Code Remediation with Gomboc.ai Community Edition

v0.2.5

Automatically scans and generates deterministic, merge-ready code fixes for infrastructure, app code, and configs using Gomboc.ai's Open Remediation Language.

⭐ 0· 95·0 current·0 all-time

byGomboc AI@gomboc-ai·duplicate of @iiamit/gomboc-remediation

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for gomboc-ai/gomboc-security-community.

Previewing Install & Setup.

Prompt PreviewInstall & Setup

Install the skill "Code Remediation with Gomboc.ai Community Edition" (gomboc-ai/gomboc-security-community) from ClawHub.
Skill page: https://clawhub.ai/gomboc-ai/gomboc-security-community
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install gomboc-security-community

ClawHub CLI

Package manager switcher

npx clawhub@latest install gomboc-security-community

Security Scan

VirusTotal

Pending

View report →

OpenClaw

Suspicious

medium confidence

ℹ

Purpose & Capability

The SKILL.md, README, and CLI wrapper consistently describe a remediation tool that calls https://api.app.gomboc.ai/graphql using a GOMBOC_PAT token — this is coherent with the stated purpose. However, the top-level registry metadata in the provided bundle listed 'Required env vars: none' and 'Primary credential: none', while .clawhub.yml and the code require GOMBOC_PAT. That metadata mismatch is unexpected and should be resolved (the runtime clearly needs a token).

✓

Instruction Scope

Runtime instructions and the CLI wrapper focus on scanning, requesting fixes, and (optionally) remediating code via the Gomboc API. The scripts read repository files under the provided path and make HTTPS requests to the documented Gomboc GraphQL endpoint. There are no instructions to read unrelated system files or to exfiltrate arbitrary data beyond what the Gomboc API calls would transmit (account and scan/fix info).

ℹ

Install Mechanism

This is an instruction-only skill (no install spec). It includes code files and a docker-compose that references the Docker image gombocai/mcp:latest. There is no automatic installer, but running the docker-compose will pull a container image from a public registry — validate that image and its provenance before running. No other unusual download URLs or obfuscated installers were found.

Credentials

The actual runtime requires a single sensitive env var (GOMBOC_PAT) used for Bearer authentication to the remote API — appropriate and proportionate for this service. However, the provided registry metadata incorrectly indicates no required env vars; this inconsistency could mislead users and policy engines. Ensure you only provide a dedicated, least-privilege token and do not reuse broader credentials.

✓

Persistence & Privilege

The skill does not request 'always: true' and does not modify other skills or global agent config. It can be invoked by agents (normal default). The code does not contain autonomous installation or privilege-escalation behavior.

What to consider before installing

This skill appears to be a legitimate wrapper around the Gomboc.ai remediation API and requires a personal access token (GOMBOC_PAT). Before installing: (1) verify the skill's origin/repository and that the package you received actually comes from the official Gomboc project; (2) confirm the .clawhub.yml requirement for GOMBOC_PAT (the registry metadata in the bundle is inconsistent); (3) only provide a dedicated, least-privilege token (do not reuse org-wide or cloud credentials) and store it in your CI secrets manager; (4) inspect and vet the Docker image gombocai/mcp:latest before running docker-compose; (5) run the CLI and any setup scripts in a sandbox or isolated test repo first to confirm behavior; (6) require human review of auto-generated fixes / PRs before merging or enabling auto-commit/push in CI. These checks will reduce risk from misconfiguration or a malicious/compromised upstream image.

Like a lobster shell, security has layers — review code before you run it.

latestvk9760mcw6etm6gbn50bv6pmtpd83me8m

95downloads

0stars

4versions

Updated 1mo ago

v0.2.5

MIT-0

Gomboc Code Remediation Skill

Deterministic, merge-ready code fixes powered by ORL (Open Remediation Language).

Provenance & External Dependencies

Source: This skill wraps the official Gomboc.ai Community Edition code remediation engine.

