> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pipefort.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Flags

> Every CLI flag, its default, and what it does.

## All flags

| Flag               | Short | Default   | Description                                                                                                                                                                                                                                                                                                         |
| ------------------ | ----- | --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `--path`           | `-p`  | `.`       | Path to the local repository or directory to scan.                                                                                                                                                                                                                                                                  |
| `--file`           | `-f`  | *unset*   | Scan a single specific workflow file. Overrides `--path`.                                                                                                                                                                                                                                                           |
| `--git`            | `-g`  | *unset*   | GitHub repository to scan. Accepts `owner/repo` or a full URL. Triggers a `git clone --depth 1` into a temp directory.                                                                                                                                                                                              |
| `--org`            |       | *unset*   | Scan every repository owned by a GitHub org or user, fetching workflows over the API (no cloning). Requires a token. `--fail-on` applies to the aggregate. See [Scan an entire organization](/cli/usage#scan-an-entire-organization).                                                                               |
| `--output`         | `-o`  | `console` | Output format. One of `console`, `json`, or `sarif` (SARIF 2.1.0 for [GitHub code scanning](/cli/ci-integration#sarif-for-github-code-scanning)).                                                                                                                                                                   |
| `--fail-on`        | `-s`  | `MEDIUM`  | Severity threshold for exit code 1. One of `HIGH`, `MEDIUM`, `LOW`, `INFO`, or `NONE`. See [exit codes](#exit-codes).                                                                                                                                                                                               |
| `--ruleset`        | `-r`  | `all`     | Which rules to apply. `all` includes best-practice checks; `owasp` keeps only `CICD-SEC-*`.                                                                                                                                                                                                                         |
| `--min-confidence` |       | `LOW`     | Drop findings below this confidence: `HIGH`, `MEDIUM`, or `LOW`. Confidence is how sure the check is the finding is *real* (heuristic checks like typosquat matching or secret-name patterns are `MEDIUM`), orthogonal to severity (how bad it would be). The default keeps everything.                             |
| `--persona`        |       | `regular` | Noise tier. `regular` runs the high-signal security checks; `pedantic` adds hygiene nits (missing timeouts, job-level `continue-on-error`); `auditor` adds everything, including checks that are informational on their own (self-hosted runner usage).                                                             |
| `--keep-temp`      |       | `false`   | When using `-g`, keep the temporary clone directory after the scan. Useful for inspecting what was scanned.                                                                                                                                                                                                         |
| `--fix`            |       | `false`   | Attempt to automatically fix detected issues in place. See [Auto-fix](/cli/auto-fix). Not supported with `-g`.                                                                                                                                                                                                      |
| `--audit-pins`     |       | `false`   | Force the online supply-chain audits of pinned actions (known-vulnerable, impostor-commit, ref/version-mismatch, typosquat) even when no token is available, accepting GitHub's 60-requests/hour anonymous limit. You rarely need this: the audits [run automatically](#online-audits) whenever a token is present. |
| `--offline`        |       | `false`   | Disable every network-backed audit — online pin audits and repository-settings checks — guaranteeing no API traffic. Only the `git clone` for `-g` targets remains.                                                                                                                                                 |

## Online audits

The online supply-chain audits of pinned actions (known-vulnerable via GHSA, impostor-commit, ref/version-mismatch, typosquat) run automatically when you supply a GitHub token via `--github-token`, `$GITHUB_TOKEN`, or `$GH_TOKEN` — including inside GitHub Actions, where the [Pipefort action](/cli/ci-integration) passes the workflow token for you. Without a token a scan stays fully offline unless you force the audits with `--audit-pins`. `--offline` disables them (and the repository-settings audit) unconditionally.

A token that `gh auth token` would return does **not** auto-enable the audits — a plain local scan never makes API calls just because the GitHub CLI happens to be logged in. It is still used to authenticate audits you enable explicitly. When a `gh` login is detected and the scanned workflows pin third-party actions, Pipefort prints a one-line hint that the online audits are available (run `--audit-pins` or set `$GITHUB_TOKEN` to turn them on); it never makes the calls unprompted.

## Target selection

The CLI picks a target in this order:

1. `--git owner/repo` — shallow-clone, then scan the temp directory.
2. `--file path/to/workflow.yml` — scan a single file.
3. `--path .` — scan the directory's `.github/workflows/`, falling back to walking the whole tree if missing.

## Exit codes

| Code | Meaning                                                                                                      |
| ---- | ------------------------------------------------------------------------------------------------------------ |
| `0`  | No findings at or above `--fail-on` severity.                                                                |
| `1`  | At least one finding meets the threshold, **or** a runtime error (clone failed, parse error, etc.) occurred. |

Severity weighting (lowest to highest): `INFO` \< `LOW` \< `MEDIUM` \< `HIGH`. `--fail-on NONE` always exits `0` on a clean run, regardless of findings — useful when you want a report without gating.
