Features

Built for the shape of security consulting.

Every surface — MCP, scans, findings, reports, Hermes — is designed for consultants and Lovable developers who need real security work without the ceremony.

Lovable AI chat panel showing Hermes streaming three security findings with copy-ready remediation snippets.
Lovable-native workflow

Scan from a prompt. Fix from a prompt.

Ask Hermes for a scan from inside your Lovable editor and receive prioritized findings with remediation snippets you can drop straight into the next prompt. No detours to another dashboard, no losing the thread of what you were building.

Get the MCP endpoint

MCP for Lovable

Plug RASS into your Lovable project as a custom MCP server and scan from a prompt. Hermes streams structured findings and copy-ready remediation blocks back into the chat — no context switch, no manual triage. OAuth 2.1 with PKCE, short-lived project-scoped tokens, and every tool call audit-logged.

  • Prompt-driven scans
  • Hermes in the chat
  • OAuth 2.1 + PKCE
  • Full audit trail
Prompt-driven scans
Hermes in the chat
OAuth 2.1 + PKCE
Full audit trail

Scan automation

Manual or scheduled runs against staging or production. Saved auth profiles, scope rules, and per-run authorization confirmation. Real-time timeline, logs, and normalized findings.

  • Manual + scheduled
  • Auth profiles
  • Scope rules
  • Live timeline
Manual + scheduled
Auth profiles
Scope rules
Live timeline

Framework packs

First-class packs for OWASP Top 10, Supabase RLS, OWASP API Top 10, Stripe webhooks, React, CIS Terraform / CloudFormation / Kubernetes / Helm / Docker, and Sentinel/OPA. The scanner auto-detects the right packs for your target and suggests new ones as your stack changes.

  • OWASP + API Top 10
  • CIS IaC packs
  • Per-project toggles
  • Auto-detect & suggest
OWASP + API Top 10
CIS IaC packs
Per-project toggles
Auto-detect & suggest

IaC configuration scanning

Static analysis across Terraform, CloudFormation, Kubernetes YAML, Helm charts, and Dockerfiles. Ships deterministic fix snippets and supports custom OPA / Sentinel-style rules with per-project overrides.

  • Terraform + CFN
  • K8s + Helm + Docker
  • Deterministic fix snippets
  • Custom rules & overrides
Terraform + CFN
K8s + Helm + Docker
Deterministic fix snippets
Custom rules & overrides

Cloud integrations

Read-only validation for AWS, Azure, and GCP accounts. Credentials are stored encrypted and scoped to describe-only permissions — no workload access, no mutations.

  • AWS + Azure + GCP
  • Read-only credentials
  • Encrypted at rest
  • Posture snapshots
AWS + Azure + GCP
Read-only credentials
Encrypted at rest
Posture snapshots

GitLab integration

Connect repos to scan on push, merge request, and pipeline events. Advisory MR comments or hard status-check gating. Auto-PR for low-severity deterministic fixes. Webhook signatures verified with replay protection.

  • Push / MR / pipeline
  • Advisory or gate mode
  • Signed webhooks
  • Auto-PR for low sev
Push / MR / pipeline
Advisory or gate mode
Signed webhooks
Auto-PR for low sev

Coverage & requests

Customers see current language, framework, and IaC pack coverage per project, request new packs directly in the portal, and track delivery status. Admins triage the queue with a demand leaderboard.

  • Per-project coverage
  • Self-serve requests
  • Status tracking
  • Demand leaderboard
Per-project coverage
Self-serve requests
Status tracking
Demand leaderboard

Vulnerability tracking

Every finding carries evidence, request/response snippets, screenshots, CWE / OWASP mapping, and remediation state. Assign owners, set due dates, and verify fixes.

  • Evidence + snippets
  • CWE mapping
  • Remediation tracker
  • Accept-risk workflow
Evidence + snippets
CWE mapping
Remediation tracker
Accept-risk workflow

Reporting

Executive and technical reports rendered inline and exported to PDF or CSV. Branded per organization. Hermes drafts the executive language.

  • Executive + technical
  • PDF + CSV
  • Branded
  • Hermes drafts
Executive + technical
PDF + CSV
Branded
Hermes drafts

Hermes AI

A separate analysis layer that only summarizes real scanner output. Deduplicates, correlates, prioritizes, and drafts fix guidance — clearly labeled AI-generated. Hermes checks for new compliance standards every 7 days.

  • Evidence-grounded
  • Deduplication
  • Prioritization
  • Fix drafting
  • Compliance checks (7d)
Evidence-grounded
Deduplication
Prioritization
Fix drafting
Compliance checks (7d)

Enterprise controls

RBAC (owner, admin, analyst, viewer), MFA, multi-tenant isolation, encrypted secrets, audit logging on scans / comments / syncs / remediation, and rate-limited scan and sync endpoints.

  • RBAC + MFA
  • Multi-tenant
  • Encrypted secrets
  • Full audit log
RBAC + MFA
Multi-tenant
Encrypted secrets
Full audit log