AI Workflow
Integrations
The AI Security Workflow
If you build with AI, your security loop should live where you build. BoringSec closes the loop in three stages: find (scans), fix (AI fix prompts + autofix templates), prevent (generated workspace rules that make your AI assistant security-aware from the first token).
1. Fix prompts — per finding, per platform
Every finding in your report ships with a fix prompt tailored to your tool. Supported targets: Cursor, Lovable, Bolt, Claude Code, Replit, v0, Windsurf.
- API:
GET /api/v1/fix-suggestions/{issueCode}(scope:scan:read) - Returns built-in templates plus community-submitted templates (verified and upvoted), with estimated minutes and difficulty.
- Paste the prompt into your assistant; it carries the finding’s context, the target stack, and the acceptance criteria for the fix.
2. Autofix — deterministic templates
For issues with a known-safe mechanical fix (headers, config flags, cookie attributes), autofix returns the exact change rather than a prompt:
- API:
GET /api/v1/autofix/{issueCode}(scope:scan:read), optionally scoped to a file path. - Templates are deterministic and reviewed — no generation, no surprises. Path handling is traversal-hardened.
- Use fix prompts for judgment calls; use autofix for the boring, well-defined changes. Boring is good.
3. Generated workspace rules — prevention
POST /api/v1/generate-rules turns a scan into standing instructions for your AI assistant. It generates .cursorrules and/or AGENTS.md containing:
- Security best-practice rules derived from your actual findings (auth boundaries, secrets hygiene, database/RLS, API hardening, XSS defense, Next.js specifics)
- Stack-specific rule packs (nextjs-supabase, nextjs-firebase, nextjs-clerk, nextjs-stripe)
- Your organization’s policy packs, if configured. Every generation is audit-logged.
Drop the file in your repo root. From then on, every AI coding session starts with your security rules already in context — the assistant stops suggesting service_role in client components before you ever have to review it.
4. MCP — the whole loop inside your editor
The BoringSec MCP server brings all of the above into Claude Code and Cursor directly:
npx -y @boringsec/claude-code login # device auth — no raw API keys to copy
npx -y @boringsec/claude-code init # wires the MCP server into your editor
npx -y @boringsec/claude-code doctor # verifies the setupThen, in your editor: “Run a BoringSec review of this project and fix the criticals.” The assistant can trigger scans, read findings, pull fix prompts, apply autofixes and regenerate workspace rules — without leaving the session. MCP access is available on paid plans. See the MCP guide for the full install walkthrough and troubleshooting.
Recommended loop
- Scan (dashboard, API, or MCP).
- Fix criticals and highs with fix prompts / autofix.
- Rescan to verify — findings close only with evidence.
- Regenerate workspace rules so the class of bug doesn’t come back.
- On a paid plan, let Care re-scan weekly and alert on regressions.
FAQ
Are fix prompts safe to paste blindly?
They’re written to be reviewed like any diff. Autofix templates are deterministic; fix prompts instruct the assistant to explain the change. Either way — read the diff before you ship it. Rule generation exists so there are fewer diffs to read.
Do community templates run any code?
No. They’re text templates, reviewed and verification-gated before they appear, and clearly separated from built-ins in the API response.