> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pipefort.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Public repo scanner

> The anonymous scan-a-repo teaser on pipefort.com — what it scans, what's withheld, and how to configure it.

The landing page at [pipefort.com](https://pipefort.com) lets anyone scan a
**public GitHub repository** without signing in: type `owner/repo` (or paste a
GitHub URL) and get an instant partial report.

## What the teaser scans

The anonymous scan runs the same engine as the rest of Pipefort, with a
deliberately reduced scope:

* **Workflow files only** (`.github/workflows/*.yml|yaml`), fetched over the
  GitHub API at the repository's default branch — no clone.
* **No repository-settings audit** (branch protection, secret scanning,
  Actions permissions) — those checks need permissions an anonymous scan
  doesn't have. Sign in and install the GitHub App to get them.
* **No online supply-chain pin audit** — also sign-in-only.
* Hard caps: at most 60 workflow files per repo (the report is marked
  `truncated` past that) and workflow files over 512 KB are skipped.

## What you see vs. what's withheld

The teaser shows the **full severity counts** and the **top 3 findings**
(severity, rule, OWASP category, title), chosen worst-severity-first with
high-confidence findings preferred and at most one finding per rule. Withheld
until you sign in: every finding's **file, line, description, and fix
recommendation**, and the rest of the findings list. The gate is enforced
server-side — the withheld fields are never present in the API response.

## Share links

Each scan gets a stable share URL, `pipefort.com/scan/{slug}`, that replays
the stored result. Results are cached for one hour per repository — repeat
scans (and everyone opening a shared link) get the cached report instantly.

## Privacy

Anonymous scans store **aggregates only**: severity and rule counts plus the
top-3 teaser snapshot (severity, rule, category, title). No file paths, line
numbers, or workflow contents are persisted — the "we never store your source
code" promise holds for anonymous scans too.

The landing page also shows **aggregated, anonymized statistics across all
Pipefort scans** ("what we're finding in the wild"): total repos scanned,
findings, and the ten most-firing rules. The aggregate is computed over each
repository's latest scan and contains rule identifiers and counts only —
customer repositories, organizations, and users are never identified. The
"recently scanned" ticker lists anonymous public teaser scans exclusively
(public repositories by definition), never customer repos.

## Self-hosting: configuration

The endpoint is off (returns `503`) until you set:

```
GITHUB_PUBLIC_SCAN_TOKEN=<fine-grained PAT>
```

Use a **fine-grained personal access token with no repository access
grants** — public, read-only API access is all the teaser needs, and it keeps
the token useless against private repositories even if leaked. (The endpoint
additionally refuses any repository GitHub reports as private.)

Rate limits protect the token's 5,000 req/hr GitHub quota: **5 scans per
minute per client IP** and **30 scans per minute total** (per serverless
instance), plus the 1-hour per-repo result cache.
