> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pipefort.com/llms.txt
> Use this file to discover all available pages before exploring further.

# How Pipefort compares

> Pipefort vs zizmor, StepSecurity, and GitHub-native CI/CD security tooling.

CI/CD security has a crowded low end. This page is an honest map of where
Pipefort fits against the tools you're most likely to already be considering.
Where a competitor is stronger, we say so.

## At a glance

|                                                                     | Pipefort                       | zizmor              | StepSecurity                       | GitHub native (CodeQL + policies)       |
| ------------------------------------------------------------------- | ------------------------------ | ------------------- | ---------------------------------- | --------------------------------------- |
| Platforms                                                           | GitHub Actions **+ GitLab CI** | GitHub Actions only | GitHub Actions (GitLab nascent)    | GitHub Actions only                     |
| Workflow rules                                                      | 60+                            | \~38                | knowledge-base checks              | \~18 CodeQL queries                     |
| Repo/branch-protection audit                                        | ✓                              | ✗                   | ✓                                  | partial (platform settings)             |
| Online supply-chain audits (impostor commit, known-vuln, typosquat) | ✓                              | ✓                   | ✓                                  | Dependabot (pin updates)                |
| SLSA build-track mapping                                            | ✓                              | ✗                   | ✗                                  | ✗                                       |
| OWASP CI/CD Top 10 framing                                          | ✓                              | partial             | partial                            | ✗                                       |
| Confidence + persona noise control                                  | ✓                              | ✓                   | —                                  | —                                       |
| Auto-fix                                                            | in-place, fix PRs, GitLab MRs  | in-place            | fix PRs                            | ✗                                       |
| Cross-finding attack chains ("Attacker Mind")                       | ✓                              | ✗                   | ✗                                  | ✗                                       |
| Multi-tenant SaaS dashboard (history, trends, triage)               | ✓                              | ✗                   | ✓                                  | partial                                 |
| Runtime egress monitoring (EDR)                                     | ✗                              | ✗                   | **✓**                              | ✗                                       |
| Price                                                               | free CLI; SaaS tiers           | free (MIT)          | free public repos; paid enterprise | free public repos; paid (Code Security) |

## Where each tool wins

**zizmor** is the OSS mindshare leader for GitHub Actions static analysis —
fast, free, and trusted by major projects. If you only run GitHub Actions and
only want a CLI, it's an excellent choice. Pipefort's edge over it is breadth:
**GitLab CI**, a repository-settings/branch-protection audit, SLSA mapping,
toxic-combination detection, and the SaaS layer (cross-repo history, trends,
triage, org dashboards). Pipefort matches zizmor on the things that made it
popular — SARIF, auto-fix, online pin audits, and a confidence/persona noise
model.

**StepSecurity** is the strongest commercial competitor. Its Harden-Runner
gives **runtime egress monitoring** — an EDR for CI runners — which caught the
tj-actions/changed-files compromise live. No static scanner, Pipefort included,
can match that; it's a fundamentally different capability. If runtime detection
is your priority, StepSecurity leads. Pipefort competes on the static + posture
side (broader rule set, GitLab, SLSA/OWASP framing, Attacker Mind) rather than
runtime.

**GitHub native** (CodeQL's Actions queries, Dependabot, and platform-level
policies) is free for public repos and enforces some controls — like failing
runs that use unpinned actions — at a layer no third party can reach. If you're
already paying for GitHub Code Security, you get overlapping coverage in the
box. Pipefort's value on top is the cross-repo posture view, OWASP/SLSA
compliance framing, GitLab, and the broader, CI/CD-specific rule set.

## Honest limitations

* **No runtime monitoring.** Pipefort is static analysis + posture. For
  run-time egress detection, pair it with StepSecurity Harden-Runner or a
  build-time eBPF agent.
* **GitLab is younger than the GitHub surface.** GitLab CI rules, MR-based
  fixes, and project-settings auditing ship today; GitLab online supply-chain
  (action-pin) audits and SLSA mapping remain GitHub-only. See
  [GitLab support](/cli/gitlab).
* **Injection detection is pattern/position based**, not full taint tracking —
  it flags reachable sinks, it does not prove a specific secret is exfiltrable.

## When Pipefort is the right pick

* You run **both GitHub Actions and GitLab CI** and want one tool.
* You need **OWASP CI/CD Top 10 or SLSA** framing for compliance.
* You want a **posture dashboard** across many repositories, with trends and
  triage, not just a per-repo CLI run.
* You value **remediation** (auto-fix in-place, fix PRs/MRs) and cross-finding
  **attack-chain** analysis over a longer flat list.
