# Working with Requirements

This guide covers how to respond to security requirements Oplane raises on your pull requests (GitHub) or merge requests (GitLab), and how to run threat modeling locally before pushing.

## Responding to Requirements

When Oplane reviews your PR/MR, it posts a comment with security requirements. You have several ways to respond:

### Fix the Issue

Implement the security requirement in your code and push a new commit. Oplane will re-analyse the PR/MR automatically and update the requirement status.

### Use MCP Tools in Your IDE

If you have Oplane connected via [MCP](/mcp-agent), you can interact with requirements directly from your editor:

| Action                      | MCP Tool                        | When to Use                                               |
| --------------------------- | ------------------------------- | --------------------------------------------------------- |
| Get implementation guidance | `request_implementation_advice` | You want specific advice on how to address a requirement  |
| Mark as implemented         | `update_implementation_state`   | You've fixed the issue and want to record it              |
| Accept the risk             | `update_implementation_state`   | The risk is acknowledged but won't be mitigated           |
| Mark as out of scope        | `update_implementation_state`   | Handled at infrastructure or another layer                |
| Adjust severity             | `update_requirement_severity`   | Actual exploitability differs from the initial assessment |

### Re-trigger a Review

After making changes, you can re-trigger Oplane's analysis by commenting on the PR or MR:

* `@oplane review`
* `oplane review`

Alternatively, pushing a new commit triggers a review automatically (if your workspace is configured for automatic reviews).

<Note>
  Assessments you've manually set (via MCP or the dashboard) are preserved across re-analyses unless the underlying code contradicts them.
</Note>

## Running Local Checks

You can run threat modeling locally before pushing, catching issues early in your development workflow.

### Using MCP in Your IDE

With Oplane connected via MCP (in Cursor, GitHub Copilot, Claude Code, or another MCP-compatible tool), you can create a threat model for your current changes:

1. **Describe your changes** — Tell your AI assistant what you're working on and ask it to use Oplane to create a threat model.
2. **Review requirements** — Oplane generates security requirements specific to your described changes.
3. **Get implementation advice** — For each requirement, ask for guidance on how to implement it in your codebase.
4. **Record your assessment** — Mark each requirement as implemented, accepted risk, or not applicable.

### Quick Reference: Local MCP Workflow

| Step                   | Tool                            | What It Does                                                  |
| ---------------------- | ------------------------------- | ------------------------------------------------------------- |
| 1. Create threat model | `new_threatmodel`               | Analyses your description and generates security requirements |
| 2. Get guidance        | `request_implementation_advice` | Returns specific implementation steps and verification tests  |
| 3. Record state        | `update_implementation_state`   | Marks requirements as implemented, out of scope, etc.         |
| 4. Refine              | `add_threatmodel_comment`       | Adds context to improve the threat model if needed            |

<Tip>
  Use the guided prompt `autonomous_threat_modeling` to have your AI assistant run the entire workflow end-to-end automatically.
</Tip>

<Card title="Statuses & Severity" icon="circle-check" href="/statuses-severity">
  Reference for what each status icon, severity level, and check status means.
</Card>
