Documentation
How to install, configure, and use Barracade.
Installation
Grab the installer for your platform from the download page after you've purchased a license. Works on Windows 10+, macOS 12+, and most Linux distributions.
macOS users can also install via Homebrew. On Linux, .deb and .rpm packages are available. The installer puts the barracade command on your PATH.
# Download and install Barracade
# Windows (installer)
barracade-setup.exe
# macOS
brew install barracade
# Linux (Debian/Ubuntu)
sudo dpkg -i barracade_1.2_amd64.deb
# Linux (Fedora/Arch)
sudo rpm -i barracade-1.2.x86_64.rpm
License activation
After installing, activate your license key. You'll find it on the purchase confirmation page and in your email. The license is tied to your email, not a machine. Use it wherever you work.
It's a one-time purchase. Every update after that is free.
# Activate your license
barracade activate BRCD-XXXX-XXXX-XXXX-XXXX
# Check license status
barracade license status
# Deactivate (for transferring to another machine)
barracade license deactivate
Website scanner
Runs a full security audit against a target URL. Checks DNS, TLS configuration, response headers, cookie flags, exposed endpoints, and platform-specific issues.
You get a letter grade from A to F. Each finding includes severity, a description, and what to do about it.
Checks include:
- Security headers (CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policy)
- TLS version and cipher strength
- Cookie flags (Secure, HttpOnly, SameSite)
- Exposed server signatures and version strings
- Directory listings and backup files
- CMS-specific vulnerabilities (WordPress, Drupal, Shopify, etc.)
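The header and cookie checks above, as an added example that is not Barracade's own code: it runs them over a captured response (two constructed ones, a weak and a hardened one) and collapses the findings into the A to F grade the scanner reports. The exact header set, the points deducted per severity and the grade thresholds are assumptions.

```python
"""Response-header and cookie checks with an A-F grade.

Added example, not Barracade's own code: runs the header and cookie
checks over a captured response (constructed inline) and collapses the
findings into a letter grade. Header set, penalties and thresholds are
assumptions.
"""
import re
from http.cookies import SimpleCookie

# Headers the scanner expects, with the severity of their absence.
REQUIRED_HEADERS = {
    "content-security-policy": "High",
    "strict-transport-security": "High",
    "x-frame-options": "Medium",
    "x-content-type-options": "Medium",
    "referrer-policy": "Low",
    "permissions-policy": "Low",
}
PENALTY = {"High": 25, "Medium": 10, "Low": 5}   # points deducted per finding
GRADES = ((90, "A"), (80, "B"), (70, "C"), (60, "D"))

# Constructed responses as (header, value) pairs; Set-Cookie may repeat.
WEAK_RESPONSE = [
    ("Server", "nginx/1.18.0"),
    ("X-Powered-By", "PHP/7.4.3"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax"),
]
HARDENED_RESPONSE = [
    ("Server", "nginx"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Permissions-Policy", "camera=(), microphone=(), geolocation=()"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"),
]


def check_headers(headers):
    """Findings as (severity, subject, description): missing headers, leaked versions."""
    present = {name.lower() for name, _ in headers}
    findings = [(sev, name, f"{name} header is missing")
                for name, sev in REQUIRED_HEADERS.items() if name not in present]
    for name, value in headers:
        # A bare product name is fine; a version string is what attackers look up.
        if name.lower() in ("server", "x-powered-by") and re.search(r"\d+\.\d+", value):
            findings.append(("Low", name.lower(), f"{name} exposes a version string: {value}"))
    return findings


def check_cookies(headers):
    """Flag each Set-Cookie that lacks Secure, HttpOnly or SameSite."""
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for key, morsel in jar.items():   # absent attributes read as "" (falsy)
            if not morsel["secure"]:
                findings.append(("Medium", key, f"cookie {key} lacks Secure"))
            if not morsel["httponly"]:
                findings.append(("Medium", key, f"cookie {key} lacks HttpOnly"))
            if not morsel["samesite"]:
                findings.append(("Low", key, f"cookie {key} lacks SameSite"))
    return findings


def grade(findings):
    """Deduct per finding from 100 and map the score to A-F."""
    score = 100 - sum(PENALTY[sev] for sev, _, _ in findings)
    return next((letter for floor, letter in GRADES if score >= floor), "F")


def scan(headers):
    """Return (grade, findings) for one captured response."""
    findings = check_headers(headers) + check_cookies(headers)
    return grade(findings), findings


if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        letter, found = scan(response)
        print(f"{label}: grade {letter}, {len(found)} finding(s)")
        for sev, _, text in found:
            print(f"  [{sev}] {text}")
```

The weak response earns an F because one missing Content-Security-Policy already costs a full grade; the same scoring gives the hardened response an A with no findings.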
# Scan a single URL
barracade scan https://example.com
# Scan with JSON output
barracade scan https://example.com --format json
# Scan multiple domains from a file
barracade scan --list domains.txt
# Scan and export PDF report
barracade scan https://example.com --export report.pdf
RASP engine
The RASP engine hooks into your app and inspects incoming HTTP requests. It checks payloads, query strings, headers, and bodies for known attack patterns.
Monitor mode logs threats without blocking, which is useful when you're first rolling it out. Block mode rejects bad requests with a 403. Learn mode profiles normal traffic and auto-tunes sensitivity. You can tune per vector and per route.
Covered vectors: SQL injection, XSS, SSRF, command injection, path traversal, prototype pollution, NoSQL injection, header injection, and open redirects.
# barracade.rasp.yml
engine:
  mode: block # monitor | block | learn
  logging: verbose
vectors:
  sql-injection:
    enabled: true
    sensitivity: high
  xss:
    enabled: true
    contexts: [html, attribute, javascript, url]
  ssrf:
    enabled: true
    blocked_ranges:
      - 10.0.0.0/8
      - 172.16.0.0/12
      - 169.254.0.0/16
  command-injection:
    enabled: true
  path-traversal:
    enabled: true
  prototype-pollution:
    enabled: true
  nosql-injection:
    enabled: true
  header-injection:
    enabled: true
  open-redirect:
    enabled: true
    allowed_domains:
      - yourdomain.com
exclusions:
  paths: [/health, /metrics]
  methods: [OPTIONS]
Defense engine
Sits on top of RASP and handles the response logic. RASP catches the attack; the defense engine decides what to do about it. Map threat types, severity, and source info to specific actions.
Four actions: block (403), throttle (rate limit), isolate (sandbox), and alert (log and notify). You can layer policies so the response escalates with repeat offenses.
Everything gets logged: timestamp, source IP, matched rule, action, and the raw payload.
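The RASP and defense engine sections above describe two stages: detection over the request, then a policy that maps the threat and the source's history to an action. As an added example (not Barracade's code), the block below models both: signature checks over query string, headers and body with monitor/block modes and path exclusions, and an escalating policy that logs timestamp, source IP, matched rule, action and raw payload for every hit. The signatures, escalation thresholds and log fields are assumptions; learn mode's traffic profiling is out of scope.

```python
"""Request inspection with an escalating response policy.

Added example, not Barracade's own code. Signatures, thresholds and the
log record layout are assumptions; a real engine decodes and normalizes
input before matching and carries far more rules.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import parse_qsl, urlsplit

ALLOWED_DOMAINS = ("yourdomain.com",)   # mirrors open-redirect.allowed_domains

# Vector -> (pattern, severity). Deliberately tiny.
SIGNATURES = {
    "sql-injection": (re.compile(r"'\s*or\s+\d+\s*=\s*\d+|\bunion\b.+\bselect\b", re.I), "High"),
    "path-traversal": (re.compile(r"\.\./|\.\.\\|%2e%2e%2f", re.I), "High"),
    "header-injection": (re.compile(r"[\r\n]"), "Medium"),
    "open-redirect": (re.compile(r"^(?:https?:)?//(?!(?:%s)(?:/|$))"
                                 % "|".join(map(re.escape, ALLOWED_DOMAINS)), re.I), "Medium"),
}
STATUS = {"allow": 200, "alert": 200, "throttle": 429, "block": 403, "isolate": 403}


class Rasp:
    """Inspect one request; return [(vector, severity, location, payload)]."""

    def __init__(self, mode="monitor", excluded_paths=()):
        assert mode in ("monitor", "block")   # learn mode not modelled here
        self.mode = mode
        self.excluded_paths = set(excluded_paths)

    def inspect(self, request):
        url = urlsplit(request["path"])
        if url.path in self.excluded_paths:      # e.g. /health, /metrics
            return []
        candidates = [(f"query:{k}", v) for k, v in parse_qsl(url.query)]
        candidates += [(f"header:{k}", v) for k, v in request.get("headers", {}).items()]
        candidates += [(f"body:{k}", v) for k, v in parse_qsl(request.get("body", ""))]
        return [(vector, severity, where, value)
                for where, value in candidates
                for vector, (pattern, severity) in SIGNATURES.items()
                if pattern.search(value)]


class DefenseEngine:
    """Turn RASP hits into an action, escalating with repeat offenses per source."""

    def __init__(self, rasp):
        self.rasp = rasp
        self.offenses = defaultdict(int)   # source IP -> offending requests so far
        self.log = []

    @staticmethod
    def decide(severity, repeats):
        if repeats >= 3:
            return "isolate"               # third strike: sandbox the source
        if severity == "High" or repeats == 2:
            return "block"                 # 403
        return "throttle"                  # rate-limit a first medium-severity hit

    def handle(self, request):
        """Return (HTTP status, action) and append one log record per hit."""
        hits = self.rasp.inspect(request)
        if not hits:
            return STATUS["allow"], "allow"
        ip = request["remote_addr"]
        self.offenses[ip] += 1
        worst = "High" if any(sev == "High" for _, sev, _, _ in hits) else "Medium"
        # Monitor mode records the threat but never changes the response.
        action = "alert" if self.rasp.mode == "monitor" else self.decide(worst, self.offenses[ip])
        for vector, severity, where, payload in hits:
            self.log.append({
                "timestamp": datetime.now(timezone.utc).isoformat(),
                "source_ip": ip, "rule": vector, "severity": severity,
                "location": where, "action": action, "payload": payload,
            })
        return STATUS[action], action


def request(path, ip="203.0.113.7", body=""):
    """Constructed request record (not a real HTTP parser)."""
    return {"path": path, "remote_addr": ip, "headers": {"User-Agent": "demo"}, "body": body}


def demo(mode="block"):
    """Replay a constructed sequence from one source; return (decisions, log)."""
    engine = DefenseEngine(Rasp(mode=mode, excluded_paths=("/health", "/metrics")))
    sequence = [
        "/search?q=shoes",                 # clean
        "/search?q=' OR 1=1--",            # SQLi, high: block
        "/download?file=../../app.yml",    # traversal, high: block (second strike)
        "/go?next=//evil.example/",        # open redirect: third strike, isolate
        "/health?q=' OR 1=1--",            # excluded path: never inspected
    ]
    return [engine.handle(request(p)) for p in sequence], engine.log


if __name__ == "__main__":
    decisions, log = demo("block")
    for (status, action), record in zip(decisions[1:], log):
        print(status, action, record["rule"], record["payload"])
```

Running the same sequence with `demo("monitor")` returns 200 for every request while the log still fills up, which is the roll-out behaviour the RASP section describes.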
Security headers
Generates the right header config for your platform. Pick the headers, pick the target, and you get config you can drop straight into your project.
Covers Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and Cross-Origin headers.
The CSP builder lets you set allowed sources per directive and flags policies that are too permissive.
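A CSP builder of the kind just described, as an added example rather than Barracade's own code: it assembles the header from per-directive source lists, flags the constructs that make a policy too permissive, and renders the result for the Nginx, Apache and Caddy targets. Which tokens count as risky, and the exact warning text, are assumptions; the other platforms in the list are not covered.

```python
"""Build a Content-Security-Policy and flag over-permissive settings.

Added example, not Barracade's own code. The risky-token list and the
warning rules are assumptions.
"""

# Source tokens that weaken a policy, with the reason shown to the user.
RISKY = {
    "'unsafe-inline'": "allows inline scripts/styles, defeating CSP's XSS protection",
    "'unsafe-eval'": "allows eval()-style code execution",
    "*": "wildcard source allows any origin",
    "data:": "data: URIs can carry script or markup",
    "http:": "allows any plaintext origin",
}

# Constructed inputs: an over-permissive policy and a strict one.
PERMISSIVE = {
    "default-src": ["*"],
    "script-src": ["'self'", "'unsafe-inline'", "'unsafe-eval'", "https://cdn.example"],
}
STRICT = {
    "default-src": ["'none'"],
    "script-src": ["'self'", "'nonce-{NONCE}'"],   # {NONCE} is filled per response
    "style-src": ["'self'"],
    "img-src": ["'self'"],
    "connect-src": ["'self'"],
    "frame-ancestors": ["'none'"],
    "base-uri": ["'self'"],
    "form-action": ["'self'"],
}


def build_csp(directives):
    """Return (policy string, warnings) for {directive: [sources]}."""
    warnings = []
    if "default-src" not in directives:
        warnings.append("default-src missing: directives you did not list are unrestricted")
    if "object-src" not in directives and directives.get("default-src") != ["'none'"]:
        warnings.append("object-src missing: plugin content falls back to default-src")
    if "frame-ancestors" not in directives:
        warnings.append("frame-ancestors missing: add it (or X-Frame-Options) to stop framing")
    for name, sources in directives.items():
        for src in sources:
            if src in RISKY:
                warnings.append(f"{name} {src}: {RISKY[src]}")
    policy = "; ".join(f"{name} {' '.join(sources)}" for name, sources in directives.items())
    return policy, warnings


def render(policy, platform):
    """Emit the header directive in the target server's config syntax."""
    if platform == "nginx":
        return f'add_header Content-Security-Policy "{policy}" always;'
    if platform == "apache":
        return f'Header always set Content-Security-Policy "{policy}"'
    if platform == "caddy":
        return f'header Content-Security-Policy "{policy}"'
    raise ValueError(f"unsupported platform: {platform}")


if __name__ == "__main__":
    for label, spec in (("permissive", PERMISSIVE), ("strict", STRICT)):
        policy, warnings = build_csp(spec)
        print(f"{label}: {render(policy, 'nginx')}")
        for w in warnings:
            print(f"  warning: {w}")
```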
# Generate security headers for Next.js
barracade headers --platform nextjs
# Generate for Nginx with strict CSP
barracade headers --platform nginx --csp strict
# Generate for Vercel with all headers
barracade headers --platform vercel --all
# Supported platforms:
# nextjs, vercel, netlify, express,
# nginx, apache, caddy, cloudflare
Static analysis
Scans your source code for security problems across JavaScript, TypeScript, Python, Go, Rust, Java, C#, and PHP. Each language has its own rules for the things that commonly go wrong.
Findings come with file paths, line numbers, severity (High, Medium, Low), and what to do about them. Exports as SARIF for GitHub Advanced Security or other compatible tools.
Typical catches: hardcoded credentials, SQL concatenation, weak crypto, missing input validation, unrestricted uploads, insecure deserialization.
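To show what a rule-based scan of this kind produces, here is an added example (not Barracade's analyzer): regex rules for three of the catches listed above, run over constructed sample files, with a language filter like `--languages` and the findings emitted as a SARIF 2.1.0 document. Rule ids, patterns and messages are assumptions; the SARIF layout follows the published 2.1.0 schema.

```python
"""Rule-based source scan with SARIF 2.1.0 output.

Added example, not Barracade's own code. Rules and messages are
assumptions; sample files are constructed.
"""
import json
import re

# (rule id, severity, pattern, remediation text)
RULES = [
    ("hardcoded-credential", "High",
     re.compile(r"(?i)\b(password|passwd|secret|api_key|token)\s*=\s*['\"][^'\"]{6,}['\"]"),
     "Hardcoded credential: load it from the environment or a secret store"),
    ("sql-concat", "High",
     re.compile(r"(?i)\b(select|insert|update|delete)\b.*['\"]\s*\+\s*\w"),
     "SQL assembled by string concatenation: use parameterized queries"),
    ("weak-hash", "Medium",
     re.compile(r"\b(md5|sha1)\s*\("),
     "Weak hash function: use SHA-256, or a password hash such as Argon2"),
]
SARIF_LEVEL = {"High": "error", "Medium": "warning", "Low": "note"}
LANG_BY_EXT = {".py": "py", ".js": "js", ".ts": "ts", ".go": "go"}

# Constructed sample tree: {path: source text}.
SAMPLE_FILES = {
    "src/auth.py": (
        "import hashlib\n\n"
        "API_KEY = 'sk_test_constructed_value_123'\n\n"
        "def check(pw):\n"
        "    return hashlib.md5(pw.encode()).hexdigest()\n"
    ),
    "src/users.js": (
        "const q = \"SELECT * FROM users WHERE name = '\" + name + \"'\";\n"
        "db.query(q);\n"
    ),
    "src/ok.go": "package main\n\nfunc main() {}\n",
}


def scan(files, languages=None):
    """Return findings with path, line and severity; `languages` filters by extension."""
    findings = []
    for path, text in files.items():
        lang = LANG_BY_EXT.get(path[path.rfind("."):])
        if languages and lang not in languages:
            continue
        for lineno, line in enumerate(text.splitlines(), start=1):
            for rule_id, severity, pattern, message in RULES:
                if pattern.search(line):
                    findings.append({"rule": rule_id, "severity": severity,
                                     "path": path, "line": lineno, "message": message})
    return findings


def to_sarif(findings, tool="example-sast"):
    """Wrap findings in the SARIF 2.1.0 structure code-scanning tools ingest."""
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {
                "name": tool,
                "rules": [{"id": r[0], "shortDescription": {"text": r[3]}} for r in RULES],
            }},
            "results": [{
                "ruleId": f["rule"],
                "level": SARIF_LEVEL[f["severity"]],
                "message": {"text": f["message"]},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": f["path"]},
                    "region": {"startLine": f["line"]},
                }}],
            } for f in findings],
        }],
    }


if __name__ == "__main__":
    results = scan(SAMPLE_FILES)
    for f in results:
        print(f"{f['path']}:{f['line']} [{f['severity']}] {f['rule']}")
    print(json.dumps(to_sarif(results), indent=2))
```

Line-oriented regex rules miss multi-line constructs and produce false positives on comments or test fixtures; production analyzers work on a parsed syntax tree, but the finding and SARIF shapes stay the same.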
# Scan current directory
barracade sast scan ./src
# Scan specific languages
barracade sast scan ./src --languages js,ts,py
# Export as SARIF for GitHub Advanced Security
barracade sast scan ./src --format sarif --output results.sarif
# Scan with custom rules
barracade sast scan ./src --rules ./custom-rules.yml
Compliance reporting
Maps your scan results, RASP config, SAST output, and dependency status to SOC 2, ISO 27001, GDPR, HIPAA, PCI-DSS, NIST 800-53, CIS, CCPA, and FedRAMP controls. Each control shows as met, partially met, or unmet.
Numbers update as you fix things and re-scan. Export as PDF for auditors or JSON to process however you want.
# Generate SOC 2 compliance report
barracade compliance report --framework soc2
# Generate PCI-DSS report
barracade compliance report --framework pci-dss
# Export audit-ready PDF
barracade compliance report --framework hipaa --export audit.pdf
# Check coverage against all frameworks
barracade compliance status
Dependencies and SBOM
Reads your lock files and builds a full dependency tree, including transitive deps. Each package gets checked against the NVD and GitHub Security Advisories.
Also does typosquat detection and license auditing against your allowed list.
Supports package-lock.json, yarn.lock, pnpm-lock.yaml, Pipfile.lock, go.sum, Cargo.lock. Exports as CycloneDX or SPDX.
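The typosquat and license checks above, as an added example that is not Barracade's own code: it reads a constructed package-lock.json (lockfileVersion 3 layout), records which package pulls in which, flags names within one edit of a short list of well-known packages, and checks declared licenses against an allow-list like the one given to `--allowed`. The popular-name list, the lookalike name and the GPL package are constructed; NVD and advisory lookups need network access and are left out.

```python
"""Typosquat and license checks over an npm lock file.

Added example, not Barracade's own code. The popular-name list, the
sample lock file and the distance threshold are assumptions.
"""
import json

POPULAR = {"lodash", "express", "react", "axios", "chalk", "commander"}

# Constructed lockfileVersion 3 file: one real-looking dep, one constructed
# lookalike name pulled in transitively, one copyleft-licensed dep.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/express": {"version": "4.19.2", "license": "MIT",
                                 "dependencies": {"lodahs": "^4.17.0"}},
        "node_modules/lodahs": {"version": "4.17.21", "license": "MIT"},
        "node_modules/some-gpl-lib": {"version": "2.0.0", "license": "GPL-3.0-only"},
    },
})


def edit_distance(a, b):
    """Levenshtein distance, counting an adjacent transposition as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def load_packages(lock_text):
    """Return {name: {version, license, deps}} from a v3 lock file, root entry excluded."""
    pkgs = {}
    for path, meta in json.loads(lock_text)["packages"].items():
        if not path:
            continue
        name = path.rsplit("node_modules/", 1)[1]   # handles nested and @scoped paths
        pkgs[name] = {"version": meta["version"],
                      "license": meta.get("license", "UNKNOWN"),
                      "deps": list(meta.get("dependencies", {}))}
    return pkgs


def typosquat_candidates(pkgs, popular=POPULAR, max_distance=1):
    """Names that are not popular packages but sit within max_distance of one."""
    return [(name, target) for name in pkgs if name not in popular
            for target in sorted(popular) if edit_distance(name, target) <= max_distance]


def license_violations(pkgs, allowed):
    """Packages whose declared license is not on the allow-list (plain SPDX ids only)."""
    allowed = set(allowed)
    return [(name, meta["license"]) for name, meta in pkgs.items()
            if meta["license"] not in allowed]


def pulled_in_by(pkgs, target):
    """Direct parents of `target` in the tree, to show who introduced it."""
    return sorted(name for name, meta in pkgs.items() if target in meta["deps"])


if __name__ == "__main__":
    packages = load_packages(SAMPLE_LOCK)
    for name, looks_like in typosquat_candidates(packages):
        print(f"possible typosquat: {name} (looks like {looks_like}), "
              f"pulled in by {pulled_in_by(packages, name)}")
    for name, lic in license_violations(packages, ["MIT", "Apache-2.0", "BSD-3-Clause"]):
        print(f"license not allowed: {name} ({lic})")
```

SPDX expressions such as `(MIT OR Apache-2.0)` need an expression parser before the allow-list comparison; the plain-id check above would report them as violations.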
# Scan dependencies for vulnerabilities
barracade deps scan
# Generate SBOM in CycloneDX format
barracade deps sbom --format cyclonedx
# Generate SBOM in SPDX format
barracade deps sbom --format spdx
# Check for typosquat packages
barracade deps audit --typosquat
# License compliance check
barracade deps licenses --allowed MIT,Apache-2.0,BSD-3-Clause
Site health monitoring
Add your domains and Barracade re-scans them periodically, keeping track of the security grade. Set a threshold per domain and get alerted if something regresses after a deploy.
Grade history for each domain is tracked over time. Check trends over days, weeks, or months.
Secrets vault
Encrypted storage for API keys, credentials, and tokens (AES-256-GCM). Secrets are grouped by project with creation date and rotation tracking. Flags anything that hasn't been rotated within your configured window.
Hooks into SAST: when a hardcoded secret is found in your code, Barracade can move it to the vault and swap in an env var reference.
Export entries as .env files or import from existing ones.
Configuration reference
Barracade looks for a barracade.yml file in your project root. You can also pass everything as CLI flags.
RASP operation mode. Values: monitor, block, learn. Default: monitor.
Log verbosity. Values: quiet, normal, verbose. Default: normal.
Detection sensitivity per vector. Values: low, medium, high. Default: high.
Array of URL paths excluded from RASP inspection.
Maximum seconds per URL scan. Default: 30.
Comma-separated list of languages to analyze. Default: auto-detect.
Array of frameworks to map against. Values: soc2, iso-27001, gdpr, hipaa, pci-dss, nist-800-53, cis, ccpa, fedramp.