The CLI is a single static binary and exits non-zero on findings above a threshold, so it drops straight into any CI step.

GitHub Actions

A minimal job that scans the repo’s own workflows on every PR:
```yaml
name: ci-cd-security-scan

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  scan:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - uses: actions/checkout@v4

      - name: Install scanner
        env:
          PIPEFORT_TOKEN: ${{ secrets.PIPEFORT_TOKEN }}
        run: |
          curl -sSL -H "Authorization: Bearer $PIPEFORT_TOKEN" \
            https://<your-pipefort-host>/downloads/ci-cd-security-scanner-linux-amd64 \
            -o /usr/local/bin/ci-cd-security-scanner
          chmod +x /usr/local/bin/ci-cd-security-scanner

      - name: Scan workflows
        run: ci-cd-security-scanner -p . -s HIGH -r owasp
```
A few things worth calling out in this snippet:
  • -s HIGH — only fail the build on HIGH findings. Start strict-but-quiet, then tighten to MEDIUM once the baseline is clean.
  • -r owasp — keep the gate focused on the five OWASP categories; treat the three best-practice checks as advisory until you’re ready to enforce them.
  • permissions: contents: read — this scanner job itself follows CICD-SEC-5. It only reads code.
  • timeout-minutes: 5 — follows BEST-PRAC-2.
  • PIPEFORT_TOKEN — store your Pipefort binary-download token as a repository secret.
For reproducible builds, pin a specific binary version in the download URL rather than latest.

JSON output for downstream tooling

Pipe to jq or a SARIF converter:
```yaml
      - name: Scan workflows (JSON)
        run: ci-cd-security-scanner -p . -o json -s NONE > findings.json

      - uses: actions/upload-artifact@v4
        with:
          name: pipefort-findings
          path: findings.json
```
-s NONE keeps the step from failing so the artifact is always uploaded; gate separately on the JSON content with jq if you want richer policy.
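One way to do that separate gating step, as an added example that is not Pipefort's own code: it applies the same policy the GitHub Actions snippet expresses with `-s HIGH -r owasp`, blocking on OWASP `CICD-SEC-*` findings at or above a threshold while reporting `BEST-PRAC-*` findings as advisory. The findings schema (a JSON array of objects with `rule`, `severity` and `file` keys) is an assumption; check it against your scanner's actual output.

```python
#!/usr/bin/env python3
"""Gate a CI job on findings.json produced with `-o json -s NONE`.

ASSUMED schema (not documented on this page): a JSON array of objects with
"rule" (e.g. "CICD-SEC-5", "BEST-PRAC-2"), "severity" (LOW/MEDIUM/HIGH)
and "file" keys.
"""
import json
import sys

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}


def evaluate(findings, threshold="HIGH"):
    """Split findings into (blocking, advisory).

    A finding blocks when it is an OWASP CICD-SEC rule at or above the
    threshold; BEST-PRAC findings stay advisory whatever their severity,
    mirroring `-s <threshold> -r owasp` on the CLI.
    """
    floor = SEVERITY_RANK[threshold.upper()]
    blocking, advisory = [], []
    for f in findings:
        rank = SEVERITY_RANK.get(str(f.get("severity", "")).upper(), 0)
        if str(f.get("rule", "")).startswith("CICD-SEC-") and rank >= floor:
            blocking.append(f)
        else:
            advisory.append(f)
    return blocking, advisory


def gate(findings, threshold="HIGH"):
    """Print one line per finding; return the exit code (0 pass, 1 fail)."""
    blocking, advisory = evaluate(findings, threshold)
    for tag, group in (("advisory", advisory), ("BLOCKING", blocking)):
        for f in group:
            print(f"{tag:<9} {f['rule']:<12} {f['severity']:<6} {f['file']}")
    return 1 if blocking else 0


# Constructed sample findings so the script runs stand-alone.
SAMPLE_FINDINGS = [
    {"rule": "CICD-SEC-5", "severity": "HIGH", "file": ".github/workflows/deploy.yml"},
    {"rule": "CICD-SEC-5", "severity": "LOW", "file": ".github/workflows/ci.yml"},
    {"rule": "BEST-PRAC-2", "severity": "HIGH", "file": ".github/workflows/deploy.yml"},
]

if __name__ == "__main__":
    # Usage in CI: python gate.py findings.json HIGH
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_FINDINGS
    sys.exit(gate(data, sys.argv[2] if len(sys.argv) > 2 else "HIGH"))
```

Tightening the baseline later is then a one-word change to the threshold argument rather than a new CLI flag.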

Pre-commit hook

```bash
#!/usr/bin/env bash
# .git/hooks/pre-commit
# The shebang must be the first line of the hook or git will not execute it.
set -e
ci-cd-security-scanner -p . -s HIGH -r owasp
```
Or wire it through pre-commit with a local hook. The scanner is fast enough (sub-second on most repos) to run on every commit.