Rafter CLI — the default security agent for AI workflows. Free for individuals and open source.
Project description
rafter-cli (Python)
Python CLI for Rafter — the security toolkit for developers. Full feature parity with the Node.js package.
Local security toolkit — Fast, deterministic secret scanning (21+ patterns, Gitleaks), policy enforcement with risk-tiered rules, pre-commit hooks, pretool hooks, extension auditing, custom rule authoring, and full audit logging. Works with Claude Code, Codex CLI, OpenClaw, and 5 more platforms. No API key required. No data leaves your machine.
Remote code analysis — Deep security audits that combine agentic analysis with a full SAST/SCA toolchain. The engine examines your codebase the way a professional cybersecurity auditor would — tracing data flows, reasoning about business logic, and surfacing vulnerabilities that static rules alone miss — then cross-references findings with industry-standard static analysis and dependency scanning. Structured JSON reports with documented exit codes. Your code is deleted immediately after analysis completes.
MCP server — Expose Rafter security tools to any MCP-compatible client (Cursor, Windsurf, Claude Desktop, Cline) over stdio.
Installation
pip install rafter-cli
Requires Python 3.10+.
Quick Start
Backend Code Analysis
export RAFTER_API_KEY="your-key" # or add to .env file
rafter run # scan current repo (auto-detected)
rafter scan --repo myorg/myrepo --branch main # scan specific repo
rafter get SCAN_ID # retrieve results
rafter get SCAN_ID --interactive # poll until complete
rafter usage # check quota
Important: The code analysis engine runs against the remote repository on GitHub, not your local files. Your code is deleted immediately after analysis completes.
Local Security
rafter agent init # initialize config + detect environments
rafter agent init --all # install all detected integrations
rafter agent scan . # scan for secrets
rafter agent scan --diff HEAD~1 # scan changed files
rafter agent exec "git commit" # execute with risk assessment
rafter agent audit # view security logs
rafter agent config show # view configuration
Pretool Hooks (Claude Code)
rafter agent init --with-claude-code # install PreToolUse hooks
rafter hook pretool # hook handler (reads stdin, writes decision)
rafter policy export --format claude # export hook config
MCP Server
rafter mcp serve # start MCP server over stdio
Add to any MCP client config:
{
"rafter": {
"command": "rafter",
"args": ["mcp", "serve"]
}
}
Tools: scan_secrets, evaluate_command, read_audit_log, get_config
Resources: rafter://config, rafter://policy
Commands
rafter run [options]
Alias: rafter scan
Trigger a new security scan for your repository.
-r, --repo <repo>— org/repo (default: auto-detected from git remote)-b, --branch <branch>— branch (default: current branch or 'main')-k, --api-key <key>— API key (orRAFTER_API_KEYenv var)-f, --format <format>—jsonormd(default:md)--skip-interactive— don't wait for scan completion--quiet— suppress status messages
rafter get <scan-id> [options]
Retrieve results from a scan.
-k, --api-key <key>— API key-f, --format <format>—jsonormd(default:md)--interactive— poll until scan completes--quiet— suppress status messages
rafter usage [options]
Check API quota and usage.
-k, --api-key <key>— API key
rafter mcp serve [options]
Start MCP server over stdio transport.
--transport <type>— Transport type (default:stdio)
rafter hook pretool
PreToolUse hook handler. Reads tool input JSON from stdin, writes decision to stdout.
rafter policy export [options]
Export Rafter policy for agent platforms.
--format <type>— Target format:claudeorcodex--output <path>— Write to file instead of stdout
Piping and Automation
# Filter high-severity vulnerabilities (SARIF levels: error, warning, note)
rafter get SCAN_ID --format json | jq '.vulnerabilities[] | select(.level=="error")'
# CI gate
if rafter get SCAN_ID --format json | jq -e '.vulnerabilities | length > 0'; then
echo "Vulnerabilities found!" && exit 1
fi
Exit Codes
| Code | Meaning |
|---|---|
| 0 | Success |
| 1 | General error / secrets found |
| 2 | Scan not found |
| 3 | Quota exhausted |
Documentation
Full docs at docs.rafter.so.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file rafter_cli-0.7.0.tar.gz.
File metadata
- Download URL: rafter_cli-0.7.0.tar.gz
- Upload date:
- Size: 79.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.15
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
9e5fddd25a1585899cb21eb40dec346e6aed5bf9a63a0e6da38ad54c222d69b9
|
|
| MD5 |
426daebb14360d6c65e502c0ff3414e6
|
|
| BLAKE2b-256 |
7a80ba943101c4648744a7e4dc2cc90ac8568a4a13e4d5bb8690702abef8b290
|
File details
Details for the file rafter_cli-0.7.0-py3-none-any.whl.
File metadata
- Download URL: rafter_cli-0.7.0-py3-none-any.whl
- Upload date:
- Size: 100.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.15
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
f6cd66a87233c98bea65b0a7846cc161e7766465122b4a579b374f6cbaebd8bb
|
|
| MD5 |
f2ea383305060fcbaeee3b99d5dc6ba4
|
|
| BLAKE2b-256 |
07324bd54f6c22aa294ba07f4719953dbc697d5aa2a9f74bc373c1ce16f8aa65
|
