Documentation Index
Fetch the complete documentation index at: https://docs.pipefort.com/llms.txt
Use this file to discover all available pages before exploring further.
The `--fix` flag rewrites workflow YAML in place for the categories where a safe, deterministic fix exists. After applying fixes, the scanner re-runs so the final report shows only what is left.
What gets fixed
| Category | Fix |
|---|---|
| CICD-SEC-5 — Missing permissions | Prepends `permissions: read-all` at the top of the workflow. |
| CICD-SEC-1 — Dangerous `pull_request_target` | Rewrites the trigger to `pull_request`. Handles scalar, sequence, and mapping forms of `on:`. |
| CICD-SEC-3 — Unpinned action | Resolves the tag/branch to a commit SHA via the GitHub API and pins to `owner/repo@<sha> # <original-ref>`. |
| CICD-SEC-4 — Shell injection | Lifts each `${{ github.event.* }}` reference out of the inline `run:` script into the step's `env:` block, then replaces the interpolation with `$VAR_NAME`. |
| CICD-SEC-6 — Hardcoded secret in env | Replaces the literal value with `${{ secrets.<KEY_UPPER> }}`. Skipped for `run:` scripts, which need human review. |
| BEST-PRAC-2 — Missing timeout | Adds `timeout-minutes: 30` to the job. |

Two of these change behaviour, not just syntax, so review them rather than accepting the diff blindly. Switching `pull_request_target` to `pull_request` means a job triggered by a fork PR no longer gets repository secrets or a write-capable token, which is the point of the fix but will break a job that relied on them. `permissions: read-all` is a safe default, but a job that pushes, comments, or publishes will now fail until you grant the specific scope it needs; tighten to the minimum (for example `contents: read` plus whatever else the job uses) rather than reverting to write access.
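The CICD-SEC-4 rewrite is the one most worth understanding, because the vulnerable pattern is subtle: `${{ }}` expressions are expanded by the runner before bash ever sees the script, so a PR title containing a quote and a semicolon becomes shell code. The following is an added example (not the tool's own code) of the same lift-into-env transformation, written in Python so it can be run on a script string offline. The `EVENT_` naming convention and the `render_step` layout are assumptions for illustration; the page does not say how the tool names variables.

```python
import re

# Any expression that reads from the event payload. The dotted/bracketed
# path is captured so it can be moved verbatim into the env: block.
EVENT_EXPR = re.compile(r"\$\{\{\s*(github\.event\.[A-Za-z0-9_.\[\]-]+)\s*\}\}")


def env_name(path: str) -> str:
    """Turn 'github.event.pull_request.title' into 'EVENT_PULL_REQUEST_TITLE'.

    The EVENT_ prefix and upper-snake conversion are a naming convention
    assumed for this example, not something the page specifies.
    """
    body = path[len("github.event."):]
    return "EVENT_" + re.sub(r"[^A-Za-z0-9]+", "_", body).strip("_").upper()


def lift_event_refs(run_script: str) -> tuple[str, dict[str, str]]:
    """Rewrite a run: script so no github.event.* value is interpolated.

    Returns the rewritten script and the env: entries to add to the step.
    Once the value arrives via an environment variable, bash treats it as
    data: it is never re-parsed as code, whatever characters it contains.
    The same path referenced twice maps to a single variable.
    """
    env: dict[str, str] = {}

    def replace(m: re.Match) -> str:
        path = m.group(1)
        var = env_name(path)
        env[var] = "${{ " + path + " }}"
        return "$" + var

    return EVENT_EXPR.sub(replace, run_script), env


def render_step(name: str, run_script: str, indent: int = 6) -> str:
    """Emit the hardened step as YAML text (plain templating, no YAML library)."""
    script, env = lift_event_refs(run_script)
    pad = " " * indent
    lines = [f"{pad}- name: {name}"]
    if env:
        lines.append(f"{pad}  env:")
        for var, expr in env.items():
            lines.append(f"{pad}    {var}: {expr}")
    lines.append(f"{pad}  run: |")
    for line in script.rstrip("\n").split("\n"):
        lines.append(f"{pad}    {line}")
    return "\n".join(lines) + "\n"


# Constructed sample: a step that echoes attacker-controllable PR fields
# straight into the shell. A title such as  "; id; echo "  would run `id`
# because the expression is substituted before bash parses the script.
VULNERABLE_RUN = (
    'echo "Title: ${{ github.event.pull_request.title }}"\n'
    'echo "Author: ${{ github.event.pull_request.user.login }}"\n'
    'echo "Again: ${{ github.event.pull_request.title }}"\n'
)

if __name__ == "__main__":
    print(render_step("Report PR", VULNERABLE_RUN))
```

The replacement is a bare `$VAR`, matching what the page describes. That is only fully safe when the reference sits inside double quotes in the original script, as in the sample; an unquoted `$VAR` is still subject to word splitting and globbing, so check each rewritten line in the diff and add quotes where the expression was previously unquoted.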
What it won’t fix
- Hardcoded secrets inside `run:` scripts (CICD-SEC-6). The scanner flags them, but an automatic rewrite is too risky; you need to decide where the secret comes from.
- `curl | sh` patterns (BEST-PRAC-1). There is no safe automatic rewrite; these are flagged for manual review.
- Self-hosted runners (BEST-PRAC-3). Often an intentional infrastructure choice.
What you need before running
- Network access to `api.github.com` for CICD-SEC-3. The fixer calls the GitHub API to resolve each tag to a commit SHA. If resolution fails, the action is left as-is and a warning is printed to stderr, so check stderr after a run: an action that stayed unpinned will still appear in the final report.
- Write access to the workflow files. Fixes are applied in place, so commit clean first to keep the diff reviewable.
Recommended workflow
1. Commit clean

   `--fix` mutates files. Start from a clean working tree so `git diff` shows only the fixer's changes.

2. Review the diff