Working with Requirements
This guide covers how to respond to security requirements Oplane raises on your pull requests (GitHub) or merge requests (GitLab), and how to run threat modeling locally before pushing.
Responding to Requirements
When Oplane reviews your PR/MR, it posts a comment with security requirements. You have several ways to respond:
Fix the Issue
Implement the security requirement in your code and push a new commit. Oplane will re-analyse the PR/MR automatically and update the requirement status.
Use MCP Tools in Your IDE
If you have Oplane connected via MCP, you can interact with requirements directly from your editor:
| Action | MCP Tool | When to Use |
|---|---|---|
| Get implementation guidance | request_implementation_advice | You want specific advice on how to address a requirement |
| Mark as implemented | update_implementation_state | You've fixed the issue and want to record it |
| Accept the risk | update_implementation_state | The risk is acknowledged but won't be mitigated |
| Mark as out of scope | update_implementation_state | Handled at infrastructure or another layer |
| Adjust severity | update_requirement_severity | Actual exploitability differs from the initial assessment |
Re-trigger a Review
After making changes, you can re-trigger Oplane's analysis by commenting on the PR or MR:
```
@oplane review
```
Alternatively, pushing a new commit triggers a review automatically (if your workspace is configured for automatic reviews).
Note: Assessments you've manually set (via MCP or the dashboard) are preserved across re-analyses unless the underlying code contradicts them.
Running Local Checks
You can run threat modeling locally before pushing, catching issues early in your development workflow.
Using MCP in Your IDE
With Oplane connected via MCP (in Cursor, Claude Code, or another MCP-compatible tool), you can create a threat model for your current changes:
- Describe your changes — Tell your AI assistant what you're working on and ask it to use Oplane to create a threat model.
- Review requirements — Oplane generates security requirements specific to your described changes.
- Get implementation advice — For each requirement, ask for guidance on how to implement it in your codebase.
- Record your assessment — Mark each requirement as implemented, accepted risk, or not applicable.
Quick Reference: Local MCP Workflow
| Step | Tool | What It Does |
|---|---|---|
| 1. Create threat model | new_threatmodel | Analyses your description and generates security requirements |
| 2. Get guidance | request_implementation_advice | Returns specific implementation steps and verification tests |
| 3. Record state | update_implementation_state | Marks requirements as implemented, out of scope, etc. |
| 4. Refine | add_threatmodel_comment | Adds context to improve the threat model if needed |
Tip: Use the guided prompt autonomous_threat_modeling to have your AI assistant run the entire workflow end-to-end automatically.
Using the CLI
Oplane also provides a CLI for running threat models from the terminal:
```shell
# Analyse current project
oplane-cli analyze .

# Focus on a specific area
oplane-cli analyze . --focus "authentication"

# Analyse a PR locally
oplane-cli analyze-pr . --base main

# Output as markdown
oplane-cli analyze . -o markdown --output-file report.md
```
See also: Statuses & Severity for a reference on what each status icon, severity level, and check status means.
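As an added example (not part of Oplane's documentation or tooling), the following git pre-push hook wires the local PR analysis into the push itself, so the threat model runs against the branch you are about to push to. It uses only the `analyze-pr . --base` form shown above; the hook name, the helper function names, the `OPLANE_BASE` environment variable and the report file path are assumptions of this example, and it assumes that a non-zero exit from `oplane-cli` means the analysis did not complete.

```shell
#!/bin/sh
# Added example: git pre-push hook that runs Oplane's local PR analysis
# before anything leaves the machine. Not Oplane's own code.
# Assumptions (this example's, not Oplane's): oplane-cli is on PATH,
# a non-zero exit means the analysis did not complete, and OPLANE_BASE is
# a hypothetical env var for overriding the base branch.
# Install: copy to .git/hooks/pre-push and chmod +x it.

# Base branch to compare against: OPLANE_BASE if set, otherwise the
# branch's configured upstream (origin/main -> main), otherwise main.
oplane_base_branch() {
  if [ -n "${OPLANE_BASE:-}" ]; then
    echo "$OPLANE_BASE"
    return 0
  fi
  # '|| true' keeps a missing upstream (or missing git) from tripping set -e.
  upstream=$(git rev-parse --abbrev-ref --symbolic-full-name '@{upstream}' 2>/dev/null || true)
  if [ -n "$upstream" ]; then
    echo "${upstream#*/}"
  else
    echo "main"
  fi
}

# The exact oplane-cli invocation, built as a string so it can be logged
# and checked without running it. Only flags documented on this page.
oplane_analyze_pr_cmd() {
  printf 'oplane-cli analyze-pr . --base %s' "$1"
}

# Run the analysis, keep a copy of its output, and block the push if the
# CLI fails. A missing CLI only warns, so the hook never becomes a hard
# dependency on every developer machine.
run_oplane_pre_push() {
  report=${1:-.oplane-prepush-report.txt}
  base=$(oplane_base_branch)
  if ! command -v oplane-cli >/dev/null 2>&1; then
    echo "pre-push: oplane-cli not found, skipping local threat model" >&2
    return 0
  fi
  echo "pre-push: $(oplane_analyze_pr_cmd "$base")" >&2
  if oplane-cli analyze-pr . --base "$base" >"$report" 2>&1; then
    cat "$report"
    return 0
  fi
  cat "$report" >&2
  echo "pre-push: Oplane analysis failed; push blocked (see $report)" >&2
  return 1
}

# Only run when git invokes this file as the hook; sourcing it elsewhere
# just defines the functions.
case "$0" in
  */pre-push) run_oplane_pre_push ;;
esac
```

Because the hook returns non-zero only when the CLI itself fails, it stops a push when the analysis could not run, not when requirements are open; recording implemented, accepted-risk or out-of-scope decisions stays with the MCP tools or the dashboard as described above.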