Skip to content

Documentation

Everything you need to secure your AI-built projects

AI Workflow

Integrations

The AI Security Workflow

If you build with AI, your security loop should live where you build. BoringSec closes the loop in three stages: find (scans), fix (AI fix prompts + autofix templates), prevent (generated workspace rules that make your AI assistant security-aware from the first token).

1. Fix prompts — per finding, per platform

Every finding in your report ships with a fix prompt tailored to your tool. Supported targets: Cursor, Lovable, Bolt, Claude Code, Replit, v0, Windsurf.

  • API: GET /api/v1/fix-suggestions/{issueCode} (scope: scan:read)
  • Returns built-in templates plus community-submitted templates (verified and upvoted), with estimated minutes and difficulty.
  • Paste the prompt into your assistant; it carries the finding’s context, the target stack, and the acceptance criteria for the fix.

2. Autofix — deterministic templates

For issues with a known-safe mechanical fix (headers, config flags, cookie attributes), autofix returns the exact change rather than a prompt:

  • API: GET /api/v1/autofix/{issueCode} (scope: scan:read), optionally scoped to a file path.
  • Templates are deterministic and reviewed — no generation, no surprises. Path handling is traversal-hardened.
  • Use fix prompts for judgment calls; use autofix for the boring, well-defined changes. Boring is good.

3. Generated workspace rules — prevention

POST /api/v1/generate-rules turns a scan into standing instructions for your AI assistant. It generates .cursorrules and/or AGENTS.md containing:

  • Security best-practice rules derived from your actual findings (auth boundaries, secrets hygiene, database/RLS, API hardening, XSS defense, Next.js specifics)
  • Stack-specific rule packs (nextjs-supabase, nextjs-firebase, nextjs-clerk, nextjs-stripe)
  • Your organization’s policy packs, if configured. Every generation is audit-logged.

Drop the file in your repo root. From then on, every AI coding session starts with your security rules already in context — the assistant stops suggesting service_role in client components before you ever have to review it.

4. MCP — the whole loop inside your editor

The BoringSec MCP server brings all of the above into Claude Code and Cursor directly:

npx -y @boringsec/claude-code login   # device auth — no raw API keys to copy
npx -y @boringsec/claude-code init    # wires the MCP server into your editor
npx -y @boringsec/claude-code doctor  # verifies the setup

Then, in your editor: “Run a BoringSec review of this project and fix the criticals.” The assistant can trigger scans, read findings, pull fix prompts, apply autofixes and regenerate workspace rules — without leaving the session. MCP access is available on paid plans. See the MCP guide for the full install walkthrough and troubleshooting.

Recommended loop

  1. Scan (dashboard, API, or MCP).
  2. Fix criticals and highs with fix prompts / autofix.
  3. Rescan to verify — findings close only with evidence.
  4. Regenerate workspace rules so the class of bug doesn’t come back.
  5. On a paid plan, let Care re-scan weekly and alert on regressions.

FAQ

Are fix prompts safe to paste blindly?

They’re written to be reviewed like any diff. Autofix templates are deterministic; fix prompts instruct the assistant to explain the change. Either way — read the diff before you ship it. Rule generation exists so there are fewer diffs to read.

Do community templates run any code?

No. They’re text templates, reviewed and verification-gated before they appear, and clearly separated from built-ins in the API response.