> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pipefort.com/llms.txt
> Use this file to discover all available pages before exploring further.

# VS Code extension

> Scan CI/CD pipelines for OWASP CI/CD Top 10, SLSA, and supply-chain issues inline in VS Code, Cursor, and Windsurf.

The Pipefort extension brings the scanner into your editor. It flags security
weaknesses in GitHub Actions and GitLab CI pipelines as you edit them — inline
squiggles, a dedicated findings view with toxic-combination chains, and quick
fixes — all powered by the same engine as the [CLI](/cli/overview) and
[web app](/webapp/overview).

It runs entirely locally: no Pipefort account, no cloud connection. The extension
downloads and manages a `pipefort` CLI binary for you and calls it under the hood.

## Install

### VS Code

Install from the
[Visual Studio Marketplace](https://marketplace.visualstudio.com/items?itemName=pipefort.pipefort),
or from the command line:

```bash theme={null}
code --install-extension pipefort.pipefort
```

### Cursor, Windsurf, VSCodium, and Theia

These editors use [Open VSX](https://open-vsx.org/extension/pipefort/pipefort).
Search for **Pipefort** in the Extensions view, or install the published `.vsix`
manually. The extension works in VS Code and any Open VSX editor.

Requires VS Code `1.85.0` or newer. On first scan the extension downloads a
checksum-verified `pipefort` binary — see [The managed CLI](#the-managed-cli).

The extension activates automatically when your workspace contains a
`.github/workflows` directory or a `.gitlab-ci.yml` file.

## What it does

* **Inline diagnostics** — findings appear as squiggles on the exact YAML line
  and in the Problems panel, mapped to editor severities (HIGH → error,
  MEDIUM → warning, LOW → info). Each one links to its
  [rule documentation](/rules/overview).
* **Findings view** — a dedicated Pipefort container in the Activity Bar lists
  every finding grouped by file, with a badge showing the total count.
* **Toxic combinations** — correlated findings that chain into a breach are
  surfaced at the top of the view, broken into ordered stages with a single
  *break-the-chain* recommendation. See [Attacker Mind](/concepts/attacker-mind)
  for how chains are built.
* **Status bar** — a Pipefort item shows scan state: scanning, clean, findings
  count, or error.
* **Quick fixes** — code actions on pipeline files let you fix all auto-fixable
  issues or suppress a single finding with an inline comment (see
  [Quick fixes](#quick-fixes)).

## Commands

Open the Command Palette (`Cmd/Ctrl+Shift+P`) and search for **Pipefort**:

| Command                                         | What it does                                                            |
| ----------------------------------------------- | ----------------------------------------------------------------------- |
| `Pipefort: Scan Workspace`                      | Scan every pipeline file in the workspace, including online pin audits. |
| `Pipefort: Scan Current File`                   | Re-scan the active pipeline file.                                       |
| `Pipefort: Fix All Auto-Fixable Issues in File` | Run the CLI's `--fix` on the active file.                               |
| `Pipefort: Show Output`                         | Open the Pipefort output channel (scan logs).                           |
| `Pipefort: Open Settings`                       | Jump to the Pipefort settings.                                          |
| `Pipefort: Update CLI`                          | Force a re-check and download of the managed CLI.                       |

## Quick fixes

Place the cursor on a finding to see the lightbulb, or open the Quick Fix menu
(`Cmd/Ctrl+.`):

* **Fix all auto-fixable issues in file** — rewrites unpinned actions, missing
  permissions, missing timeouts, and other fixable categories in place, using
  the CLI's [auto-fix](/cli/auto-fix).
* **Suppress `<rule>` with inline comment** — inserts (or merges into) a
  `# pipefort: ignore[<rule>]` comment so that finding is skipped on future
  scans.

## How scanning works

By default the extension scans pipeline files on open, on save, and once on
startup. Open and save scans always run **offline** for instant feedback — plain
YAML analysis with no network calls.

**Online pin audits** — typosquat and vulnerable-action detection — call the
GitHub API and therefore need a token. They run during a full workspace scan and,
after a save, on a cooldown-gated per-file refresh. Control them with
`pipefort.onlineAudits` (`auto` / `on` / `off`); `auto` enables them whenever a
token is available.

The token is resolved from `GITHUB_TOKEN`, `GH_TOKEN`, or `GH_ENTERPRISE_TOKEN`,
falling back to VS Code's built-in GitHub sign-in session. It is passed to the CLI
only through its environment — never on the command line — and is scrubbed from
the output channel.

## Settings

All settings live under the `pipefort.*` namespace. Run
**Pipefort: Open Settings** or edit `settings.json`.

| Setting                  | Default   | Description                                                                                                        |
| ------------------------ | --------- | ------------------------------------------------------------------------------------------------------------------ |
| `pipefort.ruleset`       | `all`     | Which ruleset to apply: `all`, `owasp`, `slsa`, or a specific level (`slsa-build-l1`–`l3`, `slsa-source-l2`–`l4`). |
| `pipefort.persona`       | `regular` | Scanning strictness: `regular`, `pedantic`, or `auditor`.                                                          |
| `pipefort.minConfidence` | `LOW`     | Minimum confidence for reported findings: `LOW`, `MEDIUM`, or `HIGH`.                                              |
| `pipefort.onlineAudits`  | `auto`    | Online pin audits: `auto`, `on`, or `off`.                                                                         |
| `pipefort.scanOnOpen`    | `true`    | Scan a pipeline file when it is opened.                                                                            |
| `pipefort.scanOnSave`    | `true`    | Scan a pipeline file when it is saved.                                                                             |
| `pipefort.scanOnStartup` | `true`    | Run a full workspace scan when the extension activates.                                                            |
| `pipefort.cliVersion`    | `latest`  | CLI version to manage: `latest` or a pinned tag like `v1.2.3`.                                                     |
| `pipefort.binaryPath`    | `""`      | Absolute path to a `pipefort` binary. Overrides the managed CLI when set.                                          |
| `pipefort.extraArgs`     | `[]`      | Extra arguments passed through to the `pipefort` CLI.                                                              |

`ruleset`, `persona`, and `minConfidence` mirror the [CLI flags](/cli/flags) —
see that reference for what each value changes.

## The managed CLI

The extension is a thin front-end over the `pipefort` CLI. On first use it
downloads the matching release from
[GitHub Releases](https://github.com/raphabot/pipefort/releases), **verifies its
SHA-256 checksum**, caches it per version, and refuses to run an unverified
binary. It checks for updates in the background and, on macOS, clears the
download quarantine attribute automatically.

To manage the CLI yourself:

* Pin a version with `pipefort.cliVersion` (e.g. `v1.2.3`).
* Point `pipefort.binaryPath` at a CLI you installed via the
  [standard install methods](/cli/installation) to bypass the managed download.
* Force a refresh with **Pipefort: Update CLI**.

## See also

* [CLI overview](/cli/overview) — the same engine on the command line and in CI
* [Auto-fix](/cli/auto-fix) — what `--fix` rewrites
* [MCP server](/cli/mcp) — expose the scanner to AI coding assistants
* [Attacker Mind](/concepts/attacker-mind) — how toxic combinations are built
* [Rules reference](/rules/overview) — every rule the scanner applies
