-g / --git flag is URL-aware: GitLab URLs are detected automatically
and routed to the GitLab scanner. No new subcommand or mode is needed —
existing scripts that pass https://gitlab.com/<group>/<project> just work.
Scan a GitLab project
--depth 1 into a temp directory, scan the entire CI tree
(.gitlab-ci.yml and .gitlab-ci/**/*.yml), and emit findings tagged with
the GitLab rule IDs (cicd-sec-1-gl-mr-target, cicd-sec-7-gl-debug-trace,
etc.). The portable structural rules (best-prac-1-pipe-to-shell,
cicd-sec-9-download-without-checksum) also fire — they share their ID
across both platforms.
Token resolution
--gitlab-token mirrors --github-token:
- The explicit
--gitlab-tokenflag value. - The
$GITLAB_TOKENenv var. - The output of
glab auth tokenifglabis onPATHand authenticated.
api scope to open Merge Requests; read_api is enough
for a read-only scan.
—fix is local and platform-agnostic
--fix rewrites the YAML in place using the same conservative fixers the web
app applies — for GitLab that’s currently three rules: debug-trace,
allow-failure, missing-timeout. Run it against a local clone:
--fix doesn’t need GitLab credentials because nothing leaves the local
filesystem. This is the recommended workflow for editor / pre-commit
integrations.
—fix-mr opens Merge Requests
For workflow rules with a registered fixer,--fix-mr opens (or reuses) one
Merge Request per finding via the GitLab API:
--dry-run to print what would be opened without writing:
pipefort/fix/<rule-id>/<file-slug>) so
re-running the command after a partial merge converges on the same MR rather
than spawning duplicates.
Why a separate flag?
--fix-mr requires the api scope on your token, which is broader than the
read-only scope --fix (local) and the audit-only scope --github-token
need. We keep it behind its own flag so adding remote-write capability is
always explicit. The same convention applies to --fix-settings (GitHub
repo-settings remediation) and --fix-settings-gl (GitLab project-settings
remediation — enables ‘pipelines must succeed’ and disables public pipelines).
GitLab project-settings audit
When--git points at a GitLab host and a --gitlab-token is present,
Pipefort also audits the project configuration (see the GitLab project-settings
rules): unprotected default
branch, force-push allowed, merges without a passing pipeline, public pipelines,
and missing approvals. --fix-settings-gl remediates the two safely-automatable
ones (merge-without-pipeline, public-pipelines); pair it with --dry-run to
preview.
What’s GitHub-only in v1
| Capability | GitHub | GitLab |
|---|---|---|
| Workflow YAML scan | ✓ | ✓ |
Workflow YAML auto-fix (--fix) | ✓ | ✓ (3 rules) |
| Open PR / MR from CLI | ✗ (--fix-pr not implemented) | ✓ (--fix-mr) |
| Repository / project settings audit | ✓ | ✓ (5 rules) |
| Settings auto-fix | ✓ (--fix-settings) | ✓ (--fix-settings-gl, 2 rules) |
| Online action-pin audits / SLSA | ✓ | ✗ |