> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pipefort.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Pull request checks

> Post a Pipefort Check Run on pull requests and gate merges on new findings.

For any [monitored repository](/webapp/monitored-repos), Pipefort posts a
**Check Run** named **Pipefort** on every pull request — with a pass/fail
conclusion and inline annotations on the offending workflow lines. Mark it a
required status check and it becomes a merge gate.

## How it works

On a `pull_request` event (`opened`, `synchronize`, `reopened`) for a monitored
repo, Pipefort:

1. Checks the PR's changed files. If **no workflow files** changed, it posts a
   passing check ("No workflow changes") and stops — unrelated PRs are never
   blocked.
2. Scans the PR **head** (workflow YAML, the repo's [`.pipefort.yml`](/cli/configuration),
   and the online supply-chain audits), applying your org's [rule settings](/webapp/rule-settings).
3. Diffs against the repository's latest default-branch scan by stable
   fingerprint to find **new** findings — ones this PR introduces.
4. Posts the Check Run: its conclusion follows your [gate policy](#gate-policy),
   and up to 50 findings become inline annotations (`HIGH` → failure, `MEDIUM` →
   warning, `LOW`/`INFO` → notice), most severe first.

PR scans are **not** persisted — they don't touch your scan history, trends, or
the default-branch baseline. The Check Run is the artifact.

## Gate policy

Set the policy per organization under **Settings → Pull request checks** (admin
only):

* **Fail the check on** — the severity that fails the check: `High or above`,
  `Medium or above`, `Low or above`, or `Never fail (report only)`.
* **Gate on new findings only** — when on (the default), only findings new
  versus the base branch can fail the check; pre-existing issues don't block
  unrelated work. Turn it off to hold the whole PR head to the bar.

The default is **fail on HIGH, new findings only** — a safe, low-noise start.

## Making it a merge gate

The Check Run alone reports status; to *block* merges, make it required:

1. In the repo (or a ruleset), open **Settings → Branches → Branch protection**.
2. Enable **Require status checks to pass before merging**.
3. Add **Pipefort** to the required checks.

Pipefort's own [`cicd-sec-1-bp-no-status-checks`](/rules/cicd-sec-1-bp-no-status-checks)
rule nudges you toward requiring status checks in the first place.

## Requirements

* The repository must be **monitored**.
* The GitHub App needs **Checks: Write** and **Pull requests: Read**, and its
  webhook must be subscribed to **Pull request** events — see
  [GitHub App permissions](/concepts/github-app-permissions). If the App lacks
  `Checks: Write`, Pipefort degrades gracefully (it logs and posts nothing)
  until you [re-authorize](/concepts/github-app-permissions#re-authorizing-after-pipefort-expands-its-permission-set).
