The CLI is a single static binary and exits non-zero on findings above a threshold, so it drops straight into any CI step.
GitHub Actions
A minimal job that scans the repo’s own workflows on every PR:
name: ci-cd-security-scan
on:
pull_request:
push:
branches: [main]
permissions:
contents: read
jobs:
scan:
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- uses: actions/checkout@v4
- name: Install scanner
run: |
curl -sSL -o pipefort.tar.gz \
https://github.com/raphabot/pipefort/releases/latest/download/pipefort_$(curl -s https://api.github.com/repos/raphabot/pipefort/releases/latest | grep tag_name | cut -d'"' -f4)_linux_amd64.tar.gz
tar -xzf pipefort.tar.gz
sudo mv pipefort /usr/local/bin/
- name: Scan workflows
run: pipefort -p . -s HIGH -r owasp
A few things worth calling out in this snippet:
-s HIGH — only fail the build on HIGH findings. Start strict-but-quiet, then tighten to MEDIUM once the baseline is clean.
-r owasp — keep the gate focused on the five OWASP categories; treat the three best-practice checks as advisory until you’re ready to enforce them.
permissions: contents: read — this scanner job itself follows CICD-SEC-5. It only reads code.
timeout-minutes: 5 — follows BEST-PRAC-2.
For reproducible builds, pin a specific version (e.g. download/v0.1.0/pipefort_v0.1.0_linux_amd64.tar.gz) rather than latest.
Pipe to jq or a SARIF converter:
- name: Scan workflows (JSON)
run: pipefort -p . -o json -s NONE > findings.json
- uses: actions/upload-artifact@v4
with:
name: pipefort-findings
path: findings.json
-s NONE keeps the step from failing so the artifact is always uploaded; gate separately on the JSON content with jq if you want richer policy.
Pre-commit hook
# .git/hooks/pre-commit
#!/usr/bin/env bash
set -e
pipefort -p . -s HIGH -r owasp
Or wire it through pre-commit with a local hook. The scanner is fast enough (sub-second on most repos) to run on every commit.