The /slsa page scores every connected repository against SLSA v1.2. Build-track results come from the workflow YAML scan; Source-track results come from the repository-settings audit (branch protection, required reviews, etc.).
Page structure
- Stat row — four cards summarising attainment across all repos: Build L3, Build L2+, Source L4, Source L3+.
- Level distribution — one horizontal stacked bar per track showing how many repos sit at each level.
- Controls heatmaps — two grids, one per track. Rows are SLSA controls grouped by level; columns are repositories. Cells show pass / fail / not scanned for that (repo, rule) pair and link to the repo’s detail page.
- Lowest-scoring repositories — a per-repo card list with two per-track progress bars (controls passing at each level).
“Scan all (SLSA ruleset)” button
Top-right of the page. Runs a scan across every repository with ruleset=slsa — only SLSA-tagged rules contribute to the resulting findings.
The default ruleset for ad-hoc scans elsewhere in the app is still all;
this view is the only place that defaults to slsa.
Level computation
A repository “passes” SLSA Build level L when no enabled SLSA-Build rule tagged for level L (or below) has fired. The Source track works the same way.
- A scan that has never run shows the repo at Build L0 / Source L1 (Source L1 is “Version Controlled” — trivially satisfied by any GitHub repository).
- An L2 finding drops the Build level to L1; an L1 finding drops it to L0. Build levels rise from there as more rules pass.
- Source L4 (“Two-Party Review”) needs the GitHub App’s extended permissions enabled. If the settings audit is skipped (e.g. missing scopes), the repo shows at Source L1.
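The level rule above, modelled as an added example (not Pipefort's own code). The rule IDs, the `Rule` type and the function names are constructed for illustration, and the model assumes the set of fired rules is known even for rules that are disabled, so the effect of a toggle on the reported level can be checked.

```python
from dataclasses import dataclass

# Track bounds taken from the page: Build runs L0..L3, Source runs L1..L4.
FLOOR = {"build": 0, "source": 1}
TOP = {"build": 3, "source": 4}

@dataclass(frozen=True)
class Rule:
    rule_id: str   # hypothetical identifier, constructed for this example
    track: str     # "build" or "source"
    level: int     # SLSA level the rule is tagged for

# Constructed rule set: EX-BUILD-L1..L3 and EX-SOURCE-L2..L4.
RULES = [Rule(f"EX-{t.upper()}-L{n}", t, n)
         for t, levels in (("build", (1, 2, 3)), ("source", (2, 3, 4)))
         for n in levels]

def track_level(track, rules, fired, disabled=frozenset(), scanned=True):
    """Highest level L such that no enabled rule tagged <= L has fired."""
    if not scanned:  # scan never run, or settings audit skipped
        return FLOOR[track]
    failing = [r.level for r in rules
               if r.track == track
               and r.rule_id in fired
               and r.rule_id not in disabled]
    if not failing:
        return TOP[track]
    # The lowest failing level caps the track just beneath it.
    return max(FLOOR[track], min(failing) - 1)

def toggle_impact(track, rules, fired, disabled):
    """Return (level as reported, level if every rule were enabled)."""
    return (track_level(track, rules, fired, disabled),
            track_level(track, rules, fired))

if __name__ == "__main__":
    print("never scanned      :", track_level("build", RULES, set(), scanned=False))
    print("L2 finding         :", track_level("build", RULES, {"EX-BUILD-L2"}))
    print("L1 finding         :", track_level("build", RULES, {"EX-BUILD-L1"}))
    print("audit skipped      :", track_level("source", RULES, set(), scanned=False))
    print("L4 finding (source):", track_level("source", RULES, {"EX-SOURCE-L4"}))
    print("L1 rule disabled   :",
          toggle_impact("build", RULES, {"EX-BUILD-L1"}, {"EX-BUILD-L1"}))
```

Because a disabled rule never counts as a fail, the last case reports the top Build level while the same findings with all rules enabled give L0; a large gap between the two values is worth reviewing on the Rule Settings page.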
Filtering by level
The Rule Settings page lets you disable any individual rule globally or per repo. The SLSA dashboard respects those toggles — a disabled rule never counts as a fail.
Related
- SLSA rule overview — one row per Build / Source rule.
- Rule settings — per-user / per-repo toggles.
- GitHub App permissions — what to grant for Source-track checks.