Does Sparkle replace SAST?
Does Sparkle replace SAST?
No. SAST finds vulnerabilities in code that already exists. Sparkle prevents classes of issues from being written in the first place by giving agents the rules before generation, then verifies the output against those rules.Most teams run both: Sparkle reduces the volume of findings reaching SAST and review, and SAST remains the deep static-analysis backstop.
Does Sparkle store source code?
Does Sparkle store source code?
Sparkle analyzes your repositories to generate guardrails and verify changes, but it is not a code host. Your code stays in your git provider.For details on what is processed, what is retained, and for how long, contact team@sparkle.security for the current data handling documentation.
Can Sparkle work with Cursor, Windsurf, and Claude Code?
Can Sparkle work with Cursor, Windsurf, and Claude Code?
Yes. Cursor, Windsurf, and VS Code use the Sparkle Guardrails extension. Claude Code and Codex are configured through the Sparkle CLI:Any MCP-compatible agent can also use the Sparkle MCP server directly.
Are guardrails generated per repo?
Are guardrails generated per repo?
Yes. Sparkle generates rules from each repo’s actual stack, structure, and patterns, and scopes them by git remote. A rule fetched for
acme/payments-api never applies to code in another repo.Can a developer work across multiple repos when using Sparkle?
Can a developer work across multiple repos when using Sparkle?
Yes. Sparkle applies guardrails at the repo level. When you change files in more than one repository, Sparkle resolves each repo from its git remote and fetches that repo’s guardrails separately. Rules from one repo are never applied to another.
Does Sparkle work in a git worktree?
Does Sparkle work in a git worktree?
Yes. Sparkle identifies a repository by its git remote. When you code in a worktree, Sparkle resolves the same repo and applies the same guardrails as it would from the primary working tree.
Can security teams define organization-wide rules?
Can security teams define organization-wide rules?
Yes. Organization rules — for example, “never log tokens, credentials, or PII” — are defined once in the workspace and returned alongside repo-specific rules on every
get_guardrails call. Developers get one merged rule set per task and don’t manage the layering.Can developers override guardrails?
Can developers override guardrails?
Guardrails are context, not a hard block: an agent follows them during generation, and Sparkle verifies the output afterward. If a developer intentionally deviates — say, a legitimate exception to a pattern — the deviation is visible in verification and the guardrails summary rather than silently ignored.This keeps the decision with the developer while giving security teams a record of where and why rules weren’t followed.
How often should guardrails be refreshed?
How often should guardrails be refreshed?
Guardrails are fetched fresh at the start of every coding task, so day-to-day you do nothing. Regenerate a repo’s guardrails when its architecture changes meaningfully — a new framework, a new service boundary, a new auth flow. Organization policy updates apply centrally on the next task.
How is this different from manually writing rules.md?
How is this different from manually writing rules.md?
A hand-written
rules.md works until it doesn’t:- It goes stale as the codebase changes. Sparkle keeps guardrails fresh from the current code.
- It reflects what one author knew to write down. Sparkle covers security standards (OWASP, PCI-DSS) systematically.
- It’s per-repo and inconsistent across a fleet. Sparkle layers organization rules onto every repo uniformly.
- Nothing checks whether the agent followed it. Sparkle verifies output and records which rules were applied.
rules.md, that knowledge feeds into the same system — with verification and governance on top.
