Handbook
This is the place to learn how to use Rafter. Rafter is the easiest way to scan your GitHub repositories for security vulnerabilities. One-click and AI-ready.
The Beauty of Simplicity
The beauty of Rafter is that you can choose no code, low code, vibe code, or all code—whatever you need. Run everything in the browser from the Dashboard, run rafter run from the terminal, or build a custom API integration using our docs.
This handbook is a quick overview of how we scan, what we scan for, and how to get scanning ASAP.
Scanning
Rafter uses a combination of open source and proprietary methods to scan your code and detect a wide range of vulnerabilities, including:
- Exposed API keys and secrets
- SQL injection vulnerabilities
- Cross-site scripting (XSS) attacks
- Insecure dependencies and outdated packages
- Hardcoded credentials and passwords
- Insecure authentication mechanisms
- Code injection and command execution risks
- Insecure data transmission and storage
Our toolkit is constantly evolving, but right now we are best suited to find vulnerabilities in JavaScript/TypeScript and Python. Unfortunately, we can't guarantee that your code is secure, or that we will find all vulnerabilities even in the categories listed above.
How to Scan
Simply visit the dashboard, select a GitHub repository and branch, then click scan. Your scan will be added to the queue, and when it's ready you can see the results.
Understanding Results
Rafter categorizes findings into three severity levels:
Error
Critical security vulnerabilities that should be addressed immediately.
Warning
Potential security issues that should be reviewed and addressed.
Improvements
Best practice recommendations to consider.
Each issue includes information about the problem: the cause, the fix, and exactly where in the code it is. They are compiled in an easy-to-read table format.
Our scanner may flag more issues than you need to address. Some findings might be intentional design choices or acceptable risks for your specific use case. Always review each finding in context of your application's requirements.
Using the Results
You can copy all the errors of a particular category at once or go one-by-one. What you copy is not just the errors: it is formatted with best-practice prompt engineering, ready to drop into your favorite AI agent tool, whether an IDE or a web agent.
AI-Ready Format
Each vulnerability is formatted with context, code location, and remediation steps that you can directly paste into Bolt, Emergent, Lovable, Replit, ChatGPT, Claude, Gemini, Grok, or any AI coding assistant for instant help with fixes.
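To make concrete what the Scanning section lists (exposed API keys, hardcoded credentials, string-built SQL) and what the AI-ready format in this section looks like, here is a small, added example in Python. It is not Rafter's code and does not reflect how Rafter actually detects anything; it is a toy line-by-line pattern scanner over a constructed sample file, with findings grouped into the handbook's Error/Warning/Improvements levels and rendered as a paste-ready prompt. The sample source, the key format in the regex, and the rule set are all constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    category: str   # which vulnerability class matched
    severity: str   # "Error" or "Warning", following the handbook's levels
    line: int       # 1-based line number in the scanned source
    snippet: str    # the offending line, stripped
    fix: str        # remediation hint shown with the finding


# Constructed sample source (not a real project): three problems and one safe query.
SAMPLE_SOURCE = """\
import sqlite3
API_KEY = "sk_live_EXAMPLEKEY1234567890abcdef"  # exposed API key (placeholder value)
DB_PASSWORD = "hunter2"  # hardcoded credential
def find_user(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")  # string-built SQL
    return cur.fetchall()
def find_user_safe(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))  # parameterised
    return cur.fetchall()
"""

# Each rule: (category, severity, compiled pattern, fix). The patterns are deliberately
# simple and illustrative; a real scanner uses many more signatures plus data-flow analysis.
RULES = [
    ("Exposed API key", "Error",
     re.compile(r"""["'](?:sk_(?:live|test)_[A-Za-z0-9]{16,}|AKIA[0-9A-Z]{16})["']"""),
     "Move the key into an environment variable or secrets manager and rotate it."),
    ("Hardcoded credential", "Error",
     re.compile(r"""(?i)\w*(?:password|passwd|secret)\w*\s*=\s*["'][^"']+["']"""),
     "Load the credential from configuration at runtime instead of the source file."),
    ("SQL injection (query built from strings)", "Warning",
     re.compile(r"""execute\(\s*(?:f["']|"[^"]*"\s*\+|'[^']*'\s*\+)"""),
     "Pass user input as query parameters: cur.execute(sql, (value,))."),
]


def scan_source(source: str) -> list[Finding]:
    """Run every rule over every line and collect the matches, in file order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for category, severity, pattern, fix in RULES:
            if pattern.search(line):
                findings.append(Finding(category, severity, lineno, line.strip(), fix))
    return findings


def by_severity(findings: list[Finding]) -> dict[str, list[Finding]]:
    """Group findings under the handbook's three severity labels."""
    groups: dict[str, list[Finding]] = {"Error": [], "Warning": [], "Improvements": []}
    for f in findings:
        groups[f.severity].append(f)
    return groups


def format_for_agent(finding: Finding, filename: str) -> str:
    """Render one finding as a self-contained prompt: cause, location, code and fix."""
    return (
        f"Security finding ({finding.severity}): {finding.category}\n"
        f"Location: {filename}, line {finding.line}\n"
        f"Code: {finding.snippet}\n"
        f"Requested fix: {finding.fix}\n"
        "Please rewrite only the affected code and explain the change."
    )


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(format_for_agent(f, "app.py"))
        print()
```

Running it reports lines 2, 3 and 6 of the sample and leaves the parameterised query on line 10 alone, which is the point of the last rule: it flags string concatenation or an f-string inside execute(), not SQL as such. Every finding carries its own fix text, so the prompt block can be pasted into an assistant without the reader having to re-explain the problem.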
Next Steps
Rafter is step one in security. It's easy, simple, fast, and a great place to start. But security is hard and always evolving. After fixing the issues found by Rafter, consider:
- Regular security audits and penetration testing
- Implementing security monitoring and logging
- Setting up automated security scanning in your CI/CD pipeline
- Training your team on security best practices
- Staying updated with the latest security threats and patches
Not sure how? We're working on an end-to-end guide for vibe security engineers and coders who want to learn more about security, coming soon. In the meantime, I'm sure AI can help.
Need More Help?
If you need technical implementation details, visit our Developer Documentation for API references, integration guides, and advanced configuration options.
Something Wrong?
Let us know! We want to make security as simple and instantaneous as possible, because everything on the internet should be secure.