Skip to main content
The landing page at pipefort.com lets anyone scan a public GitHub repository without signing in: type owner/repo (or paste a GitHub URL) and get an instant partial report.

What the teaser scans

The anonymous scan runs the same engine as the rest of Pipefort, with a deliberately reduced scope:
  • Workflow files only (.github/workflows/*.yml|yaml), fetched over the GitHub API at the repository’s default branch — no clone.
  • No repository-settings audit (branch protection, secret scanning, Actions permissions) — those checks need permissions an anonymous scan doesn’t have. Sign in and install the GitHub App to get them.
  • No online supply-chain pin audit — also sign-in-only.
  • Hard caps: at most 60 workflow files per repo (the report is marked truncated past that) and workflow files over 512 KB are skipped.

What you see vs. what’s withheld

The teaser shows the full severity counts and the top 3 findings (severity, rule, OWASP category, title), chosen worst-severity-first with high-confidence findings preferred and at most one finding per rule. Withheld until you sign in: every finding’s file, line, description, and fix recommendation, and the rest of the findings list. The gate is enforced server-side — the withheld fields are never present in the API response. Each scan gets a stable share URL, pipefort.com/scan/{slug}, that replays the stored result. Results are cached for one hour per repository — repeat scans (and everyone opening a shared link) get the cached report instantly.

Privacy

Anonymous scans store aggregates only: severity and rule counts plus the top-3 teaser snapshot (severity, rule, category, title). No file paths, line numbers, or workflow contents are persisted — the “we never store your source code” promise holds for anonymous scans too. The landing page also shows aggregated, anonymized statistics across all Pipefort scans (“what we’re finding in the wild”): total repos scanned, findings, and the ten most-firing rules. The aggregate is computed over each repository’s latest scan and contains rule identifiers and counts only — customer repositories, organizations, and users are never identified. The “recently scanned” ticker lists anonymous public teaser scans exclusively (public repositories by definition), never customer repos.

Self-hosting: configuration

The endpoint is off (returns 503) until you set:
GITHUB_PUBLIC_SCAN_TOKEN=<fine-grained PAT>
Use a fine-grained personal access token with no repository access grants — public, read-only API access is all the teaser needs, and it keeps the token useless against private repositories even if leaked. (The endpoint additionally refuses any repository GitHub reports as private.) Rate limits protect the token’s 5,000 req/hr GitHub quota: 5 scans per minute per client IP and 30 scans per minute total (per serverless instance), plus the 1-hour per-repo result cache.