Scan a local repo

ci-cd-security-scanner -p /path/to/your/repo
The scanner looks for .github/workflows/*.yml and *.yaml inside the given path. If that directory doesn’t exist, it falls back to walking the whole tree for any YAML file that looks like a workflow. If you omit -p, the current working directory (.) is used.
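The discovery rule above (prefer .github/workflows, otherwise walk the tree) written out as a small Python function. This is an added illustration, not the scanner's own code; the "looks like a workflow" heuristic it uses (a YAML file with both a top-level `on:` and a top-level `jobs:` key) is an assumption, since the page does not state the scanner's exact test. The `demo()` function builds two constructed sample repositories in a temporary directory so the code runs offline.

```python
"""Workflow discovery with the fallback described above (illustrative, not the scanner's code)."""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumed heuristic: a YAML file "looks like a workflow" when it declares both a
# top-level `on:` trigger and a top-level `jobs:` map at column 0.
_TOP_LEVEL_KEY = re.compile(r"^(on|jobs)[ \t]*:", re.MULTILINE)
_YAML_SUFFIXES = (".yml", ".yaml")


def looks_like_workflow(path: Path) -> bool:
    """Return True when the file has both `on:` and `jobs:` at the top level."""
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return False
    return set(_TOP_LEVEL_KEY.findall(text)) == {"on", "jobs"}


def discover_workflows(root: str = ".") -> List[Path]:
    """Mimic the -p behaviour: .github/workflows first, full-tree fallback otherwise."""
    root_path = Path(root)
    workflows_dir = root_path / ".github" / "workflows"
    if workflows_dir.is_dir():
        # Standard layout: every *.yml / *.yaml in the workflows directory is in scope.
        return sorted(p for p in workflows_dir.iterdir()
                      if p.is_file() and p.suffix in _YAML_SUFFIXES)
    # Fallback: walk the whole tree and keep only YAML files that look like workflows.
    found = []
    for dirpath, dirnames, filenames in os.walk(root_path):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # never descend into .git
        for name in filenames:
            candidate = Path(dirpath) / name
            if candidate.suffix in _YAML_SUFFIXES and looks_like_workflow(candidate):
                found.append(candidate)
    return sorted(found)


def demo() -> Dict[str, List[str]]:
    """Build two constructed sample repos and return what discovery finds in each."""
    workflow = "on:\n  push:\njobs:\n  build:\n    runs-on: ubuntu-latest\n"
    compose = "services:\n  web:\n    image: nginx\n"          # YAML, but not a workflow
    no_trigger = "jobs:\n  lint:\n    runs-on: ubuntu-latest\n"  # missing `on:`
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        # Case 1: standard layout, so the compose file outside .github is ignored.
        std = Path(tmp) / "standard"
        (std / ".github" / "workflows").mkdir(parents=True)
        (std / ".github" / "workflows" / "ci.yml").write_text(workflow)
        (std / ".github" / "workflows" / "README.md").write_text("not yaml\n")
        (std / "docker-compose.yml").write_text(compose)
        results["standard"] = [str(p.relative_to(std)) for p in discover_workflows(str(std))]
        # Case 2: no .github/workflows, so the tree walk with the heuristic kicks in.
        flat = Path(tmp) / "flat"
        (flat / "pipelines").mkdir(parents=True)
        (flat / "pipelines" / "release.yaml").write_text(workflow)
        (flat / "docker-compose.yml").write_text(compose)
        (flat / "lint.yml").write_text(no_trigger)
        results["flat"] = [str(p.relative_to(flat)) for p in discover_workflows(str(flat))]
    return results


if __name__ == "__main__":
    print(demo())
```

In the standard layout only the contents of .github/workflows are considered, so unrelated YAML elsewhere in the repo is never touched; in the fallback the heuristic is what keeps docker-compose files and other YAML out of the findings.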

Scan a single workflow file

ci-cd-security-scanner -f .github/workflows/deploy.yml
-f overrides -p. Useful for editor integrations or focused triage.

Scan a remote GitHub repo

ci-cd-security-scanner -g owner/repo
ci-cd-security-scanner -g https://github.com/owner/repo.git
The CLI runs git clone --depth 1 into a temp directory, scans it, and cleans up. Add --keep-temp to leave the clone on disk for inspection.

JSON output

ci-cd-security-scanner -p . -o json
Emits a JSON array of Finding objects on stdout. Each finding has:
{
  "file": ".github/workflows/release.yml",
  "line": 12,
  "column": 5,
  "severity": "HIGH",
  "category": "CICD-SEC-4",
  "title": "Poisoned Pipeline Execution (Shell Injection)",
  "description": "...",
  "recommendation": "..."
}
Pipe to jq for filtering, or feed it into another tool. The console output (the default) is human-readable but the JSON form is the stable contract for automation.

Filter to OWASP-only

ci-cd-security-scanner -p . -r owasp
--ruleset owasp (-r owasp) keeps only findings whose category starts with CICD-SEC-. The default ruleset, all, also includes the three best-practice checks. See Rules reference.
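A CI gate that consumes the JSON contract described under JSON output and applies the same category-prefix filter that -r owasp applies, as an added example rather than the project's own code. It would be run as `ci-cd-security-scanner -p . -o json | python gate.py --ruleset owasp --fail-on HIGH`. The sample findings are constructed from the documented field shape; the `BP-1` category id, the hypothetical titles and the LOW/MEDIUM/HIGH ordering are assumptions (the page only shows HIGH).

```python
"""CI gate over `ci-cd-security-scanner -o json` output (illustrative, not the scanner's code)."""
import argparse
import json
import sys
from typing import Dict, List

# Constructed sample in the documented Finding shape. "BP-1" and the titles marked
# hypothetical are assumptions; the page only documents the CICD-SEC- prefix.
SAMPLE_FINDINGS = [
    {"file": ".github/workflows/release.yml", "line": 12, "column": 5,
     "severity": "HIGH", "category": "CICD-SEC-4",
     "title": "Poisoned Pipeline Execution (Shell Injection)",
     "description": "...", "recommendation": "..."},
    {"file": ".github/workflows/ci.yml", "line": 3, "column": 1,
     "severity": "LOW", "category": "BP-1",
     "title": "Hypothetical best-practice finding",
     "description": "...", "recommendation": "..."},
    {"file": ".github/workflows/ci.yml", "line": 20, "column": 9,
     "severity": "MEDIUM", "category": "CICD-SEC-3",
     "title": "Hypothetical OWASP finding",
     "description": "...", "recommendation": "..."},
]

# Assumed severity ordering; only HIGH appears on the page.
SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}
OWASP_PREFIX = "CICD-SEC-"


def filter_findings(findings: List[dict], *, ruleset: str = "all",
                    min_severity: str = "LOW") -> List[dict]:
    """Keep findings matching the ruleset (owasp = CICD-SEC- prefix) and a severity floor."""
    floor = SEVERITY_RANK[min_severity.upper()]
    kept = []
    for f in findings:
        if ruleset == "owasp" and not f["category"].startswith(OWASP_PREFIX):
            continue
        if SEVERITY_RANK.get(f["severity"].upper(), 0) < floor:
            continue
        kept.append(f)
    return kept


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Count findings per severity, for a one-line CI log summary."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


def exit_code(findings: List[dict], fail_on: str = "HIGH") -> int:
    """1 when any finding is at or above fail_on, else 0: the build-breaking decision."""
    return 1 if filter_findings(findings, min_severity=fail_on) else 0


def main(argv: List[str]) -> int:
    parser = argparse.ArgumentParser(description="Gate a CI job on scanner JSON output.")
    parser.add_argument("--ruleset", choices=["all", "owasp"], default="all")
    parser.add_argument("--fail-on", default="HIGH", help="lowest severity that fails the build")
    args = parser.parse_args(argv)
    # Read the JSON array from stdin (the `-o json` form); fall back to the sample when run alone.
    findings = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_FINDINGS
    selected = filter_findings(findings, ruleset=args.ruleset)
    for f in selected:
        print(f"{f['file']}:{f['line']}:{f['column']} [{f['severity']}] {f['category']} {f['title']}")
    print("summary:", summarize(selected))
    return exit_code(selected, fail_on=args.fail_on)


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Filtering on the category prefix in the consumer rather than at the scanner keeps the full JSON available for other tooling while still letting the gate decide on the OWASP subset; the severity floor is what turns a report into a pass/fail signal.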

Apply automatic fixes

ci-cd-security-scanner -p . --fix
Rewrites workflow YAML in place for the fixable categories, then re-scans to show what’s left. See Auto-fix for the exact rewrite rules.
--fix is not supported with -g owner/repo. Clone the repo yourself if you want to fix and review the diff.