Skip to main content
For any monitored repository, Pipefort posts a Check Run named Pipefort on every pull request — with a pass/fail conclusion and inline annotations on the offending workflow lines. Mark it a required status check and it becomes a merge gate.

How it works

On a pull_request event (opened, synchronize, reopened) for a monitored repo, Pipefort:
  1. Checks the PR’s changed files. If no workflow files changed, it posts a passing check (“No workflow changes”) and stops — unrelated PRs are never blocked.
  2. Scans the PR head (workflow YAML, the repo’s .pipefort.yml, and the online supply-chain audits), applying your org’s rule settings.
  3. Diffs against the repository’s latest default-branch scan by stable fingerprint to find new findings — ones this PR introduces.
  4. Posts the Check Run: its conclusion follows your gate policy, and up to 50 findings become inline annotations (HIGH → failure, MEDIUM → warning, LOW/INFO → notice), most severe first.
PR scans are not persisted — they don’t touch your scan history, trends, or the default-branch baseline. The Check Run is the artifact.

Gate policy

Set the policy per organization under Settings → Pull request checks (admin only):
  • Fail the check on — the severity that fails the check: High or above, Medium or above, Low or above, or Never fail (report only).
  • Gate on new findings only — when on (the default), only findings new versus the base branch can fail the check; pre-existing issues don’t block unrelated work. Turn it off to hold the whole PR head to the bar.
The default is fail on HIGH, new findings only — a safe, low-noise start.

Making it a merge gate

The Check Run alone reports status; to block merges, make it required:
  1. In the repo (or a ruleset), open Settings → Branches → Branch protection.
  2. Enable Require status checks to pass before merging.
  3. Add Pipefort to the required checks.
Pipefort’s own cicd-sec-1-bp-no-status-checks rule nudges you toward requiring status checks in the first place.

Requirements

  • The repository must be monitored.
  • The GitHub App needs Checks: Write and Pull requests: Read, and its webhook must be subscribed to Pull request events — see GitHub App permissions. If the App lacks Checks: Write, Pipefort degrades gracefully (it logs and posts nothing) until you re-authorize.