FlowRail

Security for the AI-native SDLC.

Threats predicted at design. Writes verified at code-gen. Findings triaged in context. One threat graph across every surface of the SDLC.

FlowRail Components

Three surfaces, one platform, every step of the SDLC.

Hooks that run inline with Claude Code. A dashboard for guardrails and audit. A CI gate at the merge. All threaded by the same design review.


Hooks, thin skills, and MCP tools that run inline with Claude Code. Block insecure code, secrets, and risky dependencies before they reach disk.

Author guardrails, audit every decision the gates made, query the threat graph, and export compliance evidence.

The authoritative pre-merge enforcement surface. Catches what the agent missed and what was committed without an agent at all.

The platform

One threat graph, every surface of the SDLC. Built for how your team builds now.

From the spec your developer writes to the scanner finding triaged six weeks later, every event in the SDLC threads under the same design review. That's the moat: knowing what to scan, what to block, and what to triage, because the platform remembers what the spec said in the first place.

Code-agent integration

Design review

FlowRail reads each spec and turns it into a structured review: predicted threats mapped to OWASP, approved dependencies, an allowed-channels list, and a stable id every downstream event threads through.

dr_7f3a9e2c · password-reset.spec.md
threats predicted from spec
  secret_exposure            high
  input_validation           med
  dependency_supply_chain    med
  auth_bypass                high
approved deps · argon2@^0.40, jose@^5.9

Code-agent integration

Pre-code-gen verifier

Two checks on every agent write. A fast local pattern net hard-blocks high-confidence secrets. A semantic verifier evaluates the write against the active review's predicted threats. Either check can deny the write; the agent then fixes the code and retries.

$ git commit -m "wire stripe webhook"
flowrail ✓ regex layer · clean
● BLOCK Stripe live key inlined
  threat   secret exposure · high
  layer    regex+LLM
  + swap to process.env.STRIPE_SECRET_KEY
✓ resolved · ready to commit

CI gate

Scanner orchestrator

FlowRail does not run scanners. It decides which rules to apply, ingests Semgrep, SARIF, and custom outputs, and contextually filters findings against the active review so you see what matters, not what's noisy.

scanner findings · last 30d

  scanner    total    kept    verdict
  semgrep    218      47      in scope
  sarif      72       9       in scope
  codeql     14       4       in scope
  custom     31       ·       filtered

335 raw → 60 in scope · contextual rules · spec-driven filter

Code-agent integration

Triage & feedback

Every finding gets a verdict: true positive, false positive, or accepted risk. Findings that escape a guardrail auto-tighten the rule, gated by replay testing and rate-limited integrity protections.

fnd_d4a1c8e2 · semgrep · injection
verdict   false positive · confidence 0.87
evidence
  user_input sanitized at line 38 via zod
  flagged sink at line 47 receives validated values
  no taint flow from request body to query
guardrail escape · no

How it works

Three commands. No daemon. No human in the loop.

Step 01 · Install

$ npx @flowrail/init-poc

One command in your repo. Wires hooks, registers skills.

Step 02 · Open a review

$ claude "implement specs/payment.spec.md"
  ↳ dr_7f3a9e2c · 4 threats predicted

Drop a spec under specs/. The first write opens a review id.

Step 03 · Ship and triage

$ git push
  ✓ 0 escapes · 6 findings auto-triaged

Writes verified at code-gen. Scanner findings triaged in context. All threaded by review id.

FAQ

Common questions, briefly.

Still curious? Read the docs or book a call.

FlowRail is the security decision layer for spec-driven development. It reads your spec to predict threats, blocks unsafe writes at code-gen, gates dependency installs on supply-chain signals, and triages whatever your existing scanners find. One threat graph, threaded by design intent across every surface of the SDLC.

Ship faster. Triage less.

Free for solo devs. Pay when your team does.