# Pipefort

> Scan GitHub Actions workflows for the OWASP Top 10 CI/CD risks — via CLI or a multi-tenant web dashboard.

## Docs

- [Architecture](https://docs.pipefort.com/architecture.md): One scan engine, two callers, two independent auth concerns.
- [Auto-fix](https://docs.pipefort.com/cli/auto-fix.md): What --fix can safely rewrite, and what it intentionally won't touch.
- [CI integration](https://docs.pipefort.com/cli/ci-integration.md): Use ci-cd-security-scanner as a self-scanning step in GitHub Actions.
- [Flags](https://docs.pipefort.com/cli/flags.md): Every CLI flag, its default, and what it does.
- [Installation](https://docs.pipefort.com/cli/installation.md): Install the ci-cd-security-scanner binary.
- [Overview](https://docs.pipefort.com/cli/overview.md): ci-cd-security-scanner is a single Go binary that scans GitHub Actions workflows for CI/CD risks.
- [Usage](https://docs.pipefort.com/cli/usage.md): Scan local directories, single files, or remote GitHub repos.
- [Introduction](https://docs.pipefort.com/introduction.md): Pipefort scans GitHub Actions workflows for the OWASP Top 10 CI/CD security risks.
- [Quickstart](https://docs.pipefort.com/quickstart.md): Run your first scan from the CLI, then connect a GitHub account to the web dashboard.
- [BEST-PRAC-1 — Command piped directly to shell](https://docs.pipefort.com/rules/best-prac-1.md): curl | sh and wget | bash patterns are vulnerable to MITM and supply-chain compromise.
- [BEST-PRAC-2 — Job timeout not configured](https://docs.pipefort.com/rules/best-prac-2.md): Without timeout-minutes, GitHub Actions jobs can run for up to 6 hours.
- [BEST-PRAC-3 — Self-hosted runner usage](https://docs.pipefort.com/rules/best-prac-3.md): Self-hosted runners executing untrusted code can pivot into your internal infrastructure.
- [CICD-SEC-1 — Dangerous pull_request_target checkout](https://docs.pipefort.com/rules/cicd-sec-1.md): Checking out untrusted PR head code in a pull_request_target workflow exposes repository secrets.
- [CICD-SEC-1 — Admins can bypass branch protection](https://docs.pipefort.com/rules/cicd-sec-1-bp-admin-bypass.md): Branch protection is not enforced for administrators. Any admin (or compromised admin token) can push directly.
- [CICD-SEC-1 — Default branch can be deleted](https://docs.pipefort.com/rules/cicd-sec-1-bp-deletion.md): Branch protection permits deletion of the default branch.
- [CICD-SEC-1 — Default branch requires fewer than 2 approving reviews](https://docs.pipefort.com/rules/cicd-sec-1-bp-few-reviewers.md): One approval is enough to merge. A single compromised or coerced reviewer defeats the gate.
- [CICD-SEC-1 — Default branch allows force pushes](https://docs.pipefort.com/rules/cicd-sec-1-bp-force-push.md): Branch protection exists but force-pushes are still permitted — history can be rewritten.
- [CICD-SEC-1 — Default branch has no branch protection rule](https://docs.pipefort.com/rules/cicd-sec-1-bp-missing.md): The default branch is unprotected. Anyone with write access can push directly, force-push history, or delete it.
- [CICD-SEC-1 — CODEOWNERS exists but their review is not required](https://docs.pipefort.com/rules/cicd-sec-1-bp-no-codeowners-review.md): A CODEOWNERS file is defined but branch protection treats it as advisory only.
- [CICD-SEC-1 — Default branch does not require pull request reviews](https://docs.pipefort.com/rules/cicd-sec-1-bp-no-review.md): Branch protection is on, but reviews aren't required. Direct pushes still merge without approval.
- [CICD-SEC-1 — Default branch does not require signed commits](https://docs.pipefort.com/rules/cicd-sec-1-bp-no-signed-commits.md): Commits on the default branch are not required to be GPG/SSH-signed.
