Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.pipefort.com/llms.txt

Use this file to discover all available pages before exploring further.

Pipefort scores every scanned repository against the SLSA v1.2 specification. Two tracks are covered:
  • Build track — how artifacts are produced (Levels 1–3). Workflow-YAML checks live here.
  • Source track — how source code is managed (Levels 1–4). Repository- settings checks (branch protection, etc.) live here.
The dedicated SLSA dashboard renders both tracks side-by-side with per-control pass/fail heatmaps and a “lowest-scoring repositories” list.

Build track

Run pipefort -r slsa-build-l2 (or any level) to filter the CLI to just these rules. The web app’s /slsa page exposes the same filter on the API call.
RuleLevelSeverityAuto-fix
Command piped to shellL1HIGH
Self-hosted runnerL2LOW
Missing permissions:L2MEDIUM
Permissions overly broadL2HIGH
Build provenance missingL2HIGH
Provenance signing scope missingL2MEDIUM
Verify step missingL2INFO
Pinned actionsL3MEDIUM
pull_request_target checkoutL3HIGH
Provenance not isolatedL3MEDIUM
Cache poisoning in PRL3HIGH

Level definitions

LevelSummary
L1Build process is consistent; provenance distributed to consumers.
L2Hosted build platform; provenance is signed and verifiable.
L3Hardened builds: signing key isolated from user-defined build steps. On GitHub this requires the slsa-framework/slsa-github-generator reusable workflow — in-job signing only meets L2.

Source track

These rules need the GitHub App’s extended permissions so Pipefort can read repository settings.
RuleLevelSeverity
No force pushesL2HIGH
No deletionL2HIGH
Signed commitsL2LOW
Branch protection existsL3HIGH
Status checks requiredL3MEDIUM
Admins cannot bypassL3HIGH
Reviews requiredL4HIGH
≥ 2 reviewersL4MEDIUM
Stale reviews dismissedL4MEDIUM
CODEOWNERS reviewL4LOW
Actions cannot approve PRsL4HIGH

Level definitions

LevelSummary
L1Version controlled (any GitHub repo trivially satisfies this).
L2History preserved: no force-push, no branch deletion.
L3Continuous technical controls — branch protection, required status checks, no admin bypass.
L4Two-party review enforced (≥ 2 reviewers, dismiss stale, CODEOWNERS, no bot approvals).

How the SLSA level is computed per repo

A repo passes level L when no enabled rule tagged for that level (or any lower level) fired in its latest scan. The dashboard’s Level Ladder widget shows the score per track and the count of passing controls at each level. Repositories without a recent scan show as L0 (Build) and L1 (Source) — the latter because a GitHub-hosted repo trivially satisfies Source L1 (Version Controlled).