AI-powered security analysis for your codebase — threat modeling, implementation assessment, and PR security review.
Works with Claude Code, Cursor, and GitHub Copilot CLI.
This plugin connects your IDE to Oplane, giving you:
- Codebase analysis — Identify security threats across your entire project
- PR review — Analyze pull requests for security implications
- Implementation assessment — Check if security requirements are properly implemented
- Severity management — Adjust requirement severity based on your risk context
Results are saved to Oplane and visible in the Gravity web interface.
claude --plugin-dir /path/to/oplane-pluginInstall from the Cursor Marketplace (when available), or load via Cursor Settings > Plugins and add the repository URL.
copilot plugin install /path/to/oplane-pluginVerify with copilot plugin list (or /plugin list in an interactive session). Re-run copilot plugin install after editing the plugin.
After installing the plugin, authenticate with Oplane:
- Start Claude Code
- Run
/mcp - Select the Oplane server and click "Authenticate"
- Log in via your browser — tokens are issued and refreshed automatically
If you prefer using a Personal Access Token:
claude mcp add --transport http \
--header "Authorization: Bearer YOUR_PAT_TOKEN" \
oplane https://gravity.oplane.io/mcp/To point at a different Oplane server, set the OPLANE_BASE_URL environment variable:
export OPLANE_BASE_URL=https://your-oplane-instance.com/oplane:analyze
Performs a full security threat model analysis. Optionally focus on a specific area:
/oplane:analyze authentication and session management
/oplane:analyze-pr
Analyzes the current PR changes for security implications. Provide context:
/oplane:analyze-pr PR #123 adds OAuth login flow
The plugin also provides a security-analyzer subagent that Claude Code and Copilot CLI can invoke automatically when security analysis is needed.
The single highest-impact step is making threat modeling a standing instruction your agent
reads every session, so security-relevant changes are modeled before each commit or PR,
not just reviewed after a PR opens. Add this to your project's CLAUDE.md (and/or
AGENTS.md):
For changes that could affect security, you MUST threat-model the change using Oplane MCP
before committing. Threat-model the actual diff (e.g. the PR threat model), not a written
summary of it - a model built from your own description only re-tests risks you already
considered. Explicitly consider untrusted-input-inbound (log/audit/template/SQL injection
from external data), not only outward data leakage.
The plugin provides access to these Oplane MCP tools:
| Tool | Description |
|---|---|
new_threatmodel |
Create threat models with security requirements |
request_implementation_advice |
Get implementation guidance (supports batch) |
update_implementation_state |
Record implementation assessments |
update_requirement_severity |
Adjust severity with motivation |
my_recent_threatmodels |
List your own recent threat models |
add_threatmodel_comment |
Add context to refine threat models |
Proprietary. See Oplane for terms.