Remote Code Analysis

For more detailed guides, see the basic and advanced guides.

Scan a Repo

rafter run --format md

# `scan` is an alias for `run`
rafter scan --format md

Scan Modes

# Fast scan (default)
rafter run --format md --mode fast

# Plus scan (agentic deep-dive — audits code like a professional cybersecurity analyst)
rafter run --format md --mode plus
rafter run --format md -m plus

Scan a Private Repo

# Pass a GitHub PAT directly
rafter run --github-token ghp_... --format md

# Or use an environment variable
export RAFTER_GITHUB_TOKEN=ghp_...
rafter run --format md

Scan a Specific Repo and Branch

rafter run --repo myorg/myrepo --branch main --format md

Scan in the Background

rafter run --skip-interactive

Save Report to File

rafter run --format md > security-report-$(date +%Y-%m-%d-%H-%M-%S).md

Count Vulnerabilities

rafter run | jq -r '.vulnerabilities | length // 0'

# Count critical vulnerabilities
rafter run | jq '[(.vulnerabilities // [])[] | select(.level == "error")] | length'

Check Quota

rafter usage

Local Security Toolkit

Local security features. No API key required.

Initialize

rafter agent init                          # config only, detect agents
rafter agent init --risk-level aggressive  # set risk level
rafter agent init --with-claude-code       # install Claude Code integration
rafter agent init --all                    # install all detected integrations
rafter agent init --interactive            # guided setup with prompts

Project Setup

rafter agent init-project                  # generate instruction files for all platforms
rafter agent init-project --only claude-code,cursor  # specific platforms only
rafter agent init-project --list           # preview without writing

Secret Scanning

rafter secrets .              # scan current directory
rafter secrets --staged       # scan git staged files only
rafter secrets --json         # output as JSON
rafter secrets --engine gitleaks  # use Gitleaks engine
rafter secrets --watch        # watch for changes and re-scan

Command Execution

rafter agent exec "git push"         # execute with risk assessment
rafter agent exec "rm -rf /" --force # bypass approval (not recommended)

Skill Auditing

rafter agent audit-skill path/to/skill.md

Pre-Commit Hook

rafter agent install-hook           # current repo only
rafter agent install-hook --global  # all repos

Audit Logs

rafter agent audit                       # view recent events
rafter agent audit --last 50             # last 50 events
rafter agent audit --event secret_detected  # filter by event type
rafter agent audit --agent claude-code   # filter by agent
rafter agent audit --since 2026-02-01    # filter by date

Security Briefings

rafter brief                     # list available topics
rafter brief security            # local security briefing
rafter brief setup/claude-code   # platform-specific setup guide
rafter brief commands            # condensed command reference
rafter brief all                 # everything

Configuration

rafter agent config show                              # view all config
rafter agent config get agent.riskLevel               # get a value
rafter agent config set agent.riskLevel aggressive    # set a value

Exit Codes

Rafter Code Analysis (rafter run, rafter get, rafter usage)

Code  Meaning
0     Success
1     General error
2     Scan not found (HTTP 404)
3     Quota exhausted (HTTP 429 or 403 scan-mode limit)
4     Insufficient scope / forbidden (HTTP 403)

Local Security (rafter secrets)

Code  Meaning
0     No secrets found
1     Secrets detected
2     Runtime error (path not found, not a git repo, invalid ref)
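
A CI gate built on the exit codes listed above, as an added example that is not part of Rafter's own documentation or code. The function names and the fail-closed policy are this example's assumptions; the point is that a runtime error (2) or exhausted quota (3) must not be read as a clean result.

```shell
#!/usr/bin/env bash
# Added example, not Rafter's own code. Assumes `rafter` is on PATH.
# The fail-closed policy is this example's choice, not documented behaviour.

# Run `rafter secrets` with the given arguments and classify the outcome.
# Prints clean | secrets | error on stdout; the scanner's report goes to stderr.
secrets_gate() {
    local rc=0
    rafter secrets "$@" >&2 || rc=$?
    case "$rc" in
        0) echo "clean";   return 0 ;;
        1) echo "secrets"; return 1 ;;
        # 2 is a runtime error (path not found, not a git repo, invalid ref).
        # Undocumented codes land here too: the scan did not complete, so
        # the result must never be read as "no secrets found".
        *) echo "error";   return 2 ;;
    esac
}

# Map an exit code from rafter run / rafter get / rafter usage to a label.
scan_status() {
    case "$1" in
        0) echo "success" ;;
        2) echo "scan-not-found" ;;
        3) echo "quota-exhausted" ;;
        4) echo "forbidden" ;;
        *) echo "error" ;;  # 1 is the general error; unknown codes join it
    esac
}

# Remote-scan gate: succeeds only when a scan actually ran and returned 0.
# Quota exhaustion (3) and missing scope (4) mean nothing was analysed.
scan_gate() {
    local rc=0
    local verdict
    rafter run "$@" >&2 || rc=$?
    verdict=$(scan_status "$rc")
    echo "$verdict"
    [ "$verdict" = "success" ]
}

# Typical use in a pipeline step:
#   secrets_gate --staged || exit 1
#   scan_gate --repo myorg/myrepo --branch main --format md || exit 1
```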