> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pipefort.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Flags

> Every CLI flag, its default, and what it does.

## All flags

| Flag          | Short | Default   | Description                                                                                                            |
| ------------- | ----- | --------- | ---------------------------------------------------------------------------------------------------------------------- |
| `--path`      | `-p`  | `.`       | Path to the local repository or directory to scan.                                                                     |
| `--file`      | `-f`  | *unset*   | Scan a single specific workflow file. Overrides `--path`.                                                              |
| `--git`       | `-g`  | *unset*   | GitHub repository to scan. Accepts `owner/repo` or a full URL. Triggers a `git clone --depth 1` into a temp directory. |
| `--output`    | `-o`  | `console` | Output format. One of `console` or `json`.                                                                             |
| `--fail-on`   | `-s`  | `MEDIUM`  | Severity threshold for exit code 1. One of `HIGH`, `MEDIUM`, `LOW`, `INFO`, or `NONE`. See [exit codes](#exit-codes).  |
| `--ruleset`   | `-r`  | `all`     | Which rules to apply. `all` includes best-practice checks; `owasp` keeps only `CICD-SEC-*`.                            |
| `--keep-temp` |       | `false`   | When using `-g`, keep the temporary clone directory after the scan. Useful for inspecting what was scanned.            |
| `--fix`       |       | `false`   | Attempt to automatically fix detected issues in place. See [Auto-fix](/cli/auto-fix). Not supported with `-g`.         |

## Target selection

The CLI picks a target in this order:

1. `--git owner/repo` — shallow-clone, then scan the temp directory.
2. `--file path/to/workflow.yml` — scan a single file.
3. `--path .` — scan the directory's `.github/workflows/`, falling back to walking the whole tree if missing.

## Exit codes

| Code | Meaning                                                                                                      |
| ---- | ------------------------------------------------------------------------------------------------------------ |
| `0`  | No findings at or above `--fail-on` severity.                                                                |
| `1`  | At least one finding meets the threshold, **or** a runtime error (clone failed, parse error, etc.) occurred. |

Severity weighting (lowest to highest): `INFO` \< `LOW` \< `MEDIUM` \< `HIGH`. `--fail-on NONE` always exits `0` on a clean run, regardless of findings — useful when you want a report without gating.