Official Documentation: https://docs.gomboc.ai
Community Discussions: https://github.com/Gomboc-AI/gomboc-ai-feedback/discussions
GitHub App: https://github.com/apps/gomboc-ai-community

External API Dependency:

Endpoint: https://api.app.gomboc.ai/graphql
Authentication: Bearer token (Personal Access Token from https://app.gomboc.ai)
Required: Free account at Gomboc.ai (no credit card)
Setup: Generate token in Settings → Personal Access Tokens

Token Scope & Security (Least Privilege):

Scope: Read-only API access (minimal required permissions)
Capabilities: Query account, scans, runs, and fix events only
Restrictions: Cannot modify, delete, or alter Gomboc configurations
Safe for CI/CD: No destructive capabilities, suitable for GitHub Actions and workflow secrets
Best Practice: Generate a dedicated token per environment/workflow; never commit to code
Storage: Use GitHub Secrets (Actions) or CI provider's secure secret management
Verification: Check token scope in Gomboc settings before use in production

Shipped Files:

SKILL.md — This documentation
README.md — Quick start guide
SECURITY.md — Security audit
scripts/cli-wrapper.py — Python CLI wrapper
scripts/docker-compose.yml — MCP server configuration
examples/vulnerable.tf — Example vulnerable code
references/ — Integration guides

License: MIT (see LICENSE.md)

Gomboc.ai Community Edition automatically scans and fixes code issues across your entire codebase — infrastructure, applications, configurations, and more — using a deterministic remediation engine (no hallucinations). Unlike traditional scanners that generate alerts, Gomboc delivers merge-ready pull requests that clear your code issues backlogs. This skill wraps Gomboc's power into agent workflows, CLI tools, and CI/CD pipelines, making it the perfect complement to agentic coding.

How Gomboc Works

Gomboc's Open Remediation Language (ORL) engine operates through a multi-stage deterministic process:

Policy Definition → Code Analysis → Deterministic Fix Generation → PR Delivery

Understands your environment and code context
Turns policies into executable rules using ORL
Analyzes your code with full syntax-tree precision (via Tree-sitter)
Generates deterministic fixes (same input = same output, always)
Delivers merge-ready pull requests ready to review and ship

Key difference: While generative AI is probabilistic (helpful for reasoning but unpredictable), Gomboc's ORL provides deterministic remediation — predictable, repeatable, and auditable.

What It Does

Scan any codebase for issues (infrastructure, application code, configs)
Generate deterministic, merge-ready pull requests with fixes
Remediate continuously via GitHub Actions or interactive CLI/MCP
Trust 94%+ fix acceptance rate with zero hallucinations (ORL Engine)
Pair with agents — deterministic remediation that works perfectly alongside agentic coding systems

Supported Languages & Frameworks

ORL supports remediation across multiple languages and code types via syntax-tree matching (Tree-sitter):

Infrastructure as Code
- Terraform (HCL)
- CloudFormation (YAML/JSON)
- Kubernetes manifests (YAML)
- Helm charts
Configuration Files
- JSON, YAML, HCL
- Shell scripts
- Docker files
Code Languages
- Python
- JavaScript/TypeScript
- Go, Java, C#, Rust, and 20+ more
Cloud Providers
- AWS, Azure, GCP, OCI
- Kubernetes, Helm
Policy Coverage
- CIS benchmarks
- AWS best practices
- Security hardening
- Custom org policies

Full language list: docker run --rm gombocai/orl language

Quick Start

1. Get a Token

# Sign up at https://app.gomboc.ai (free, Community Edition)
# Generate Personal Access Token in Settings
export GOMBOC_PAT="gpt_your_token"

2. Scan Code

python scripts/cli-wrapper.py scan --path ./src

3. Generate Fixes

python scripts/cli-wrapper.py fix --path ./src

4. Apply Fixes (Optional)

python scripts/cli-wrapper.py remediate --path ./src --commit

Key Features

✅ Deterministic AI — Same fix every time, no hallucinations ✅ 94%+ Accuracy — Merge-ready fixes users actually accept ✅ Free Forever — Community Edition of Gomboc.ai ✅ Production-Ready — Battle-tested implementation ✅ Secure by Design — No token leaking, proper error handling ✅ Agent-Friendly — Perfect for autonomous code improvement loops

CLI Commands

scan

Detect issues in your codebase

gomboc scan path:./terraform
gomboc scan path:./src policy:aws-cis format:markdown

fix

Generate merge-ready fixes

gomboc fix path:./terraform format:pull_request
gomboc fix path:./src format:json

remediate

Apply fixes directly to code

gomboc remediate path:./src commit:true
gomboc remediate path:./terraform commit:true push:true

config

Manage authentication

gomboc config --show-token

Why This Matters for Agents

Gomboc solves the determinism problem in AI-driven code improvement:

