> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pipefort.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Introduction

> Pipefort scans GitHub Actions workflows for the OWASP Top 10 CI/CD security risks.

Pipefort is **two surfaces over one engine**. The same Go scanner (`pkg/scanner`) powers:

<CardGroup cols={2}>
  <Card title="CLI" icon="terminal" href="/cli/overview">
    `pipefort` — scan a local directory or a remote GitHub repo from the command line. Supports `--fix` for in-place YAML rewrites.
  </Card>

  <Card title="Web dashboard" icon="browser" href="/webapp/overview">
    Multi-tenant React + Go app backed by Supabase. Connect a GitHub account or org and get continuous OWASP posture across every repo's workflows.
  </Card>
</CardGroup>

## What it detects

Pipefort implements eight checks against `.github/workflows/*.yml`, covering five OWASP Top 10 CI/CD risk categories and three workflow best practices:

| Category                          | Title                                                | Severity |
| --------------------------------- | ---------------------------------------------------- | -------- |
| [CICD-SEC-1](/rules/cicd-sec-1)   | Dangerous checkout in `pull_request_target` workflow | HIGH     |
| [CICD-SEC-3](/rules/cicd-sec-3)   | Unpinned third-party action                          | MEDIUM   |
| [CICD-SEC-4](/rules/cicd-sec-4)   | Poisoned Pipeline Execution (shell injection)        | HIGH     |
| [CICD-SEC-5](/rules/cicd-sec-5)   | Missing permissions specification                    | MEDIUM   |
| [CICD-SEC-6](/rules/cicd-sec-6)   | Hardcoded credentials                                | HIGH     |
| [BEST-PRAC-1](/rules/best-prac-1) | Command piped directly to shell                      | HIGH     |
| [BEST-PRAC-2](/rules/best-prac-2) | Job timeout not configured                           | LOW      |
| [BEST-PRAC-3](/rules/best-prac-3) | Self-hosted runner usage                             | LOW      |

Filter to OWASP-only with `--ruleset owasp` (CLI) or the ruleset selector in the dashboard.

## How it works

The scanner parses each workflow's YAML AST and runs deterministic checks against it — no LLMs, no external services. Detection logic lives entirely in `pkg/scanner`, so the CLI and the web app always produce identical findings for the same file.

The web app pulls workflow YAML through the GitHub Git Trees/Blobs API and scans the bytes **in memory** (`scanner.ScanBytes`) — there's no `git clone`, so each per-repo scan fits well within a serverless request budget.
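The checks in the table above and the in-memory scanning described here, as an added illustration that is not Pipefort's own code: a stdlib-only Go program that runs simplified versions of four of the rules (CICD-SEC-1, -3, -4, -5) over raw workflow bytes and returns findings. It approximates the AST pass with indentation-aware line scanning (the real engine in `pkg/scanner` parses the YAML AST, and the `ScanBytes` name and `Finding` shape used here are assumptions, not the project's API); the two workflow samples and the commit SHA inside them are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding: rule id, severity, 1-based line (0 = whole file) and message (shape assumed, not Pipefort's).
type Finding struct {
	Rule, Severity string
	Line           int
	Message        string
}

var (
	// `uses: owner/repo@ref`; a ref counts as pinned only when it is a full 40-hex commit SHA.
	usesRe = regexp.MustCompile(`^\s*-?\s*uses:\s*([A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+)@(\S+)`)
	shaRe  = regexp.MustCompile(`^[0-9a-f]{40}$`)
	// pull_request_target as a mapping key, a scalar after `on:`, or an entry of a flow list.
	prTargetRe = regexp.MustCompile(`^\s*(on:\s*(\[([^\]]*[\s,])?)?|-\s*)?pull_request_target\b`)
	// `ref:` pointing a checkout at the PR head, i.e. the untrusted fork commit.
	refHeadRe = regexp.MustCompile(`^\s*ref:\s*.*github\.event\.pull_request\.head\.(sha|ref)`)
	runRe     = regexp.MustCompile(`^\s*-?\s*run:\s*(.*)$`)
	// Event fields an external contributor controls; inlining them into a script is shell injection.
	untrustedRe = regexp.MustCompile(`\$\{\{\s*github\.event\.(pull_request\.(title|body|head\.ref|head\.label)|issue\.(title|body)|comment\.body|head_commit\.message)`)
)

func indentOf(line string) int { return len(line) - len(strings.TrimLeft(line, " ")) }

// ScanBytes runs the simplified, deterministic checks over workflow YAML held in memory (no clone).
func ScanBytes(src []byte) []Finding {
	lines := strings.Split(string(src), "\n")
	var fs []Finding
	prTarget := false
	for _, l := range lines {
		if prTargetRe.MatchString(l) {
			prTarget = true
		}
	}
	topPerms := false
	runIndent, checkoutIndent := -1, -1 // indent of the enclosing `run: |` key / checkout step, or -1
	for i, l := range lines {
		n := i + 1
		t := strings.TrimSpace(l)
		if t == "" || strings.HasPrefix(t, "#") {
			continue
		}
		ind := indentOf(l)
		if runIndent >= 0 && ind <= runIndent { // dedent closes the block scalar
			runIndent = -1
		}
		if checkoutIndent >= 0 && ind <= checkoutIndent { // next step closes the checkout step
			checkoutIndent = -1
		}
		if strings.HasPrefix(l, "permissions:") { // column 0 = workflow-level permissions
			topPerms = true
		}
		if m := usesRe.FindStringSubmatch(l); m != nil {
			if !shaRe.MatchString(m[2]) {
				fs = append(fs, Finding{"CICD-SEC-3", "MEDIUM", n, fmt.Sprintf("%s@%s is not pinned to a commit SHA", m[1], m[2])})
			}
			if m[1] == "actions/checkout" {
				checkoutIndent = ind
			}
			continue
		}
		if checkoutIndent >= 0 && prTarget && refHeadRe.MatchString(l) {
			fs = append(fs, Finding{"CICD-SEC-1", "HIGH", n, "pull_request_target workflow checks out the PR head"})
		}
		if m := runRe.FindStringSubmatch(l); m != nil {
			script := strings.TrimSpace(m[1])
			if strings.HasPrefix(script, "|") || strings.HasPrefix(script, ">") {
				runIndent = ind // block scalar: the deeper lines that follow are the script body
			} else if untrustedRe.MatchString(script) {
				fs = append(fs, Finding{"CICD-SEC-4", "HIGH", n, "untrusted event data interpolated into run script"})
			}
			continue
		}
		if runIndent >= 0 && untrustedRe.MatchString(l) {
			fs = append(fs, Finding{"CICD-SEC-4", "HIGH", n, "untrusted event data interpolated into run script"})
		}
	}
	if !topPerms {
		fs = append(fs, Finding{"CICD-SEC-5", "MEDIUM", 0, "no workflow-level permissions block; GITHUB_TOKEN falls back to the repository default"})
	}
	return fs
}

// Constructed sample: a pull_request_target workflow with the classic mistakes (SHA below is made up).
const vulnerable = `name: pr-label
on:
  pull_request_target:
    types: [opened]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: greet
        run: |
          echo "Title: ${{ github.event.pull_request.title }}"
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567
`

// Same workflow hardened: pinned checkout of the base branch, explicit permissions,
// and the untrusted title passed through an env var instead of being inlined into the script.
const hardened = `name: pr-label
on:
  pull_request_target:
    types: [opened]
permissions:
  pull-requests: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - name: greet
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Title: $PR_TITLE"
`

func main() {
	for _, f := range ScanBytes([]byte(vulnerable)) {
		fmt.Printf("%-11s %-6s line %2d  %s\n", f.Rule, f.Severity, f.Line, f.Message)
	}
	fmt.Println("hardened findings:", len(ScanBytes([]byte(hardened))))
}
```

Because the checks are pure functions of the bytes, the same input always yields the same findings wherever the scan runs, which is the property that lets a CLI and a web app share one engine; the trade-off of the line-based approximation used here is that it misses constructs a real YAML parser handles (anchors, multi-line flow lists, job-level `permissions:`), which is why the production engine works on the AST instead.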

## Next steps

<CardGroup cols={2}>
  <Card title="Quickstart" icon="rocket" href="/quickstart">
    Run your first scan in 60 seconds.
  </Card>

  <Card title="Architecture" icon="diagram-project" href="/architecture">
    How the engine, the CLI, the API, and Supabase fit together.
  </Card>
</CardGroup>
