Pipefort is two surfaces over one engine. The same Go scanner (pkg/scanner) powers:
- CLI: ci-cd-security-scanner scans a local directory or a remote GitHub repo from the command line. Supports --fix for in-place YAML rewrites.
- Web dashboard: a multi-tenant React + Go app backed by Supabase. Connect a GitHub account or org and get continuous OWASP posture across every repo's workflows.
What it detects
Pipefort implements eight checks against .github/workflows/*.yml, covering five OWASP Top 10 CI/CD risk categories and three workflow best practices:
| Category | Title | Severity |
|---|---|---|
| CICD-SEC-1 | Dangerous checkout in pull_request_target workflow | HIGH |
| CICD-SEC-3 | Unpinned third-party action | MEDIUM |
| CICD-SEC-4 | Poisoned Pipeline Execution (shell injection) | HIGH |
| CICD-SEC-5 | Missing permissions specification | MEDIUM |
| CICD-SEC-6 | Hardcoded credentials | HIGH |
| BEST-PRAC-1 | Command piped directly to shell | HIGH |
| BEST-PRAC-2 | Job timeout not configured | LOW |
| BEST-PRAC-3 | Self-hosted runner usage | LOW |
Rulesets are selected with --ruleset owasp (CLI) or the ruleset selector in the dashboard.
How it works
The scanner parses each workflow's YAML AST and runs deterministic checks against it: no LLMs, no external services. Detection logic lives entirely in pkg/scanner, so the CLI and the web app always produce identical findings for the same file.
The web app pulls workflow YAML through the GitHub Git Trees/Blobs API and scans the bytes in memory (scanner.ScanBytes) — there’s no git clone, so each per-repo scan fits well within a serverless request budget.
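To make the eight checks in the table above and the "deterministic checks over a parsed workflow" idea concrete, here is an added example in Go. It is not Pipefort's pkg/scanner code and does not use its types or scanner.ScanBytes; the Workflow/Job/Step model, the regexes and the sample workflow are all constructed for this illustration (the standard library has no YAML parser, so the workflow is given as the struct a YAML parser would produce). Which actions count as "third-party" (anything outside ./, docker:// and the actions/ org) and which token shapes count as credentials are assumptions of this example, not the product's rules.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Hypothetical, simplified model of a parsed .github/workflows/*.yml (not Pipefort's type).
type Step struct {
	Uses string            // "owner/repo@ref" for action steps, "" for run steps
	With map[string]string // action inputs
	Run  string            // shell script of a run step
	Env  map[string]string // step-level env
}

type Job struct {
	RunsOn         string // runs-on label(s) joined into one string
	TimeoutMinutes int    // 0 means not configured
	HasPermissions bool   // job-level permissions block present
	Steps          []Step
}

type Workflow struct {
	Triggers       []string // keys under "on:"
	HasPermissions bool     // top-level permissions block present
	Jobs           map[string]Job
}

type Finding struct{ Category, Severity, Job, Detail string }

var (
	// Only a full 40-hex commit SHA after "@" is an immutable pin; tags and branches can move.
	shaPinned = regexp.MustCompile(`@[0-9a-f]{40}$`)
	// Attacker-controlled event fields that the runner expands into the script before the shell runs.
	untrustedExpr = regexp.MustCompile(`\$\{\{\s*github\.(head_ref|event\.(pull_request|issue|comment|review|review_comment|head_commit|commits)\.[^}]*)\s*\}\}`)
	// A checkout of the PR head inside pull_request_target runs untrusted code with a write token.
	prHeadRef = regexp.MustCompile(`github\.(head_ref|event\.pull_request\.head\.(ref|sha))`)
	// Remote content executed unreviewed: "... | sh", "... | sudo bash".
	pipeToShell = regexp.MustCompile(`\|\s*(sudo\s+)?(ba|z)?sh\b`)
	// Assumed credential shapes (public token prefixes) that belong in ${{ secrets.* }}, never in YAML.
	credential = regexp.MustCompile(`\b(ghp_[A-Za-z0-9]{36}|AKIA[0-9A-Z]{16}|xox[bp]-[0-9A-Za-z-]{10,})\b`)
)

// isThirdParty: assumption of this example, local, docker and actions/* steps are not third-party.
func isThirdParty(uses string) bool {
	return uses != "" && !strings.HasPrefix(uses, "./") &&
		!strings.HasPrefix(uses, "docker://") && !strings.HasPrefix(uses, "actions/")
}

// Scan runs the eight deterministic checks and returns findings in a stable (job-sorted) order.
func Scan(wf Workflow) []Finding {
	var out []Finding
	add := func(cat, sev, job, detail string) { out = append(out, Finding{cat, sev, job, detail}) }
	prTarget := false
	for _, t := range wf.Triggers {
		prTarget = prTarget || t == "pull_request_target"
	}
	names := make([]string, 0, len(wf.Jobs))
	for n := range wf.Jobs {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, name := range names {
		job := wf.Jobs[name]
		if !wf.HasPermissions && !job.HasPermissions {
			add("CICD-SEC-5", "MEDIUM", name, "no permissions block; GITHUB_TOKEN gets the repository default")
		}
		if job.TimeoutMinutes == 0 {
			add("BEST-PRAC-2", "LOW", name, "timeout-minutes not set")
		}
		if strings.Contains(job.RunsOn, "self-hosted") {
			add("BEST-PRAC-3", "LOW", name, "runs-on "+job.RunsOn)
		}
		for i, st := range job.Steps {
			where := fmt.Sprintf("%s/step[%d]", name, i)
			if prTarget && strings.HasPrefix(st.Uses, "actions/checkout@") && prHeadRef.MatchString(st.With["ref"]) {
				add("CICD-SEC-1", "HIGH", where, "checks out PR head under pull_request_target: "+st.With["ref"])
			}
			if isThirdParty(st.Uses) && !shaPinned.MatchString(st.Uses) {
				add("CICD-SEC-3", "MEDIUM", where, "not pinned to a commit SHA: "+st.Uses)
			}
			if m := untrustedExpr.FindString(st.Run); m != "" {
				add("CICD-SEC-4", "HIGH", where, "untrusted expression expanded into shell: "+m)
			}
			if pipeToShell.MatchString(st.Run) {
				add("BEST-PRAC-1", "HIGH", where, "remote content piped to a shell")
			}
			for k, v := range st.Env {
				if credential.MatchString(v) {
					add("CICD-SEC-6", "HIGH", where, "literal credential in env "+k)
				}
			}
		}
	}
	return out
}

// sampleWorkflow is constructed input: one job that trips every check, one hardened job that trips none.
func sampleWorkflow() Workflow {
	return Workflow{
		Triggers: []string{"pull_request_target"},
		Jobs: map[string]Job{
			"build": {RunsOn: "self-hosted", Steps: []Step{
				{Uses: "actions/checkout@v4", With: map[string]string{"ref": "${{ github.event.pull_request.head.sha }}"}},
				{Uses: "some-org/setup-tool@v2"},
				{Run: "echo \"PR title: ${{ github.event.pull_request.title }}\""},
				{Run: "curl -sSL https://example.invalid/install.sh | sudo bash"},
				{Run: "./deploy.sh", Env: map[string]string{"AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE"}}, // AWS's documented example key
			}},
			"hardened": {RunsOn: "ubuntu-latest", TimeoutMinutes: 15, HasPermissions: true, Steps: []Step{
				{Uses: "actions/checkout@v4"}, // default ref is the base branch: safe under pull_request_target
				{Uses: "some-org/setup-tool@0123456789abcdef0123456789abcdef01234567"},
				{Run: "echo \"PR title: $TITLE\"", Env: map[string]string{"TITLE": "${{ github.event.pull_request.title }}"}}, // data passed via env, not interpolated
			}},
		},
	}
}

func main() {
	for _, f := range Scan(sampleWorkflow()) {
		fmt.Printf("%-11s %-6s %-14s %s\n", f.Category, f.Severity, f.Job, f.Detail)
	}
}
```

The hardened job shows the corresponding fixes side by side: no ref override on checkout under pull_request_target, the third-party action pinned to a commit SHA, the PR title routed through an environment variable instead of being interpolated into the script, and permissions plus timeout-minutes declared. Because the checks are pure functions over the parsed model, the same function serves a CLI that reads files and a service that scans bytes fetched from an API.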
Next steps
Quickstart
Run your first scan in 60 seconds.
Architecture
How the engine, the CLI, the API, and Supabase fit together.