.pipefort.yml at the
root (or .github/pipefort.yml). It is the CLI-friendly counterpart to the web
app’s rule settings: no external state, versioned with
your code, and honored by every pipefort run. This is the direct analog of
zizmor’s zizmor.yml.
The CLI discovers it automatically in the scan root. Point at a specific file
with --config <path>, or ignore any config for a run with --no-config.
Schema
Precedence
- CLI flags win over the config. An explicit
-r,--persona, or--min-confidenceoverrides the file’sruleset/persona/min-confidence; otherwise the file value applies, otherwise the flag’s default. - On the web, the org’s rule settings are authoritative. A repo’s
.pipefort.ymlcan only further restrict — it can disable a rule, tune a severity, or add ignores, but it can never re-enable a rule your organization turned off. A repository write must not override an org security decision. (Severity tuning and ignores are honored because they’re noise-control, not policy.)
Inline suppression comments
For one-off exceptions you don’t want to centralize, drop a comment right where the finding is — on the same line, or the line above:# pipefort: ignore (no brackets) suppresses every rule at that
location; brackets scope it to specific rule IDs (comma-separated). A trailing
comment only affects its own line; a standalone comment line affects the line
below it. Inline ignores work in both GitHub Actions and GitLab CI files and
are honored by the CLI and the web scanner (they’re applied inside the scan
engine, so every surface inherits them).
Parse errors (SYSTEM findings) can never be silenced by an ignore comment.