Deterministic Fixes — ORL ensures same code always produces same fix (no randomness)
Repeatable — Policies execute consistently across runs, repos, and teams
Trustworthy — 94%+ merge rate because fixes are syntax-aware, not brittle regex patterns
Safe for Agents — Agents can autonomously scan → generate → apply without human fear
Continuous Improvement — Perfect for agentic loops: code generation → scanning → remediation → iterate

The Agent Workflow:

Agent generates code
Gomboc scans and identifies issues
ORL generates deterministic fixes
Agent reviews and applies fixes
Repeat with next feature/iteration

This creates a feedback loop where agents learn and improve continuously.

Integration Methods

Gomboc integrates into your workflow through multiple paths:

1. VS Code / Cursor IDE (Developers)

Fastest way to try Gomboc interactively:

# Install: Gomboc VS Code Extension
# Set: GOMBOC_PAT in extension settings
# Run: Gomboc: Scan current file
# Review: Problems panel → Apply Fix

Real-time scanning as you save
Interactive fix review and apply
See: https://docs.gomboc.ai/getting-started-ce

2. MCP Server (Agents)

Run the MCP server for agent integration:

docker-compose -f scripts/docker-compose.yml up
# Server runs on http://localhost:3100

# Or: docker run -p 3100:3100 -e GOMBOC_PAT='your_token' gombocai/mcp:latest

Agents interact with Gomboc via MCP protocol:

@gomboc scan path:./src
@gomboc fix path:./src format:pull_request
@gomboc remediate path:./code commit:true

See references/mcp-integration.md for details.

3. CLI Tool (Developers & Scripts)

Use the Python CLI for local scanning:

export GOMBOC_PAT="your_token"
python scripts/cli-wrapper.py scan --path ./src --format markdown
python scripts/cli-wrapper.py fix --path ./src --format pull_request
python scripts/cli-wrapper.py remediate --path ./src --commit

See references/setup.md for detailed instructions.

4. GitHub App (Automated)

Install Gomboc GitHub App for automatic PRs:

https://github.com/apps/gomboc-ai-community
Select repos to monitor
Gomboc automatically scans on PR, generates fixes

5. GitHub Actions (CI/CD)

Automate continuous remediation in pipelines:

- uses: gomboc-action@v1
  with:
    path: ./terraform
    auto-fix: true
    policy: default

See references/github-action.md for configuration.

Configuration

All configuration is via environment variables:

Variable	Purpose	Required	Example
`GOMBOC_PAT`	Personal Access Token	Yes	`gpt_abc123...`
`GOMBOC_MCP_URL`	MCP server URL	No	`http://localhost:3100`
`GOMBOC_POLICY`	Remediation policy	No	`default` or `aws-cis`

Security & Audit

This skill has been:

✅ Security-audited for token handling
✅ Verified against live Gomboc API
✅ Tested with real vulnerabilities
✅ Confirmed production-ready

See SECURITY.md for complete audit details.

Open Remediation Language (ORL)

ORL is the deterministic execution engine that powers Gomboc fixes:

Deterministic Remediation

Same input = same output, always (no probabilistic AI)
Syntax-tree aware (via Tree-sitter) instead of brittle regex
Safe for bulk remediation across large codebases
Results are auditable and reviewable

How ORL Works

Detects policy violations by analyzing syntax trees
Evaluates context and code structure
Applies precise transformations (insert, modify, delete)
Validates fixes are safe and complete

Policy-Driven Fixes

Policies define what should be fixed (CIS, AWS best practices, custom rules)
ORL rules execute those policies to generate code changes
Policy Sets let you customize enforcement by environment/team

See: https://docs.gomboc.ai/orl

Support & Documentation

Setup Guide: references/setup.md
MCP Integration: references/mcp-integration.md
GitHub Actions: references/github-action.md
Security Audit: SECURITY.md
Changelog: CHANGELOG.md
Gomboc Official Docs: https://docs.gomboc.ai
ORL Documentation: https://docs.gomboc.ai/orl
GitHub Feedback: https://github.com/Gomboc-AI/gomboc-ai-feedback/discussions

License

MIT License — See LICENSE file

Ready to remediate? Start with the Quick Start section above, then explore integration methods that fit your workflow.

Comments

Loading comments...