JSPM

  • ESM via JSPM
  • ES Module Entrypoint
  • Export Map
  • Keywords
  • License
  • Repository URL
  • TypeScript Types
  • README
  • Created
  • Published
  • Downloads 10
  • Score
    100M100P100Q37593F
  • License MIT

Security guardrails and vulnerability scanning for OpenCode

Package Exports

  • @symbioticsec/opencode-security-plugin

Readme

Symbiotic Security for OpenCode

Security guardrails and vulnerability scanning for OpenCode - automatically enforced without disrupting your workflow.

Quick Start

Install and configure the plugin with a single command:

npx @symbioticsec/opencode-security-plugin@beta init

After installation: Restart OpenCode to activate the plugin.

Your First Security Scan

Once configured, security guardrails load automatically on every session. Ask Opencode to scan your code:

You: "Scan my code for vulnerabilities"

Opencode will use the scanner tool to run SAST analysis and report any security issues found.

Available Security Tools

Opencode can invoke these tools during your session:

loadguardrails - Manually refresh security policies from the Symbiotic API

securitycheck - Validate a task against OWASP Top 10 categories before implementation

scanner - Run SAST analysis on code files to detect vulnerabilities

You don't need to call these tools directly - just ask Opencode in natural language:

  • "Scan this file for security issues"
  • "Check if this implementation is secure"
  • "Reload the security guardrails"

Slash Commands

The plugin installs three convenient slash commands:

/symbiotic-scan [path] - Run vulnerability scan on specified path (defaults to current directory)

/symbiotic-guardrails - Load and display current security guardrails from Symbiotic API

/symbiotic-owasp-check [task] - Perform OWASP Top 10 security checkpoint on recent changes

Configuration

API Token

The plugin requires a Symbiotic API token for authentication. The token is resolved with the following priority:

  1. Environment variable (highest priority): SYMBIOTIC_API_TOKEN
  2. Config file: ~/.config/opencode/symbioticsec/config.json

During installation, the init command prompts for your token and saves it securely to the config file with restricted permissions (0600).

To override the saved token, set the environment variable:

export SYMBIOTIC_API_TOKEN=your_token_here

Other Environment Variables

Optional overrides for custom environments:

export SYMBIOTIC_API_URL=https://api.symbioticsec.ai
export SYMBIOTIC_LLM_PROXY_URL=https://llm-proxy.symbioticsec.ai
export SYMBIOTIC_APP_URL=https://app.symbioticsec.ai
export SYMBIOTIC_CLI_VERSION=v0.16.2

Default Configuration

If environment variables are not set, the plugin uses these defaults:

Option Default
API URL https://api.staging2.symbioticsec.ai
LLM Proxy https://llm-proxy.staging2.symbioticsec.ai
App URL https://app.staging2.symbioticsec.ai
CLI Version v0.16.2

Uninstalling

Remove the plugin configuration:

npx @symbioticsec/opencode-security-plugin@beta uninstall

This removes:

  • Plugin entry from opencode.json
  • Symbiotic provider configuration
  • Agent definition file
  • Security slash commands
  • API token config file (~/.config/opencode/symbioticsec/config.json)

License

MIT