
Handbook
This is the place to learn how to use Rafter. Rafter is the easiest way to scan your GitHub repositories for security vulnerabilities. One-click and AI-ready.
Rafter, the short version
Rafter scans your code for vulnerabilities, secrets, and risky dependencies — and pushes that security as far left as possible, into your coding agent's feedback loop. Three ways to use it; same engine every time.
rafter run
Below: how scanning works, what we catch, and how to get a first scan running in under a minute.
New to security? Explore our vibe coding security primer for a practical, mindset-first approach.
The Core Prompt: Shift Security Left
Rafter is the way to move security as far left as possible — into your coding agent's feedback loop. Paste this prompt into Claude Code, Cursor, Windsurf, Aider, Copilot, or any other agent so it consults Rafter during design, implementation, and review (not after the fact).
Use Rafter as a lightweight security layer throughout your development process. Rafter is an open-source CLI that helps identify vulnerabilities, prevent secret leaks, audit dependencies and extensions, and provide security context as you build. If it's not initialized yet, run: npx rafter-cli agent init --all (No API key required)

Use Rafter to shift security left:
- during design and planning, to anticipate risks (auth, data flow, permissions, integrations)
- while writing and modifying code, especially around sensitive logic
- when reviewing changes or diffs
- before finalizing implementations

Treat it as part of your workflow:
- check for issues early and iteratively
- incorporate findings into implementation decisions
- fix what's straightforward and call out non-trivial risks
- avoid patterns that could lead to vulnerabilities, secret exposure, or unnecessary privilege expansion

The goal is not just auditing after the fact, but continuously informing safer design and implementation choices.

With an API key, you unlock the Rafter Code Security Engine to deeply analyze your project with SAST, SCA, secret detection, agentic deep dives, and more.

Docs: https://docs.rafter.so/llms.txt
Repo: https://github.com/Raftersecurity/rafter-cli
★Unlock the Code Security Engine
Pair the prompt with a RAFTER_API_KEY and your agent can run deep SAST, SCA, secret detection, and agentic deep-dive scans automatically — you stop thinking about it, it never stops happening.
1. Grab a key from your account page. Keys start with RF….
2. Export it in the shell your coding agent uses (or add it to your agent's env config):
   # .zshrc / .bashrc
   export RAFTER_API_KEY="RF..."
   # Claude Code / Cursor / Windsurf: set in each tool's env settings
   # or drop it in a local .env the agent can read
3. From then on, every rafter run your agent invokes goes through the Code Security Engine. No extra flags needed:
   rafter run --format md   # uses RAFTER_API_KEY automatically
   rafter run --mode plus   # deeper agentic analysis
No key? See plans. Local secret scanning, pre-commit hooks, and command interception remain free — always.
Scanning
Rafter uses a combination of open source and proprietary scanners to audit your code and detect a wide range of vulnerabilities, including:
- Exposed API keys and secrets
- SQL injection vulnerabilities
- Cross-site scripting (XSS) attacks
- Insecure dependencies and outdated packages
- Hardcoded credentials and passwords
- Insecure authentication mechanisms
- Code injection and command execution risks
- Insecure data transmission and storage
Our toolkit is constantly evolving, but right now we are best suited to finding vulnerabilities in JavaScript/TypeScript and Python. Unfortunately, we can't guarantee that your code is secure, or that we will find all vulnerabilities even in the categories listed in this post.
Example Scanner: Betterleaks
One example of a scanner we use is Betterleaks (formerly Gitleaks), a secret detection tool that scans your code for secrets like API keys, passwords, and other sensitive information. It's kept up to date by a large community of developers (over 200, led by Zach Rice) and is literally the most trusted open source secret scanner out there.
Another reason it is so powerful is that it scans the full history of your repository, not just the current code: a secret that was committed and later removed is still in that history, all of which becomes public if you make your repository public.
Rafter is composed of many scanners that take different approaches. The go-to way to find secrets is regex (regular expressions), a powerful tool for matching patterns in text. 'Regex is (almost) all you need' is an awesome explainer of how regex-based detection and Betterleaks work.
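To make the two points above concrete (regex rules as the core of secret detection, and why scanning history matters), here is an added example written for this handbook; it is not Rafter's or Betterleaks' code. The rules, the entropy cutoff, and the two-commit history are constructed for illustration: the AWS rule uses the publicly documented AKIA key format with the placeholder key from AWS's own docs, and the generic rule is a hypothetical variable-name heuristic with a Shannon-entropy filter to drop placeholders like "changeme_changeme".

```python
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Illustrative detection rules, constructed for this example. They are not
# Betterleaks' real rule set; they show the shape such rules take.
# An AWS access key ID has a fixed, public format (AKIA + 16 uppercase
# alphanumerics), so a plain regex is precise enough on its own.
# The generic rule keys off variable names and needs an entropy check,
# otherwise it would flag placeholders such as "changeme_changeme".
RULES = {
    "aws-access-key-id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "generic-secret-assignment": re.compile(
        r"(?i)(?:secret|password|passwd|token|api[_-]?key)\w*\s*[:=]\s*['\"]([^'\"\s]{12,})['\"]"
    ),
}
ENTROPY_THRESHOLD = 3.5  # bits per character; a constructed cutoff for the generic rule


@dataclass(frozen=True)
class Finding:
    rule: str
    commit: str
    path: str
    line: int
    secret: str


def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking tokens score high, words score low."""
    if not s:
        return 0.0
    length = len(s)
    return -sum(
        (n / length) * math.log2(n / length)
        for n in (s.count(c) for c in set(s))
    )


def redact(secret: str) -> str:
    """Keep a short prefix for triage and mask the rest so reports never re-leak the value."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_blob(commit: str, path: str, text: str) -> list[Finding]:
    """Run every rule over every line of one file version."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for match in pattern.finditer(line):
                candidate = match.group(1)
                if rule == "generic-secret-assignment" and shannon_entropy(candidate) < ENTROPY_THRESHOLD:
                    continue  # low-entropy value: almost certainly a placeholder, not a real secret
                findings.append(Finding(rule, commit, path, lineno, candidate))
    return findings


def scan_history(commits: list[dict]) -> list[Finding]:
    """Scan every file version in every commit, the way a history-aware scanner does."""
    findings = []
    for commit in commits:
        for path, text in commit["files"].items():
            findings.extend(scan_blob(commit["id"], path, text))
    return findings


# Constructed two-commit history. Commit c1 hard-codes credentials; commit c2
# moves them to environment variables, but c1 is still in the repository.
# The AKIA... value is the placeholder key from AWS's documentation, not a live credential.
HISTORY = [
    {"id": "c1", "files": {"config.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'API_TOKEN = "k8Qz3xP1vN7rT2wL9mB4"\n'
        'password = "changeme_changeme"\n'
    )}},
    {"id": "c2", "files": {"config.py": (
        "import os\n"
        'AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]\n'
        'API_TOKEN = os.environ["API_TOKEN"]\n'
    )}},
]

if __name__ == "__main__":
    # Scanning only the latest commit finds nothing; scanning history finds the leak.
    print("latest commit only:", len(scan_history(HISTORY[-1:])), "finding(s)")
    for f in scan_history(HISTORY):
        print(f"{f.rule} in {f.commit}:{f.path}:{f.line} -> {redact(f.secret)}")
```

Scanning only the latest commit reports nothing, while scanning the full history surfaces the key and the token from c1. The entropy filter is what keeps the generic rule usable: without it, every `password = "..."` placeholder would become a finding, and the report would drown the two real ones.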
How to Scan
Simply visit the dashboard, select a GitHub repository and branch, then click scan. Your scan will be added to the queue, and when it's ready you can see the results.
Understanding Results
Rafter categorizes findings into three severity levels:
- Error: Critical security vulnerabilities that should be addressed immediately.
- Warning: Potential security issues that should be reviewed and addressed.
- Improvements: Best practice recommendations to consider.
Each issue includes information about the problem: the cause, the fix, and exactly where in the code it is. They are compiled in an easy-to-read table format.
Our scanner may flag more issues than you need to address. Some findings might be intentional design choices or acceptable risks for your specific use case. Always review each finding in the context of your application's requirements. Please note that Rafter provides vulnerability scanning results, not a complete operational risk model (consistent with how CVSS positions itself: a severity score, not a risk assessment).
Using the Results
You can copy all the errors of a particular category at once or go one by one. What you copy is not just the raw errors: it is formatted with best-practice prompt engineering so you can drop it straight into your favorite AI agent tool, whether IDE or web agent.
AI-Ready Format
Each vulnerability is formatted with context, code location, and remediation steps that you can directly paste into Bolt, Emergent, Lovable, Replit, ChatGPT, Claude, Gemini, Grok, or any AI coding assistant for instant help with fixes.
Next Steps
Rafter is step one in security. It's easy, simple, fast, and a great place to start. But security is hard and always evolving. After fixing the issues found by Rafter, consider:
- Regular security audits and penetration testing
- Implementing security monitoring and logging
- Setting up automated security scanning in your CI/CD pipeline
- Training your team on security best practices
- Staying updated with the latest security threats and patches
Not sure how? We're working on an end-to-end guide for vibe security engineers and coders who want to learn more about security, coming soon. In the meantime, I'm sure AI can help.
Need More Help?
If you need technical implementation details, visit our Developer Documentation for API references, integration guides, and advanced configuration options.
Something Wrong?
Let us know! We want to make security as simple and instantaneous as possible, because everything on the internet should be secure.