pipefort mcp runs Pipefort as a Model Context Protocol
server over stdio, so an AI coding assistant can scan CI workflows as it
writes them — catching an injection sink or an unpinned action before the code
is ever committed. It wraps the same engine as the CLI and web app.
Register it
Point your assistant at thepipefort mcp command. For Claude Code:
Tools
| Tool | Arguments | Returns |
|---|---|---|
scan_workflow | content (required), filename, ruleset, persona, min_confidence | Findings for a single in-memory workflow file. Set filename to .gitlab-ci.yml to scan GitLab CI; defaults to GitHub Actions. |
scan_directory | path (required), ruleset, persona, min_confidence | Findings for a local directory’s .github/workflows/* and .gitlab-ci.yml, plus detected toxic combinations. |
explain_rule | rule_id (required) | The catalog entry (title, severity, confidence, description, docs URL) for a rule. |
ruleset,
persona, and min_confidence mirror the CLI flags: omit them for
the permissive defaults (all / regular / keep everything).
Example
An assistant editing a workflow can callscan_workflow with the buffer
contents and surface findings inline:
-o json:
each finding carries its rule_id, severity, confidence, file, line, and
recommendation.