All flags
| Flag | Short | Default | Description |
|---|---|---|---|
| `--path` | `-p` | `.` | Path to the local repository or directory to scan. |
| `--file` | `-f` | unset | Scan a single specific workflow file. Overrides `--path`. |
| `--git` | `-g` | unset | GitHub repository to scan. Accepts `owner/repo` or a full URL. Triggers a `git clone --depth 1` into a temp directory. |
| `--output` | `-o` | `console` | Output format. One of `console` or `json`. |
| `--fail-on` | `-s` | `MEDIUM` | Severity threshold for exit code 1. One of `HIGH`, `MEDIUM`, `LOW`, `INFO`, or `NONE`. See exit codes. |
| `--ruleset` | `-r` | `all` | Which rules to apply. `all` includes best-practice checks; `owasp` keeps only `CICD-SEC-*`. |
| `--keep-temp` | | `false` | When using `-g`, keep the temporary clone directory after the scan. Useful for inspecting what was scanned. |
| `--fix` | | `false` | Attempt to automatically fix detected issues in place. See Auto-fix. Not supported with `-g`. |
Target selection
The CLI picks a target in this order:

1. `--git owner/repo`: shallow-clone, then scan the temp directory.
2. `--file path/to/workflow.yml`: scan a single file.
3. `--path .`: scan the directory's `.github/workflows/`, falling back to walking the whole tree if missing.
Exit codes
| Code | Meaning |
|---|---|
| 0 | No findings at or above `--fail-on` severity. |
| 1 | At least one finding meets the threshold, or a runtime error (clone failed, parse error, etc.) occurred. |
Severities are ordered INFO < LOW < MEDIUM < HIGH. `--fail-on NONE` always exits 0 on a clean run, regardless of findings, which is useful when you want a report without gating.
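
Because exit code 1 covers both findings and runtime errors, a pipeline gate may want to tell them apart. The wrapper below is an added example, not part of the tool or its documentation; it uses a report-only pass with `--fail-on NONE` to detect a scan that did not complete. Assumptions: `SCANNER` is a placeholder for however the CLI is invoked in your pipeline, and runtime errors still exit 1 under `--fail-on NONE`, as the note above implies.

```shell
#!/bin/sh
# Added example: CI gate that separates "findings" from "scan did not run".
# SCANNER is an assumption: a placeholder command name, not taken from the docs.
SCANNER="${SCANNER:-scanner-cli}"

# gate_scan PATH THRESHOLD
# Returns: 0 = no findings at or above THRESHOLD
#          1 = at least one finding at or above THRESHOLD
#          2 = scan did not complete, or THRESHOLD is not a gating value
gate_scan() {
    gs_path="$1"
    gs_threshold="$2"

    # NONE never gates, so this wrapper refuses it as a threshold
    # (a choice made for this example).
    case "$gs_threshold" in
        HIGH|MEDIUM|LOW|INFO) ;;
        *) echo "gate: invalid threshold '$gs_threshold'" >&2; return 2 ;;
    esac

    # Pass 1: report-only. With --fail-on NONE, findings never cause exit 1,
    # so a non-zero status here can only be a runtime error
    # (clone failed, parse error, ...). Fail closed with a distinct code.
    if ! "$SCANNER" --path "$gs_path" --fail-on NONE >/dev/null; then
        echo "gate: scan did not complete, failing closed" >&2
        return 2
    fi

    # Pass 2: the scan is known to run cleanly, so exit 1 now means findings.
    if "$SCANNER" --path "$gs_path" --fail-on "$gs_threshold"; then
        return 0
    fi
    return 1
}
```

Call it as `gate_scan . MEDIUM` and branch on the return value; the cost is a second scan of the same tree.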