Codex CLI Integration

Rafter provides two skills for Codex CLI that add remote code analysis and local security.

Skills Architecture

Backend Skill (rafter)

API-based security scanning
  • Trigger remote SAST/SCA scans
  • Retrieve scan results
  • Check usage quota
  • Read-only operations

Local Security Toolkit (rafter-agent-security)

Local security operations
  • Secret scanning in files
  • Policy enforcement
  • Extension auditing
  • Audit logging

Setup

1. Install Rafter CLI

npm install -g @rafter-security/cli

2. Initialize Local Security

rafter agent init --with-codex
Rafter detects Codex CLI via ~/.codex and installs skills to ~/.agents/skills/rafter/. To install all detected integrations at once:
rafter agent init --all

3. Restart Codex CLI

Restart Codex CLI to load the newly installed skills.

Skill Location

After initialization:
~/.agents/skills/
├── rafter/
│   └── SKILL.md              # Remote code analysis skill
└── rafter-agent-security/
    └── SKILL.md              # Local security skill

Usage

Backend Scanning

Trigger a security scan of your repository:
rafter run --format md
Or use the rafter scan alias:
rafter scan --repo myorg/myrepo --branch main
Backend scanning requires a Rafter API key. Set it via export RAFTER_API_KEY="your-key" or pass --api-key.

Local Security

These commands work locally without an API key:
# Scan files for secrets
rafter scan local .

# Scan only staged files
rafter scan local --staged

# Execute a command with risk assessment
rafter agent exec "git push --force"

# Audit a third-party skill for malware
rafter agent audit-skill path/to/untrusted-skill.md

# View security event log
rafter agent audit
Note: rafter agent scan still works but is deprecated — it will be removed in a future major version.

Skill Auditing

Treat third-party extension ecosystems as hostile by default. There have been reports of malware distributed via skill marketplaces, using social-engineering instructions to run obfuscated shell commands.
Before installing any third-party skill, audit it:
rafter agent audit-skill path/to/untrusted-skill.md
This analyzes 12 security dimensions: trust/attribution, network security, command execution, file system access, credential handling, input validation, data exfiltration, obfuscation, scope alignment, error handling, dependencies, and environment manipulation.
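The following POSIX sh wrapper is an added example, not part of Rafter or this page: it runs the audit above and copies the skill into the ~/.agents/skills/<name>/SKILL.md layout shown under Skill Location only when the audit passes. It assumes that rafter agent audit-skill exits non-zero when it flags a skill, which this page does not state; the skill-name check is the wrapper's own.

```shell
#!/bin/sh
# Hypothetical helper (not Rafter's own code): gate installation of a
# third-party skill on a passing `rafter agent audit-skill` run.
# Assumption: the audit exits non-zero when it flags the skill.
set -u

# Where Codex CLI skills live (see "Skill Location" above); overridable.
SKILLS_DIR="${SKILLS_DIR:-$HOME/.agents/skills}"

# audit_skill FILE -> returns 0 when the audit passes, 1 otherwise.
audit_skill() {
    skill="$1"
    [ -f "$skill" ] || { echo "no such file: $skill" >&2; return 1; }
    rafter agent audit-skill "$skill"
}

# install_skill FILE NAME -> copies FILE to $SKILLS_DIR/NAME/SKILL.md
# after a passing audit; refuses names that could escape SKILLS_DIR.
install_skill() {
    skill="$1"
    name="$2"
    case "$name" in
        ""|*/*|.*) echo "refusing unsafe skill name: $name" >&2; return 1 ;;
    esac
    if ! audit_skill "$skill"; then
        echo "audit failed for $skill; not installing" >&2
        return 1
    fi
    dest="$SKILLS_DIR/$name"
    mkdir -p "$dest" && cp "$skill" "$dest/SKILL.md" && echo "installed $name to $dest"
}

# Usage: ./install-skill.sh path/to/untrusted-skill.md skill-name
if [ $# -eq 2 ]; then
    install_skill "$1" "$2"
fi
```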

Configuration

Risk Levels

# Set during init
rafter agent init --risk-level moderate

# Change later
rafter agent config set agent.riskLevel aggressive
Level      | Behavior
Minimal    | Basic guidance, most commands allowed
Moderate   | Approval for high-risk commands, secrets always blocked (default)
Aggressive | Approval for most operations, maximum security

View Configuration

rafter agent config show

Monitoring

View Agent Activity

# Recent events (last 10)
rafter agent audit

# Last 50 events
rafter agent audit --last 50

# Filter by event type
rafter agent audit --event secret_detected

# Filter by agent platform
rafter agent audit --agent claude-code

Troubleshooting

  1. Verify skills are installed: ls ~/.agents/skills/rafter/
  2. Re-run: rafter agent init --with-codex
  3. Restart Codex CLI
Ensure ~/.codex exists, then run: rafter agent init --with-codex

What's Next?

  • Secret Scanning: 21+ secret patterns detected
  • Command Execution: Risk-assessed command validation
  • Command Reference: Full CLI reference