Skip to main content

Claude Code Integration

Rafter provides two skills for Claude Code that separate remote code analysis from local security operations.

Why Two Skills?

Remote Code Analysis (rafter)

Auto-invocable - Claude can proactively suggest scans
  • API-based SAST/SCA scanning
  • Read-only operations
  • Safe for Claude to auto-invoke
  • rafter run / rafter scan / rafter get / rafter usage

Local Security Toolkit (rafter-agent-security)

User-only - Requires explicit invocation
  • Local secret scanning
  • Policy enforcement
  • Extension auditing
  • Side effects require permission
This architecture separates read-only remote analysis from local security operations that have side effects.

Setup

1. Install Rafter CLI

Install globally: 
npm install -g @rafter-security/cli

2. Initialize Local Security

Run initialization with Claude Code integration: 
rafter agent init --with-claude-code
Or install all detected integrations at once: 
rafter agent init --all
If Claude Code is detected (checks for ~/.claude/ directory), Rafter will:
  • Install Remote Code Analysis skill to ~/.claude/skills/rafter/SKILL.md
  • Install Local Security skill to ~/.claude/skills/rafter-agent-security/SKILL.md
  • Enable agent integration in config

3. Restart Claude Code

Restart your Claude Code session to load the skills: 
# Kill existing session
pkill -f claude

# Start new session
claude

Remote Code Analysis: Automated Scanning

The remote analysis skill allows Claude to proactively suggest security scans.

Commands

rafter run
command
Trigger a comprehensive security scan on your repositoryAuto-detects: Current repo and branch from gitExample:
rafter run
rafter scan --repo myorg/myrepo --branch feature-branch
rafter scan is an alias for rafter run.
rafter get
command
Retrieve results from a completed or in-progress scanExample:
rafter get scan_abc123xyz
rafter usage
command
View your API quota and usage statisticsExample:
rafter usage

When Claude Uses It

Claude will automatically invoke backend scanning when you:
  • Mention “security”, “vulnerabilities”, or “code analysis”
  • Start working on a new feature
  • Review a pull request
  • Update dependencies
  • Ask about security issues

Example Interactions

You: “I just updated all the npm packages”Claude: “Let me run a security scan to check for any new vulnerabilities in the updated dependencies.”[Invokes: rafter run]Claude: “Scan complete! Found 2 medium-severity issues in newly updated packages. Here’s what needs attention…”
You: “Can you review my changes before I create a PR?”Claude: “I’ll run a security scan on your feature branch first.”[Invokes: rafter run —branch feature-auth]Claude: “Security scan passed with no issues. Your changes look good from a security perspective. Ready to create the PR?”
You: “How many scans do I have left this month?”Claude: [Invokes: rafter usage]Claude: “You’ve used 45 of 100 scans this month. 55 remaining. Your quota resets on March 1st.”

Local Security Skill

The local security skill provides secret scanning, policy enforcement, and extension auditing. You must explicitly invoke these commands.

Commands

/rafter-scan
slash-command
Scan files for secrets before commitsExample:
/rafter-scan .
/rafter-scan src/config.ts
Detects: AWS keys, GitHub tokens, Stripe keys, database credentials, private keys (21+ patterns)
/rafter-bash
slash-command
Execute commands with security validationExample:
/rafter-bash "git commit -m 'Add feature'"
/rafter-bash "sudo systemctl restart nginx"
Features:
  • Blocks destructive commands (rm -rf /, fork bombs)
  • Requires approval for dangerous operations
  • Scans staged files before git commits
  • Logs all command attempts
/rafter-audit-skill
slash-command
Comprehensive security audit of a Claude Code skill before installationExample:
/rafter-audit-skill ~/.claude/skills/untrusted-skill/SKILL.md
Analyzes: 12 security dimensions including network calls, command execution, file access, credential handling, input validation, and more
/rafter-audit
slash-command
View security event logsExample:
/rafter-audit
/rafter-audit --last 20
Events: Command attempts, secret detections, policy overrides, config changes

Usage Examples

You: /rafter-scan .Output:
🔍 Scanning 47 files...

⚠️  Found 1 secret:

File: src/config.ts:12
Type: AWS Access Key
Value: AKIA...REDACTED...XYZ
Severity: HIGH

❌ Secrets detected! Do not commit.
You: /rafter-bash "git commit -m 'Add authentication'"Process:
  1. Rafter evaluates command risk level
  2. Scans staged files for secrets (for git commands)
  3. If clean: executes commit
  4. If secrets found or command blocked: alerts user
Output:
✓ No secrets detected in staged files
✓ Command approved: git commit
[main abc123d] Add authentication
You: /rafter-audit-skill ~/.claude/skills/github-integration/SKILL.mdOutput:
# Skill Audit Report

**Skill**: github-integration
**Risk Rating**: MEDIUM

## Findings

### Network Security: ⚠️ Warning
- 3 external URLs found
- https://api.github.com (HTTPS ✓)
- http://internal-api.local (HTTP ⚠️)

### Command Execution: ✓ Pass
- No dangerous commands detected

## Recommendation: ✓ YES (with modifications)

Change http://internal-api.local to HTTPS before installing.

