The fastest path to shifting security left: install the CLI, hand your agent an API key, and let it consult Rafter on every meaningful change.

Get started in three steps

1. Install the CLI

Install the Rafter security CLI using your preferred package manager.
npm install -g @rafter-security/cli
If you install with pip instead, Python 3.10 or newer is required. Verify your version:
python3 --version   # Must be 3.10 or higher
On Ubuntu/Debian, Python and pip may not be installed by default:
sudo apt update && sudo apt install -y python3 python3-pip python3-venv
On Fedora/RHEL: sudo dnf install python3 python3-pip. macOS: brew install python. Windows: install from python.org — pip is included.
Verify the install worked:
rafter --version
2. Get your API key

Sign up and grab your API key from your account page.
Your API key starts with RF and should be kept secure. Never commit it to version control (e.g. GitHub). Use environment variables instead.
3. Start your first scan

Navigate to a Git repository, then run:
cd /path/to/your/repo
rafter run --api-key "RFabc-your-api-key-here" --format md
Or set the key as an environment variable and skip the flag:
export RAFTER_API_KEY="RFabc-your-api-key-here"
cd /path/to/your/repo
rafter run --format md
The CLI auto-detects your repository and branch from Git, then displays scan results in your terminal.
rafter scan is an alias for rafter run — use whichever you prefer. Add --mode plus (or -m plus) for deeper analysis with additional agent passes beyond the default fast scan.

Local Security (No Account Required)

Rafter’s local features work with zero setup — no API key, no sign-up:
# Set up agent security for all detected platforms
rafter agent init --all

# Scan for secrets locally
rafter scan local .
This gives you secret scanning, pre-commit hooks, command interception, and audit logging — all offline, all free. See the agent security guide for details.

Hand Rafter to Your Coding Agent

The whole point of Rafter is that your agent should be the one reaching for it — during design, while writing code, when reviewing diffs, before finalizing changes. Paste this prompt into Claude Code, Cursor, Codex, Windsurf, Aider, or any other agent so security becomes part of its loop instead of an afterthought:
Use Rafter as a lightweight security layer throughout your development process.

Rafter is an open-source CLI that helps identify vulnerabilities, prevent secret
leaks, audit dependencies and extensions, and provide security context as you build.

If it's not initialized yet, run:
  npx rafter-cli agent init --all
(No API key required)

Use Rafter to shift security left:
- during design and planning, to anticipate risks (auth, data flow, permissions, integrations)
- while writing and modifying code, especially around sensitive logic
- when reviewing changes or diffs
- before finalizing implementations

Treat it as part of your workflow:
- check for issues early and iteratively
- incorporate findings into implementation decisions
- fix what's straightforward and call out non-trivial risks
- avoid patterns that could lead to vulnerabilities, secret exposure, or unnecessary privilege expansion

The goal is not just auditing after the fact, but continuously informing safer
design and implementation choices.

With an API key (RAFTER_API_KEY), unlock the Rafter Code Security Engine to deeply
analyze your project with SAST, SCA, secret detection, agentic deep dives, and more.

Docs: https://docs.rafter.so/llms.txt
Repo: https://github.com/Raftersecurity/rafter-cli
Set RAFTER_API_KEY in your shell or your agent’s environment so every scan it runs goes through the Code Security Engine — you stop thinking about security; the agent never stops doing it.

What’s happening?

When you run rafter run, the CLI will:
  1. Auto-detect your repository and branch from Git
  2. Securely pull your code from GitHub into Rafter’s scanning engine
  3. Scan for vulnerabilities, secrets, and security issues
  4. Delete your code from Rafter’s scanning engine
  5. Display results directly in your terminal
The CLI scans the remote repository, not your local working tree or unpushed commits. Make sure your changes are pushed to the remote branch before scanning, or the results will not reflect them.

Bonus: Saving Results to a File

To run a scan and save the results to a file, you can use the following command:
rafter run --api-key "RFabc-your-api-key-here" --format md > security-report-$(date +%Y-%m-%d-%H-%M-%S).md
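The following wrapper ties together the two cautions on this page (keep the key in an environment variable, and push before you scan, since only the remote branch is scanned) with the save-to-file command above. It is an added example, not part of the Rafter CLI; the function names, the placeholder check and the assumption that a real key begins with "RF" follow only what this page states.

```shell
#!/usr/bin/env sh
# Preflight checks before a remote Rafter scan (added example, not Rafter's own code).
# Assumes: `rafter` and `git` are on PATH and the key lives in RAFTER_API_KEY.

# Reject an empty key, the docs' placeholder text, or a key without the RF prefix,
# so a misconfigured agent environment fails locally instead of sending a bad key.
key_looks_valid() {
  case "$1" in
    "")                 return 1 ;;
    *your-api-key*)     return 1 ;;   # placeholder copied from the docs
    RF*)                return 0 ;;
    *)                  return 1 ;;
  esac
}

# Number of commits on HEAD that the upstream branch does not have yet.
# Prints "no-upstream" when the branch was never pushed (or git is unavailable).
unpushed_commits() {
  git rev-list --count '@{upstream}..HEAD' 2>/dev/null || echo "no-upstream"
}

# Fail fast on any condition that would make the remote scan misleading.
rafter_preflight() {
  key_looks_valid "${RAFTER_API_KEY:-}" || {
    echo "RAFTER_API_KEY is unset or not a real RF key" >&2; return 1; }
  git rev-parse --is-inside-work-tree >/dev/null 2>&1 || {
    echo "not inside a Git repository" >&2; return 1; }
  n=$(unpushed_commits)
  case "$n" in
    0)           return 0 ;;
    no-upstream) echo "branch has no upstream; push it first" >&2; return 1 ;;
    *)           echo "$n unpushed commit(s); the remote scan would miss them" >&2
                 return 1 ;;
  esac
}

# Run the scan (key taken from the environment, no --api-key flag needed)
# and keep a timestamped Markdown report next to the repository.
run_scan_with_report() {
  rafter_preflight || return 1
  rafter run --format md > "security-report-$(date +%Y-%m-%d-%H-%M-%S).md"
}

# Usage from the repository root:  . ./rafter-preflight.sh && run_scan_with_report
```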

Next Steps

- CLI Basics: learn the fundamentals of using the Rafter CLI.
- Advanced CLI: master advanced CLI features and automation.
- API Reference: build custom integrations with the REST API.
- CI/CD Integration: set up automated scanning in your pipelines.
Want to know more about how we scan? See our handbook for detailed information about our scanning technology and security coverage.