Skip to main content
The Pipefort extension brings the scanner into your editor. It flags security weaknesses in GitHub Actions and GitLab CI pipelines as you edit them — inline squiggles, a dedicated findings view with toxic-combination chains, and quick fixes — all powered by the same engine as the CLI and web app. It runs entirely locally: no Pipefort account, no cloud connection. The extension downloads and manages a pipefort CLI binary for you and calls it under the hood.

Install

VS Code

Install from the Visual Studio Marketplace, or from the command line:

Cursor, Windsurf, VSCodium, and Theia

These editors use Open VSX. Search for Pipefort in the Extensions view, or install the published .vsix manually. The extension works in VS Code and any Open VSX editor. Requires VS Code 1.85.0 or newer. On first scan the extension downloads a checksum-verified pipefort binary — see The managed CLI. The extension activates automatically when your workspace contains a .github/workflows directory or a .gitlab-ci.yml file.

What it does

  • Inline diagnostics — findings appear as squiggles on the exact YAML line and in the Problems panel, mapped to editor severities (HIGH → error, MEDIUM → warning, LOW → info). Each one links to its rule documentation.
  • Findings view — a dedicated Pipefort container in the Activity Bar lists every finding grouped by file, with a badge showing the total count.
  • Toxic combinations — correlated findings that chain into a breach are surfaced at the top of the view, broken into ordered stages with a single break-the-chain recommendation. See Attacker Mind for how chains are built.
  • Status bar — a Pipefort item shows scan state: scanning, clean, findings count, or error.
  • Quick fixes — code actions on pipeline files let you fix all auto-fixable issues or suppress a single finding with an inline comment (see Quick fixes).

Commands

Open the Command Palette (Cmd/Ctrl+Shift+P) and search for Pipefort:
CommandWhat it does
Pipefort: Scan WorkspaceScan every pipeline file in the workspace, including online pin audits.
Pipefort: Scan Current FileRe-scan the active pipeline file.
Pipefort: Fix All Auto-Fixable Issues in FileRun the CLI’s --fix on the active file.
Pipefort: Show OutputOpen the Pipefort output channel (scan logs).
Pipefort: Open SettingsJump to the Pipefort settings.
Pipefort: Update CLIForce a re-check and download of the managed CLI.

Quick fixes

Place the cursor on a finding to see the lightbulb, or open the Quick Fix menu (Cmd/Ctrl+.):
  • Fix all auto-fixable issues in file — rewrites unpinned actions, missing permissions, missing timeouts, and other fixable categories in place, using the CLI’s auto-fix.
  • Suppress <rule> with inline comment — inserts (or merges into) a # pipefort: ignore[<rule>] comment so that finding is skipped on future scans.

How scanning works

By default the extension scans pipeline files on open, on save, and once on startup. Open and save scans always run offline for instant feedback — plain YAML analysis with no network calls. Online pin audits — typosquat and vulnerable-action detection — call the GitHub API and therefore need a token. They run during a full workspace scan and, after a save, on a cooldown-gated per-file refresh. Control them with pipefort.onlineAudits (auto / on / off); auto enables them whenever a token is available. The token is resolved from GITHUB_TOKEN, GH_TOKEN, or GH_ENTERPRISE_TOKEN, falling back to VS Code’s built-in GitHub sign-in session. It is passed to the CLI only through its environment — never on the command line — and is scrubbed from the output channel.

Settings

All settings live under the pipefort.* namespace. Run Pipefort: Open Settings or edit settings.json.
SettingDefaultDescription
pipefort.rulesetallWhich ruleset to apply: all, owasp, slsa, or a specific level (slsa-build-l1l3, slsa-source-l2l4).
pipefort.personaregularScanning strictness: regular, pedantic, or auditor.
pipefort.minConfidenceLOWMinimum confidence for reported findings: LOW, MEDIUM, or HIGH.
pipefort.onlineAuditsautoOnline pin audits: auto, on, or off.
pipefort.scanOnOpentrueScan a pipeline file when it is opened.
pipefort.scanOnSavetrueScan a pipeline file when it is saved.
pipefort.scanOnStartuptrueRun a full workspace scan when the extension activates.
pipefort.cliVersionlatestCLI version to manage: latest or a pinned tag like v1.2.3.
pipefort.binaryPath""Absolute path to a pipefort binary. Overrides the managed CLI when set.
pipefort.extraArgs[]Extra arguments passed through to the pipefort CLI.
ruleset, persona, and minConfidence mirror the CLI flags — see that reference for what each value changes.

The managed CLI

The extension is a thin front-end over the pipefort CLI. On first use it downloads the matching release from GitHub Releases, verifies its SHA-256 checksum, caches it per version, and refuses to run an unverified binary. It checks for updates in the background and, on macOS, clears the download quarantine attribute automatically. To manage the CLI yourself:
  • Pin a version with pipefort.cliVersion (e.g. v1.2.3).
  • Point pipefort.binaryPath at a CLI you installed via the standard install methods to bypass the managed download.
  • Force a refresh with Pipefort: Update CLI.

See also