Configuration

Risk Levels

Choose based on your security requirements:
Best for: Local development, prototyping
rafter agent config set agent.riskLevel minimal
  • Allows most commands
  • Basic secret detection
  • Minimal workflow interruption
Best for: Sensitive environments, compliance requirements
rafter agent config set agent.riskLevel aggressive
  • Maximum security checks
  • Requires approval for most operations
  • Comprehensive audit logging

View Current Config

# View all settings
rafter agent config show

# Check specific setting
rafter agent config get agent.riskLevel

Workflows

Secure Development Cycle

1

Start Feature

You: “Add user authentication”Claude: Writes code, then suggests: “Should I run a security scan?”[Invokes: rafter run]
2

Pre-Commit Check

You: /rafter-scan .Verify no secrets before committing
3

Safe Commit

You: /rafter-bash "git commit -m 'Add auth'"Rafter scans and executes if clean
4

Pre-PR Review

You: “Review my changes”Claude: [Invokes: rafter run —branch feature-auth]“Security scan passed. Ready to create PR?”

Installing Untrusted Skills

Before installing skills from unknown sources:
1

Download Skill

Save skill file to local directory
2

Audit Security

You: /rafter-audit-skill /path/to/skill.mdReview comprehensive 12-dimension security analysis
3

Make Informed Decision

Based on audit findings:
  • ✓ Install if LOW/MEDIUM risk
  • ⚠️ Modify if issues found
  • ❌ Don’t install if HIGH/CRITICAL

Monitoring

View Agent Activity

# Recent command executions
rafter agent audit --event command_intercepted

# Secret detections
rafter agent audit --event secret_detected

# Last 50 events
rafter agent audit --last 50

Audit Reports

Generate compliance reports: 
# Export as JSON
rafter agent audit --json > agent-audit.json

# Filter by date
rafter agent audit --since 2026-01-01

Troubleshooting

If Claude doesn’t recognize Rafter skills:
  1. Verify skill files exist: 
    ls ~/.claude/skills/rafter/SKILL.md
ls ~/.claude/skills/rafter-agent-security/SKILL.md
  2. Reinstall skills: 
    rafter agent init
  3. Restart Claude Code session
If Claude isn’t suggesting scans automatically:
  1. Check skill is loaded: Look for system reminders showing “rafter” skill
  2. Verify RAFTER_API_KEY is set: 
    echo $RAFTER_API_KEY
  3. Try explicit request: “Can you run a Rafter security scan?”
If backend scans fail:
  1. Set API key: 
    export RAFTER_API_KEY="your-key-here"
  2. Or use .env file: 
    echo "RAFTER_API_KEY=your-key-here" >> .env
  3. Get key from: rafter.so/dashboard
If /rafter-bash isn’t validating:
  1. Check config: 
    rafter agent config get agent.environments.claudeCode.enabled
# Should return: true
  2. Enable if disabled: 
    rafter agent config set agent.environments.claudeCode.enabled true

Best Practices

Recommended Workflow

  1. Let Claude auto-scan: Don’t disable the backend skill - proactive scans catch issues early
  2. Scan before commits: Always run /rafter-scan before committing
  3. Audit untrusted skills: Use /rafter-audit-skill for skills from unknown sources
  4. Review audit logs: Check /rafter-audit after suspicious activity
  5. Start with moderate: Adjust risk level based on your needs
  6. Keep CLI updated: npm update -g @rafter-security/cli

Advanced Usage

Pre-Commit Hooks

Automate secret scanning for all commits: 
# Install pre-commit hook
rafter agent install-hook

# Install globally (all repos)
rafter agent install-hook --global
This automatically runs /rafter-scan --staged before every commit.

Custom Blocked Patterns

Add organization-specific command patterns: Edit ~/.rafter/config.json: 
{
  "agent": {
    "commandPolicy": {
      "blockedPatterns": [
        "kubectl delete namespace production",
        "terraform destroy",
        "rm -rf /important-data"
      ]
    }
  }
}

Skill Auditing Framework

The /rafter-audit-skill command analyzes 12 security dimensions:
  1. Trust & Attribution - Source verification
  2. Network Security - External API calls
  3. Command Execution - Shell commands
  4. File System Access - Read/write operations
  5. Credential Handling - API keys, secrets
  6. Input Validation - Injection risks
  7. Data Exfiltration - Data leaving system
  8. Obfuscation - Hidden behavior
  9. Scope Alignment - Behavior vs purpose
  10. Error Handling - Info leakage
  11. Dependencies - Supply chain risks
  12. Environment Manipulation - System modifications
Each dimension gets a risk rating: ✓ Pass / ⚠️ Warning / ❌ Critical

Comparison: OpenClaw vs Claude Code

OpenClaw: Single skill with all featuresClaude Code: Two skills (remote analysis + local security)Why different? Claude Code’s auto-invocation capability allows separating safe API calls from local operations
OpenClaw: User or agent invokes all commandsClaude Code:
  • Backend skill: Auto-invoked by Claude
  • Local security: User invokes via slash commands
OpenClaw: /rafter-scan, /rafter-bash, etc.Claude Code:
  • Backend: rafter run, rafter get, rafter usage (auto)
  • Agent: /rafter-scan, /rafter-bash, etc. (manual)

Support

Documentation

Complete guides and API reference

GitHub Issues

Report bugs and request features

Dashboard

Manage API keys and view scan history

Claude Code Docs

Learn more about Claude Code

Next Steps

Command Reference

Complete CLI command documentation

Secret Scanning

Deep dive into secret detection

CI/CD Integration

Use Rafter in continuous integration

API Reference

Backend API documentation