GitHub Action
The quickest path is the official Pipefort Action, which runs the scanner in a container — no install step:| Input | Default | Description |
|---|---|---|
path | . | Path to scan for workflow files. |
ruleset | all | all, owasp, slsa, or a specific level (e.g. slsa-build-l3). |
fail-on | MEDIUM | Fail the job at or above this severity: HIGH/MEDIUM/LOW/INFO/NONE. |
output | sarif | sarif, json, or console. |
sarif-file | pipefort.sarif | Where the SARIF report is written (when output: sarif). |
github-token | the workflow token | Token for the online supply-chain pin audits (known-vulnerable, impostor-commit, ref/version-mismatch, typosquat). They run automatically with the default token; set github-token: '' for a fully offline scan. |
output at its
sarif default and add an upload step — see
SARIF for GitHub code scanning below.
Manual install (without the Action)
If you’d rather not use a container action, install the released binary directly:-s HIGH— only fail the build on HIGH findings. Start strict-but-quiet, then tighten toMEDIUMonce the baseline is clean.-r owasp— keep the gate focused on the five OWASP categories; treat the three best-practice checks as advisory until you’re ready to enforce them.permissions: contents: read— this scanner job itself follows CICD-SEC-5. It only reads code.timeout-minutes: 5— follows BEST-PRAC-2.
SARIF for GitHub code scanning
Emit SARIF 2.1.0 with-o sarif and upload it with github/codeql-action/upload-sarif.
Findings then show up in the repo’s Security → Code scanning tab and as inline
annotations on pull requests — the same surface zizmor, poutine, and OpenSSF
Scorecard integrate with.
Each result carries a stable partialFingerprints entry (pipefort/v1) built
from the rule, file, and finding content — not line numbers — so code scanning
tracks a finding across commits instead of closing and reopening it whenever
unrelated edits shift it down the file. It’s the same identity the
web app’s triage uses.
Use
-s NONE on the scan step so a finding doesn’t fail the job before the SARIF
is uploaded — let the Code scanning alerts (or a separate gating step) enforce
policy. Severities map to SARIF levels as HIGH→error, MEDIUM→warning, and
LOW/INFO→note, and each result carries a security-severity score so GitHub
sorts them correctly. Toxic combinations (“Attacker Mind”) have no SARIF analog and
are omitted from this format — use -o json for the complete envelope.JSON output for downstream tooling
Pipe tojq for custom policy:
-s NONE keeps the step from failing so the artifact is always uploaded; gate separately on the JSON content with jq if you want richer policy.
Pre-commit hook
Pipefort ships a pre-commit hook. Add it to your.pre-commit-config.yaml: