owner/repo (or paste a
GitHub URL) and get an instant partial report.
What the teaser scans
The anonymous scan runs the same engine as the rest of Pipefort, with a deliberately reduced scope:- Workflow files only (
.github/workflows/*.yml|yaml), fetched over the GitHub API at the repository’s default branch — no clone. - No repository-settings audit (branch protection, secret scanning, Actions permissions) — those checks need permissions an anonymous scan doesn’t have. Sign in and install the GitHub App to get them.
- No online supply-chain pin audit — also sign-in-only.
- Hard caps: at most 60 workflow files per repo (the report is marked
truncatedpast that) and workflow files over 512 KB are skipped.
What you see vs. what’s withheld
The teaser shows the full severity counts and the top 3 findings (severity, rule, OWASP category, title), chosen worst-severity-first with high-confidence findings preferred and at most one finding per rule. Withheld until you sign in: every finding’s file, line, description, and fix recommendation, and the rest of the findings list. The gate is enforced server-side — the withheld fields are never present in the API response.Share links
Each scan gets a stable share URL,pipefort.com/scan/{slug}, that replays
the stored result. Results are cached for one hour per repository — repeat
scans (and everyone opening a shared link) get the cached report instantly.
Privacy
Anonymous scans store aggregates only: severity and rule counts plus the top-3 teaser snapshot (severity, rule, category, title). No file paths, line numbers, or workflow contents are persisted — the “we never store your source code” promise holds for anonymous scans too. The landing page also shows aggregated, anonymized statistics across all Pipefort scans (“what we’re finding in the wild”): total repos scanned, findings, and the ten most-firing rules. The aggregate is computed over each repository’s latest scan and contains rule identifiers and counts only — customer repositories, organizations, and users are never identified. The “recently scanned” ticker lists anonymous public teaser scans exclusively (public repositories by definition), never customer repos.Self-hosting: configuration
The endpoint is off (returns503) until you set: