule Ensure all AWS S3 buckets have server-side encryption enabled using Terraform
/gomboc-community:create-rule Ensure Dockerfiles use pinned image digests instead of mutable tags
/gomboc-community:create-rule Ensure Kubernetes Deployments set runAsNonRoot in securityContext

Workflow: plan → build → add metadata → optionally push

Skills

Skill Description
diagnose Classification-driven analyzer — detects language, loads matching policies, walks the AST, reports prioritized findings
apply-fix Applies a fix using an existing ORL rule or generates a new one, with optional save-as-rule
plan-rule Analyze requirements, identify test cases, and create a plan for an ORL rule
build-rule Create workspace files, write the ORL rule, and test it
add-metadata Add basic metadata (name, description, classifications, provider) to a rule
push-rule Push a completed rule to the Gomboc Rules Service
cleanup-rule Evaluate a rule package against release standards and produce a detailed remediation checklist

Supported Languages

Language ORL Language ID Use Case
Terraform terraform AWS, Azure, GCP infrastructure
HCL hcl Terragrunt, Packer, Consul, Vault configs
CloudFormation YAML cloudformation-yaml AWS infrastructure (YAML format)
CloudFormation JSON cloudformation-json AWS infrastructure (JSON format)
Bicep bicep Azure infrastructure
Dockerfile docker Container image definitions
Kubernetes kubernetes K8s manifests (Deployments, Pods, Services, etc.)
Python python Application code, AWS CDK, Pulumi, SDK usage

Classification-Driven Analysis

The /fix command uses the ORL classification policy corpus (/orl-rules/final/classifications/policies/) as its knowledge base. Each classification YAML defines:

  • What security or compliance policy to enforce
  • Which languages and resource types it applies to
  • Impact and risk scores for prioritization
  • Compliance framework mappings (CIS, NIST CSF, PCI-DSS, AWS Well-Architected, etc.)

Adding new classification YAMLs automatically extends what /fix can detect — no plugin changes needed.

Publishing Rules

To push rules to your Gomboc Community Edition account:

  1. Set your Personal Access Token: export RULE_SERVICE_TOKEN=your-pat-here
  2. Run /gomboc-community:push-rule from your rule directory

Rule Package Structure

Each rule is a self-contained directory:

my-rule/
├── my-rule.orl            # Main rule file
├── test.orl               # Test definition
├── workspace/             # Source files with violations
└── workspace_expected/    # Source files after remediation

License

MIT

About

Agent skills for using Gomboc Community Edition (managed by tfc-github)

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages