Welcome to Rafter

Rafter is the way to shift security left. It moves vulnerability detection, secret scanning, dependency auditing, and policy enforcement out of post-merge review queues and into your AI coding agent’s feedback loop — where mistakes get caught while code is still being written, not after it ships. Rafter sits between your agent and your codebase, scanning for secrets, intercepting dangerous commands, evaluating extensions, and (with an API key) running deep SAST/SCA passes through the Code Security Engine. One command installs across every supported agent. Free to start, MIT-licensed, works offline.

Wire Rafter into your agent

Install Rafter and put security inside your agent’s loop in under a minute.

The Shift-Left Loop

Rafter’s job is to make security a first-class signal your agent consults at every step:

During design and planning

Your agent anticipates risks before code is written — auth, data flow, permissions, external integrations.

While writing and modifying code

Sensitive logic gets scanned the moment it appears. Secrets never reach git. Risky dependencies are flagged on install.

When reviewing changes or diffs

Your agent runs Rafter against the diff and explains tradeoffs as part of its review pass.

Before finalizing implementations

A final scan with the Code Security Engine catches anything the local pass missed — SAST, SCA, agentic deep dive.

Two Layers, One Loop

Local: Agent Security (Free, No Account)

Lives inside your agent’s session. Secret scanning, command interception, policy enforcement, extension auditing, MCP server, pre-commit hooks, and audit logging. Works offline. Supports Claude Code, Codex CLI, Gemini CLI, Cursor, Windsurf, Continue.dev, Aider, and OpenClaw.

Remote: Code Security Engine (API key)

Hand your agent an API key and it can run deep SAST, SCA, secret detection, and agentic deep-dive audits whenever it needs to — tracing data flows, reasoning about business logic, cross-referencing with static analysis. Structured reports the agent can act on directly.

Agent-First Design

Stable Output Contract

JSON to stdout, status to stderr, documented exit codes. Agents classify outcomes without parsing prose.
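As an added illustration (not Rafter's own code) of how an agent integration can consume that contract: decisions are made from the stdout JSON and the exit code only, stderr is kept as a human-readable note, and anything unparseable on stdout is treated as a tool failure rather than a clean run. The exit-code values and the `findings` key are assumptions standing in for the documented ones.

```python
import json
import subprocess
from dataclasses import dataclass, field

# ASSUMED placeholder exit codes; replace with the values from the CLI reference.
EXIT_CLEAN = 0
EXIT_FINDINGS = 1
EXIT_TOOL_ERROR = 2


@dataclass
class ScanOutcome:
    status: str                      # "clean", "findings" or "tool_error"
    findings: list = field(default_factory=list)
    note: str = ""                   # stderr text, for humans only


def classify(returncode: int, stdout: str, stderr: str) -> ScanOutcome:
    """Classify a scanner run from its machine-readable channels only.

    stdout must carry JSON; stderr is status text and never drives a decision.
    Empty or non-JSON stdout is a tool failure, so callers fail closed.
    """
    note = stderr.strip()
    try:
        report = json.loads(stdout) if stdout.strip() else None
    except json.JSONDecodeError:
        return ScanOutcome("tool_error", note=f"stdout was not JSON; stderr: {note}")
    if report is None or returncode == EXIT_TOOL_ERROR:
        return ScanOutcome("tool_error", note=note)
    # "findings" is an assumed key name; adapt to the documented schema.
    findings = report.get("findings", []) if isinstance(report, dict) else []
    if findings or returncode == EXIT_FINDINGS:
        return ScanOutcome("findings", findings, note)   # non-empty list wins
    if returncode == EXIT_CLEAN:
        return ScanOutcome("clean", note=note)
    return ScanOutcome("tool_error", note=f"unexpected exit code {returncode}; {note}")


def run_scan(argv: list[str]) -> ScanOutcome:
    """Run a scanner command (argv is caller-supplied) and classify the result."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return classify(proc.returncode, proc.stdout, proc.stderr)


# Constructed sample stdout (not real Rafter output) with one finding.
SAMPLE_FINDINGS_STDOUT = json.dumps(
    {"findings": [{"rule": "hardcoded-secret", "file": "config.py", "line": 12}]}
)
```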

Deterministic Results

Same inputs produce the same findings for a given CLI version. No flaky scans, no surprises.

9 Platforms, One Command

rafter agent init --all auto-detects and installs across every supported agent and IDE.

Platform Integrations

Claude Code

PreToolUse hooks and security skills.

Codex CLI

Security skills for OpenAI Codex.

MCP Clients

Cursor, Windsurf, Gemini CLI, Continue.dev, Aider, Claude Desktop, Cline.

Quick Start

npm install -g @rafter-security/cli
rafter agent init --all

That’s it. Your agents now have secret scanning, command interception, and policy enforcement.

Full Quick Start Guide

Detailed setup including remote scanning, CI/CD, and API access.

More Resources

CLI Reference

All commands at a glance.

REST API

Programmatic scanning for custom integrations.

CI/CD

GitHub Actions, GitLab CI, CircleCI.