Rafter

Scan GitHub repositories for security vulnerabilities, secrets, and code issues with AI-powered SAST and actionable fix suggestions. Rafter connects to your GitHub with one click, delivers severity-tagged findings with plain-English remediation steps, and integrates with Claude Code, Cursor, and other AI coding agents.

Overview

Rafter is an AI-powered code security platform designed for developers, startups, and engineering teams who ship code on GitHub and need to catch vulnerabilities before they reach production. Founded in October 2025 and based in San Francisco, Rafter provides one-click security scanning for GitHub repositories, combining AI-driven static analysis with actionable, plain-English fix suggestions that integrate directly with AI coding assistants.

How It Works

Rafter connects to a GitHub repository with read-only permissions and runs a full security scan from its web dashboard without requiring terminal setup or configuration expertise. The scanning engine detects hardcoded secrets such as API keys, tokens, and database credentials, common web vulnerabilities including SQL injection and cross-site scripting, insecure authentication patterns, and risky dependency configurations. Each finding is tagged by severity and includes the exact file location and vulnerable line number, allowing developers to pinpoint issues instantly. Beyond static code analysis, Rafter also offers live website security flight checks that assess performance, accessibility, best practices, and SEO.

AI-Ready Fixes and Agent Integration

Rafter is built from the ground up to work alongside AI coding agents. Each vulnerability finding includes a structured remediation description in plain English, formatted as a copy-ready prompt that developers can paste directly into Claude Code, ChatGPT, Cursor, Windsurf, or any supported AI coding assistant. The tool supports nine major agent platforms including Claude Code, Codex CLI, OpenClaw, Gemini CLI, Cursor, Windsurf, Continue.dev, Aider, and Hermes. Integration methods vary by platform, with skill-based agents receiving the full Rafter skill set while MCP-based agents connect through the Rafter MCP server. The Rafter CLI is available via npm and pip, released under the MIT license.

Local Security Toolkit

Rafter ships a free, open-source CLI that works entirely offline with no account, no API key, no telemetry, and no data ever leaving the machine. Features include fast secret scanning with over 21 built-in patterns covering AWS, GitHub, Google, Slack, Stripe, Twilio, database connection strings, JWTs, private keys, and more. Pre-commit hooks block secrets before they enter version control. A command policy enforcement layer routes shell commands through a risk-assessment system with tiered approval levels. A tamper-evident audit log with SHA-256 hash chaining records every security-relevant event. Custom pattern rules can be added through a project configuration file.

CI/CD and Remote Analysis

Rafter integrates into CI/CD pipelines via GitHub Actions, GitLab CI, and CircleCI. A reusable GitHub Action provides deterministic output with stable exit codes, making it suitable for automated security gates. For deeper audits, Rafter's remote API performs agentic analysis combining a full SAST and SCA toolchain with reasoning about authentication, authorization, and business logic vulnerabilities. The engine traces data flows across files and cross-references findings with industry-standard static analysis and dependency scanning tools. Results are available as structured JSON or Markdown reports pipeable to any automation workflow.

Pricing and Privacy

Rafter is free forever for individual developers and open-source projects. The local CLI toolkit requires no account and has no usage limits. Paid plans are available through AppSumo lifetime deals starting at $39. Privacy is a core principle: no code leaves the machine during local scanning, and remote analysis deletes code immediately after processing completes. The CLI collects no telemetry and functions without network access. An affiliate program is available for partners.
