Pipefort runs 25 deterministic checks per scan, split across two surfaces:
- 8 workflow checks parse .github/workflows/*.yml and inspect the YAML.
- 17 repository-configuration checks call the GitHub API and inspect branch protection, default workflow permissions, secret scanning, and Dependabot status.
Most map to the OWASP Top 10 CI/CD Security Risks; three are workflow best-practice checks.
Workflow file checks
| Category | Title | Severity | Auto-fix |
|---|---|---|---|
| CICD-SEC-1 | Dangerous checkout in pull_request_target | HIGH | ✓ |
| CICD-SEC-3 | Unpinned third-party action | MEDIUM | ✓ |
| CICD-SEC-4 | Poisoned Pipeline Execution (shell injection) | HIGH | ✓ |
| CICD-SEC-5 | Missing permissions specification | MEDIUM | ✓ |
| CICD-SEC-6 | Hardcoded credentials | HIGH | partial |
| BEST-PRAC-1 | Command piped directly to shell | HIGH | ✗ |
| BEST-PRAC-2 | Job timeout not configured | LOW | ✓ |
| BEST-PRAC-3 | Self-hosted runner usage | LOW | ✗ |
Repository configuration checks
These read GitHub-side settings and surface under a “Repository configuration” group in the UI (CLI: <repository settings> file label). They need the expanded GitHub App permissions described in GitHub App permissions; the CLI needs --github-token (or $GITHUB_TOKEN, or gh auth token).
Branch protection (CICD-SEC-1)
| Rule | Title | Severity |
|---|---|---|
| BP-MISSING | Default branch has no branch protection rule | HIGH |
| BP-FORCE-PUSH | Default branch allows force pushes | HIGH |
| BP-DELETION | Default branch can be deleted | HIGH |
| BP-NO-REVIEW | Default branch does not require pull request reviews | HIGH |
| BP-FEW-REVIEWERS | Default branch requires fewer than 2 approving reviews | MEDIUM |
| BP-STALE-REVIEWS | Default branch does not dismiss stale reviews on new commits | MEDIUM |
| BP-NO-STATUS-CHECKS | Default branch does not require status checks to pass | MEDIUM |
| BP-ADMIN-BYPASS | Admins can bypass branch protection | HIGH |
| BP-NO-CODEOWNERS-REVIEW | CODEOWNERS exists but their review is not required | LOW |
| BP-NO-SIGNED-COMMITS | Default branch does not require signed commits | LOW |
Actions runtime (CICD-SEC-4, CICD-SEC-5)
| Rule | Title | Severity |
|---|---|---|
| WPERM-WRITE | Default GITHUB_TOKEN permissions are read-write | HIGH |
| WPERM-PR-APPROVE | GitHub Actions can approve pull requests | HIGH |
| ACTIONS-ALL-ALLOWED | All GitHub Actions and reusable workflows are allowed | MEDIUM |
Dependency hygiene (CICD-SEC-3)
| Rule | Title | Severity |
|---|---|---|
| DEPENDABOT-ALERTS-OFF | Dependabot alerts are disabled | MEDIUM |
| DEPENDABOT-FIXES-OFF | Dependabot security updates are disabled | LOW |
Credential hygiene (CICD-SEC-6)
| Rule | Title | Severity |
|---|---|---|
| SECRET-SCANNING-OFF | Secret scanning is disabled | MEDIUM |
| SECRET-PUSH-PROTECTION-OFF | Secret-scanning push protection is disabled | HIGH |
Rulesets
The CLI’s --ruleset flag (and the web app’s ruleset selector) controls which checks contribute to the final list:
- all (default) — every check listed above.
- owasp — only the CICD-SEC-* checks. The five CICD-SEC workflow checks and all 17 repository-configuration checks carry CICD-SEC-* categories, so both groups flow into this ruleset together; the three BEST-PRAC-* checks are excluded.
Enabling and disabling individual rules
The web app lets you toggle any individual rule on or off without changing the ruleset — per user, with optional per-repository overrides. See Rule settings for the model and the UI. The CLI’s filtering is limited to the coarser --ruleset choice above; multi-tenant preferences depend on the database and are web-only.
How the checks run
Each workflow check is a function that takes the parsed workflow YAML AST and returns a list of findings. The CLI and the web app both invoke the same ScanBytes(name, content) entrypoint.
Repository-configuration checks are a separate pass: the API client first fetches the relevant GitHub settings (FetchRepositorySettings) and then runs ScanRepositorySettings(context) to produce findings. These findings carry a synthetic file path (<repository settings>) and a zero line/column so consumers can render them apart from per-file findings.
See Auto-fix for which workflow categories the CLI’s --fix flag rewrites. Repository-configuration findings have no auto-fix — they’re flagged for manual remediation via GitHub’s UI.
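As an added illustration of the "function over the parsed YAML in, list of findings out" model described above (this is example code, not Pipefort's own), here are minimal Python versions of four of the workflow checks from the first table, run against a constructed two-job workflow. The detection patterns (the commit-SHA regex, the set of untrusted event expressions, the `head` test on the checkout ref) and the finding tuple shape are assumptions, not Pipefort's actual rules.

```python
import re

# Actions pinned to a full 40-hex commit SHA pass CICD-SEC-3; tags and branches do not.
PINNED_SHA = re.compile(r"@[0-9a-f]{40}$")
# Assumed subset of expressions whose value is attacker-controlled under PR/issue triggers.
UNTRUSTED_EXPR = re.compile(r"\$\{\{\s*github\.event\.(pull_request|issue|comment)\.[^}]*\}\}")

def check_workflow(wf):
    """Run four workflow checks over a parsed workflow; return (rule, job, message) tuples."""
    raw = wf.get("on", wf.get(True, {}))  # YAML 1.1 parsers read the bare key `on` as boolean True
    triggers = set(raw) if isinstance(raw, (dict, list)) else {raw}
    findings = []
    for name, job in wf.get("jobs", {}).items():
        if "permissions" not in wf and "permissions" not in job:
            findings.append(("CICD-SEC-5", name, "no permissions block at workflow or job level"))
        if "timeout-minutes" not in job:
            findings.append(("BEST-PRAC-2", name, "timeout-minutes not set"))
        for step in job.get("steps", []):
            uses = step.get("uses", "")
            if uses and not uses.startswith("./") and not PINNED_SHA.search(uses):
                findings.append(("CICD-SEC-3", name, f"{uses} is not pinned to a commit SHA"))
            ref = str(step.get("with", {}).get("ref", ""))
            if "pull_request_target" in triggers and uses.startswith("actions/checkout") and "head" in ref:
                findings.append(("CICD-SEC-1", name, "checks out the PR head under pull_request_target"))
            if UNTRUSTED_EXPR.search(step.get("run", "")):
                findings.append(("CICD-SEC-4", name, "untrusted event data interpolated into run:"))
    return findings

# Constructed sample: the dict a YAML parser would produce for a two-job workflow.
SAMPLE = {
    "on": {"pull_request_target": {}},
    "jobs": {
        "test": {  # the weak job: trips all four workflow checks
            "steps": [
                {"uses": "actions/checkout@v4",
                 "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
                {"run": 'echo "${{ github.event.pull_request.title }}"'},
            ],
        },
        "safe": {  # the hardened job: read-only token, timeout, SHA-pinned checkout, no interpolation
            "permissions": {"contents": "read"},
            "timeout-minutes": 10,
            "steps": [{"uses": "actions/checkout@0123456789abcdef0123456789abcdef01234567"},
                      {"run": "make test"}],
        },
    },
}

FINDINGS = check_workflow(SAMPLE)  # five findings, all against the "test" job
```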