At a glance
| Pipefort | zizmor | StepSecurity | GitHub native (CodeQL + policies) | |
|---|---|---|---|---|
| Platforms | GitHub Actions + GitLab CI | GitHub Actions only | GitHub Actions (GitLab nascent) | GitHub Actions only |
| Workflow rules | 60+ | ~38 | knowledge-base checks | ~18 CodeQL queries |
| Repo/branch-protection audit | ✓ | ✗ | ✓ | partial (platform settings) |
| Online supply-chain audits (impostor commit, known-vuln, typosquat) | ✓ | ✓ | ✓ | Dependabot (pin updates) |
| SLSA build-track mapping | ✓ | ✗ | ✗ | ✗ |
| OWASP CI/CD Top 10 framing | ✓ | partial | partial | ✗ |
| Confidence + persona noise control | ✓ | ✓ | — | — |
| Auto-fix | in-place, fix PRs, GitLab MRs | in-place | fix PRs | ✗ |
| Cross-finding attack chains (“Attacker Mind”) | ✓ | ✗ | ✗ | ✗ |
| Multi-tenant SaaS dashboard (history, trends, triage) | ✓ | ✗ | ✓ | partial |
| Runtime egress monitoring (EDR) | ✗ | ✗ | ✓ | ✗ |
| Price | free CLI; SaaS tiers | free (MIT) | free public repos; paid enterprise | free public repos; paid (Code Security) |
Where each tool wins
zizmor is the OSS mindshare leader for GitHub Actions static analysis — fast, free, and trusted by major projects. If you only run GitHub Actions and only want a CLI, it’s an excellent choice. Pipefort’s edge over it is breadth: GitLab CI, a repository-settings/branch-protection audit, SLSA mapping, toxic-combination detection, and the SaaS layer (cross-repo history, trends, triage, org dashboards). Pipefort matches zizmor on the things that made it popular — SARIF, auto-fix, online pin audits, and a confidence/persona noise model. StepSecurity is the strongest commercial competitor. Its Harden-Runner gives runtime egress monitoring — an EDR for CI runners — which caught the tj-actions/changed-files compromise live. No static scanner, Pipefort included, can match that; it’s a fundamentally different capability. If runtime detection is your priority, StepSecurity leads. Pipefort competes on the static + posture side (broader rule set, GitLab, SLSA/OWASP framing, Attacker Mind) rather than runtime. GitHub native (CodeQL’s Actions queries, Dependabot, and platform-level policies) is free for public repos and enforces some controls — like failing runs that use unpinned actions — at a layer no third party can reach. If you’re already paying for GitHub Code Security, you get overlapping coverage in the box. Pipefort’s value on top is the cross-repo posture view, OWASP/SLSA compliance framing, GitLab, and the broader, CI/CD-specific rule set.Honest limitations
- No runtime monitoring. Pipefort is static analysis + posture. For run-time egress detection, pair it with StepSecurity Harden-Runner or a build-time eBPF agent.
- GitLab is younger than the GitHub surface. GitLab CI rules, MR-based fixes, and project-settings auditing ship today; GitLab online supply-chain (action-pin) audits and SLSA mapping remain GitHub-only. See GitLab support.
- Injection detection is pattern/position based, not full taint tracking — it flags reachable sinks, it does not prove a specific secret is exfiltrable.
When Pipefort is the right pick
- You run both GitHub Actions and GitLab CI and want one tool.
- You need OWASP CI/CD Top 10 or SLSA framing for compliance.
- You want a posture dashboard across many repositories, with trends and triage, not just a per-repo CLI run.
- You value remediation (auto-fix in-place, fix PRs/MRs) and cross-finding attack-chain analysis over a longer flat list.