- [CICD-SEC-1 — Default branch does not require status checks to pass](https://docs.pipefort.com/rules/cicd-sec-1-bp-no-status-checks.md): No CI gate is enforced. Broken builds, failing tests, or unfinished security scans can land on main.
- [CICD-SEC-1 — Default branch does not dismiss stale reviews on new commits](https://docs.pipefort.com/rules/cicd-sec-1-bp-stale-reviews.md): Approvals survive new pushes. An attacker can land a clean review then sneak commits in before merge.
- [CICD-SEC-3 — Unpinned third-party action](https://docs.pipefort.com/rules/cicd-sec-3.md): Tag and branch references are mutable. Pin third-party actions to a full commit SHA.
- [CICD-SEC-3 — Dependabot alerts are disabled](https://docs.pipefort.com/rules/cicd-sec-3-dependabot-alerts-off.md): Known-vulnerable dependencies will not be surfaced.
- [CICD-SEC-3 — Dependabot security updates are disabled](https://docs.pipefort.com/rules/cicd-sec-3-dependabot-fixes-off.md): Vulnerable dependencies don't get an automatic fix PR. Humans have to write each bump by hand.
- [CICD-SEC-4 — Poisoned Pipeline Execution (shell injection)](https://docs.pipefort.com/rules/cicd-sec-4.md): Interpolating untrusted github.event data into an inline run script lets attackers execute arbitrary code.
- [CICD-SEC-4 — GitHub Actions can approve pull requests](https://docs.pipefort.com/rules/cicd-sec-4-wperm-pr-approve.md): Actions are allowed to submit approving reviews — an attacker who controls a workflow can self-approve a malicious PR.
- [CICD-SEC-4 — Default GITHUB_TOKEN permissions are read-write](https://docs.pipefort.com/rules/cicd-sec-4-wperm-write.md): Every workflow without an explicit `permissions:` block gets a write-capable token. Massively widens PPE blast radius.
- [CICD-SEC-5 — Missing permissions specification](https://docs.pipefort.com/rules/cicd-sec-5.md): Workflows without explicit permissions inherit the repo's default GITHUB_TOKEN scope, which is often broader than needed.
- [CICD-SEC-5 — All GitHub Actions and reusable workflows are allowed](https://docs.pipefort.com/rules/cicd-sec-5-actions-all-allowed.md): No allowlist on third-party actions. Maximises supply-chain blast radius.
- [CICD-SEC-6 — Hardcoded credentials](https://docs.pipefort.com/rules/cicd-sec-6.md): Tokens and secrets embedded in workflow files end up in git history and audit logs.
- [CICD-SEC-6 — Secret-scanning push protection is disabled](https://docs.pipefort.com/rules/cicd-sec-6-secret-push-protection-off.md): Commits containing a detected secret are not blocked at push time. Leaked credentials live in history until rotated.
- [CICD-SEC-6 — Secret scanning is disabled](https://docs.pipefort.com/rules/cicd-sec-6-secret-scanning-off.md): Leaked credentials in commits and pull requests will not be detected.
- [Rules overview](https://docs.pipefort.com/rules/overview.md): Twenty-five checks across two surfaces: workflow YAML and GitHub-side repository configuration.
- [API reference](https://docs.pipefort.com/webapp/api-reference.md): The Go HTTP endpoints under /api/*.
- [GitHub setup](https://docs.pipefort.com/webapp/github-setup.md): Connect Pipefort to a GitHub account or organization.
- [Overview](https://docs.pipefort.com/webapp/overview.md): A multi-tenant React + Go dashboard for continuous OWASP CI/CD posture.
- [Rule settings](https://docs.pipefort.com/webapp/rule-settings.md): Disable rules you don't care about — globally for your account, or per repository.

## OpenAPI Specs

- [openapi](https://docs.pipefort.com/api-reference/openapi.json)