> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pipefort.com/llms.txt
> Use this file to discover all available pages before exploring further.

# CI integration

> Use pipefort as a self-scanning step in GitHub Actions.

The CLI is a single static binary and exits non-zero on findings above a threshold, so it drops straight into any CI step.

## GitHub Actions

A minimal job that scans the repo's own workflows on every PR:

```yaml theme={null}
name: ci-cd-security-scan

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  scan:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - uses: actions/checkout@v4

      - name: Install scanner
        run: |
          curl -sSL -o pipefort.tar.gz \
            https://github.com/raphabot/pipefort/releases/latest/download/pipefort_$(curl -s https://api.github.com/repos/raphabot/pipefort/releases/latest | grep tag_name | cut -d'"' -f4)_linux_amd64.tar.gz
          tar -xzf pipefort.tar.gz
          sudo mv pipefort /usr/local/bin/

      - name: Scan workflows
        run: pipefort -p . -s HIGH -r owasp
```

A few things worth calling out in this snippet:

* **`-s HIGH`** — only fail the build on HIGH findings. Start strict-but-quiet, then tighten to `MEDIUM` once the baseline is clean.
* **`-r owasp`** — keep the gate focused on the five OWASP categories; treat the three best-practice checks as advisory until you're ready to enforce them.
* **`permissions: contents: read`** — this scanner job itself follows [CICD-SEC-5](/rules/cicd-sec-5). It only reads code.
* **`timeout-minutes: 5`** — follows [BEST-PRAC-2](/rules/best-prac-2).

<Tip>
  For reproducible builds, pin a specific version (e.g. `download/v0.1.0/pipefort_v0.1.0_linux_amd64.tar.gz`) rather than `latest`.
</Tip>

## JSON output for downstream tooling

Pipe to `jq` or a SARIF converter:

```yaml theme={null}
      - name: Scan workflows (JSON)
        run: pipefort -p . -o json -s NONE > findings.json

      - uses: actions/upload-artifact@v4
        with:
          name: pipefort-findings
          path: findings.json
```

`-s NONE` keeps the step from failing so the artifact is always uploaded; gate separately on the JSON content with `jq` if you want richer policy.

## Pre-commit hook

```bash theme={null}
# .git/hooks/pre-commit
#!/usr/bin/env bash
set -e
pipefort -p . -s HIGH -r owasp
```

Or wire it through [pre-commit](https://pre-commit.com/) with a `local` hook. The scanner is fast enough (sub-second on most repos) to run on every commit.
