Security guardrails and vulnerability scanning for OpenCode

Package Exports

  • @symbioticsec/opencode-security-plugin

Readme

Symbiotic Security for OpenCode

Security guardrails and vulnerability scanning for OpenCode - automatically enforced without disrupting your workflow.

Quick Start

Install and configure the plugin with a single command:

npx @symbioticsec/opencode-security-plugin@beta init

This command will:

  • Add the plugin to your OpenCode configuration
  • Configure the Symbiotic provider for LLM access
  • Prompt for your Symbiotic API token (if not already set in SYMBIOTIC_API_TOKEN)
  • Create the agent definition for automatic security enforcement

After installation: Restart OpenCode to activate the plugin.

Your First Security Scan

Once configured, security guardrails load automatically on every session. Ask OpenCode to scan your code:

You: "Scan my code for vulnerabilities"

OpenCode will use the scanner tool to run SAST analysis and report any security issues found.

How It Works

Automatic Security Enforcement

When you start a new OpenCode session, the plugin:

  1. Fetches organization and repository-specific security policies from the Symbiotic API
  2. Injects them into OpenCode's context (invisible to you, but OpenCode is instructed to follow them)
  3. Shows a toast notification: "🛡️ Security guardrails active"

No explicit commands needed - security is automatic.

Available Security Tools

OpenCode can invoke these tools during your session:

loadguardrails - Manually refresh security policies from the Symbiotic API

securitycheck - Validate a task against OWASP Top 10 categories before implementation

scanner - Run SAST analysis on code files to detect vulnerabilities

You don't need to call these tools directly - just ask OpenCode in natural language:

  • "Scan this file for security issues"
  • "Check if this implementation is secure"
  • "Reload the security guardrails"

Graceful Degradation

If SYMBIOTIC_API_TOKEN is not set or the API is unavailable:

  • Plugin loads without errors
  • Security tools show warnings instead of failing
  • OpenCode session continues normally
  • You'll see: "⚠️ Security guardrails unavailable"

Your workflow isn't blocked, but no policies are enforced and no scans run in that session, so treat the warning as a signal that security checks are off rather than as noise.

Configuration

Environment Variables

Set your Symbiotic API token:

export SYMBIOTIC_API_TOKEN=your_token_here  # Required

Optional overrides for custom environments. The built-in defaults are staging hosts, so set these explicitly when the plugin should talk to a different environment:

export SYMBIOTIC_API_URL=https://api.symbioticsec.ai
export SYMBIOTIC_LLM_PROXY_URL=https://llm-proxy.symbioticsec.ai
export SYMBIOTIC_APP_URL=https://app.symbioticsec.ai
export SYMBIOTIC_CLI_VERSION=v0.16.2

Default Configuration

If environment variables are not set, the plugin uses these defaults. Note that they are staging endpoints, and your API token is sent to whichever host SYMBIOTIC_API_URL resolves to, so check the effective values before exporting a token intended for another environment:

  Option       Default
  API URL      https://api.staging2.symbioticsec.ai
  LLM Proxy    https://llm-proxy.staging2.symbioticsec.ai
  App URL      https://app.staging2.symbioticsec.ai
  CLI Version  v0.16.2
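The following is an added example, not code from the plugin itself. It covers two passages above: it resolves the environment variables with the documented defaults and validates the endpoints an API token would be sent to (Configuration), and it models the Graceful Degradation behaviour, where a missing token or a failing API yields a warning state instead of an exception. The function names, warning texts, the vX.Y.Z check on the CLI version and the injected fetchPolicies callback are this example's own assumptions.

```javascript
// Added example, not the plugin's own code. Resolves the Symbiotic
// environment variables using the defaults documented above, validates the
// endpoints an API token would be sent to, and models "graceful
// degradation": a missing token or a failing API yields a warning state
// instead of throwing into the OpenCode session.

const DEFAULTS = {
  SYMBIOTIC_API_URL: "https://api.staging2.symbioticsec.ai",
  SYMBIOTIC_LLM_PROXY_URL: "https://llm-proxy.staging2.symbioticsec.ai",
  SYMBIOTIC_APP_URL: "https://app.staging2.symbioticsec.ai",
  SYMBIOTIC_CLI_VERSION: "v0.16.2",
};

// The token is sent to whatever host SYMBIOTIC_API_URL names, so an override
// must be a well-formed https URL with no embedded credentials.
function checkEndpoint(name, value) {
  let url;
  try {
    url = new URL(value);
  } catch {
    return `${name}: not a valid URL (${value})`;
  }
  if (url.protocol !== "https:") return `${name}: must use https, got ${url.protocol}`;
  if (url.username || url.password) return `${name}: must not embed credentials`;
  return null;
}

// Returns the effective configuration plus a list of warnings.
// `env` is a plain object such as process.env.
function resolveSymbioticConfig(env) {
  const pick = (name) => (env[name] && env[name].trim()) || DEFAULTS[name];
  const config = {
    token: env.SYMBIOTIC_API_TOKEN || null,
    apiUrl: pick("SYMBIOTIC_API_URL"),
    llmProxyUrl: pick("SYMBIOTIC_LLM_PROXY_URL"),
    appUrl: pick("SYMBIOTIC_APP_URL"),
    cliVersion: pick("SYMBIOTIC_CLI_VERSION"),
    warnings: [],
  };
  const endpoints = [
    ["SYMBIOTIC_API_URL", config.apiUrl],
    ["SYMBIOTIC_LLM_PROXY_URL", config.llmProxyUrl],
    ["SYMBIOTIC_APP_URL", config.appUrl],
  ];
  for (const [name, value] of endpoints) {
    const problem = checkEndpoint(name, value);
    if (problem) config.warnings.push(problem);
  }
  // The built-in defaults are staging hosts; flag that when a real token is set.
  if (config.token && endpoints.some(([, v]) => v.includes(".staging2."))) {
    config.warnings.push("token set but one or more endpoints point at staging2 defaults");
  }
  // The CLI version names a binary to download, so accept only a plain vX.Y.Z tag
  // (an assumption of this example, not something the page specifies).
  if (!/^v\d+\.\d+\.\d+$/.test(config.cliVersion)) {
    config.warnings.push(`SYMBIOTIC_CLI_VERSION: unexpected format (${config.cliVersion})`);
  }
  return config;
}

// Guardrail loading that never throws into the session. fetchPolicies is
// injected (shape: (apiUrl, token) => array of policies) so the example runs
// offline; a real implementation would call the Symbiotic API here.
function loadGuardrails(config, fetchPolicies) {
  const unavailable = (reason) => ({
    active: false, policies: [], reason, message: "⚠️ Security guardrails unavailable",
  });
  if (!config.token) return unavailable("SYMBIOTIC_API_TOKEN not set");
  try {
    const policies = fetchPolicies(config.apiUrl, config.token);
    if (!Array.isArray(policies)) return unavailable("unexpected policy payload");
    return { active: true, policies, reason: null, message: "🛡️ Security guardrails active" };
  } catch (err) {
    return unavailable(err.message);
  }
}

// Constructed demonstration: no token in the environment, then a token with a
// fetch that fails as if the API were unreachable.
const noToken = loadGuardrails(resolveSymbioticConfig({}), () => []);
const apiDown = loadGuardrails(
  resolveSymbioticConfig({ SYMBIOTIC_API_TOKEN: "example-token" }),
  () => { throw new Error("ECONNREFUSED"); },
);
console.log(noToken.message, "-", noToken.reason);
console.log(apiDown.message, "-", apiDown.reason);
```

The point of returning a state object rather than throwing is that every caller (session start, loadguardrails, securitycheck, scanner) can render the same warning and carry on, which is the behaviour the Graceful Degradation section describes.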

Troubleshooting

Missing API Token

Problem: Plugin shows "⚠️ Security guardrails unavailable"

Solution: Export your API token before starting OpenCode:

export SYMBIOTIC_API_TOKEN=your_token_here

Init Command Fails

Problem: npx @symbioticsec/opencode-security-plugin@beta init fails with config errors

Solution:

  • Verify OpenCode is installed: opencode --version
  • Check that ~/.config/opencode/opencode.json exists
  • If config is corrupted, back it up and let init create a new one

Plugin Doesn't Load

Problem: Security tools not available in the OpenCode session

Solution:

  • Restart OpenCode after running init
  • Check ~/.config/opencode/opencode.json includes @symbioticsec/opencode-security-plugin in the plugin array
  • Verify the plugin was installed to OpenCode's plugin directory
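One way to check the second step above, as an added example rather than code from the plugin: given the text of ~/.config/opencode/opencode.json, tell a corrupted file apart from a missing or duplicated plugin entry and report the matching fix from the troubleshooting steps. The "plugin" key follows the page's wording ("the plugin array"); the result shape and the sample configs are this example's own.

```javascript
// Added example, not the plugin's own code: a diagnosis for the
// "Plugin Doesn't Load" case based on the contents of opencode.json.

const PLUGIN_NAME = "@symbioticsec/opencode-security-plugin";
const INIT_CMD = "npx @symbioticsec/opencode-security-plugin@beta init";
const RECREATE = `back up the file, then let ${INIT_CMD} create a new one`;

// `text` is the file's contents, or null/undefined when the file is absent.
// Returns { ok, problem, fix } so a caller can print one line per outcome.
function diagnoseOpencodeConfig(text, pluginName = PLUGIN_NAME) {
  const fail = (problem, fix) => ({ ok: false, problem, fix });
  if (text === null || text === undefined) {
    return fail("opencode.json does not exist", `run ${INIT_CMD} to create it`);
  }
  let config;
  try {
    config = JSON.parse(text);
  } catch (err) {
    return fail(`opencode.json is not valid JSON: ${err.message}`, RECREATE);
  }
  if (config === null || typeof config !== "object" || Array.isArray(config)) {
    return fail("top-level value is not a JSON object", RECREATE);
  }
  if (!("plugin" in config)) {
    return fail('no "plugin" array', `run ${INIT_CMD}, then restart OpenCode`);
  }
  if (!Array.isArray(config.plugin)) {
    return fail('"plugin" is not an array', RECREATE);
  }
  // Accept the bare package name or a tagged form such as name@beta.
  const entries = config.plugin.filter(
    (p) => typeof p === "string" && (p === pluginName || p.startsWith(pluginName + "@")),
  );
  if (entries.length === 0) {
    return fail(`${pluginName} is not listed in "plugin"`, `run ${INIT_CMD}, then restart OpenCode`);
  }
  if (entries.length > 1) {
    return fail(`${pluginName} is listed ${entries.length} times`, "remove the duplicate entries");
  }
  return { ok: true, problem: null, fix: "restart OpenCode if the tools are still missing" };
}

// Constructed sample configs (not real files) exercising three outcomes.
const SAMPLE_OK = JSON.stringify({ plugin: ["some-other-plugin", PLUGIN_NAME] });
const SAMPLE_MISSING = JSON.stringify({ plugin: ["some-other-plugin"] });
const SAMPLE_CORRUPT = '{ "plugin": ["@symbioticsec/opencode-security-plugin" ';

for (const sample of [SAMPLE_OK, SAMPLE_MISSING, SAMPLE_CORRUPT]) {
  const result = diagnoseOpencodeConfig(sample);
  console.log(result.ok ? "ok" : `problem: ${result.problem}; fix: ${result.fix}`);
}
```

To run it against the real file, read ~/.config/opencode/opencode.json with fs.readFileSync (passing null when the read fails) and hand the text to diagnoseOpencodeConfig.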

Scanner Tool Fails

Problem: scanner tool returns errors about missing CLI

Solution:

  • The scanner automatically downloads the Symbiotic CLI (the version named by SYMBIOTIC_CLI_VERSION, v0.16.2 by default) on first use
  • Check you have write permissions in ~/.symbiotic/cli/, where the CLI is stored
  • Verify SYMBIOTIC_API_TOKEN is set correctly

Uninstalling

Remove the plugin configuration:

npx @symbioticsec/opencode-security-plugin@beta uninstall

This removes:

  • Plugin entry from opencode.json
  • Symbiotic provider configuration
  • Agent definition file

License

MIT