# Pipefort

> Scan GitHub Actions workflows for the OWASP Top 10 CI/CD risks — via CLI or a multi-tenant web dashboard.

## Docs

- [Architecture](https://docs.pipefort.com/architecture.md): One scan engine, two callers, two independent auth concerns.
- [Auto-fix](https://docs.pipefort.com/cli/auto-fix.md): What --fix can safely rewrite, and what it intentionally won't touch.
- [CI integration](https://docs.pipefort.com/cli/ci-integration.md): Use pipefort as a self-scanning step in GitHub Actions.
- [Flags](https://docs.pipefort.com/cli/flags.md): Every CLI flag, its default, and what it does.
- [GitLab CLI usage](https://docs.pipefort.com/cli/gitlab.md): Scan GitLab projects and open Merge Requests from pipefort.
- [Installation](https://docs.pipefort.com/cli/installation.md): Install the pipefort binary.
- [Overview](https://docs.pipefort.com/cli/overview.md): pipefort is a single Go binary that scans GitHub Actions workflows for CI/CD risks.
- [Usage](https://docs.pipefort.com/cli/usage.md): Scan local directories, single files, or remote GitHub repos.
- [Attacker Mind & toxic combinations](https://docs.pipefort.com/concepts/attacker-mind.md): How Pipefort correlates individual findings into higher-impact attack chains.
- [Introduction](https://docs.pipefort.com/introduction.md): Pipefort scans GitHub Actions workflows for the OWASP Top 10 CI/CD security risks.
- [Quickstart](https://docs.pipefort.com/quickstart.md): Run your first scan from the CLI, then connect a GitHub account to the web dashboard.
- [BEST-PRAC-1 — Command piped directly to shell](https://docs.pipefort.com/rules/best-prac-1.md): curl | sh and wget | bash patterns are vulnerable to MITM and supply-chain compromise.
- [BEST-PRAC-2 — Job timeout not configured](https://docs.pipefort.com/rules/best-prac-2.md): Without timeout-minutes, GitHub Actions jobs can run for up to 6 hours.
- [BEST-PRAC-3 — Self-hosted runner usage](https://docs.pipefort.com/rules/best-prac-3.md): Self-hosted runners executing untrusted code can pivot into your internal infrastructure.
- [CICD-SEC-1 — Dangerous pull_request_target checkout](https://docs.pipefort.com/rules/cicd-sec-1.md): Checking out untrusted PR head code in a pull_request_target workflow exposes repository secrets.
- [CICD-SEC-1 — Admins can bypass branch protection](https://docs.pipefort.com/rules/cicd-sec-1-bp-admin-bypass.md): Branch protection is not enforced for administrators. Any admin (or compromised admin token) can push directly.
- [CICD-SEC-1 — Default branch can be deleted](https://docs.pipefort.com/rules/cicd-sec-1-bp-deletion.md): Branch protection permits deletion of the default branch.
- [CICD-SEC-1 — Default branch requires fewer than 2 approving reviews](https://docs.pipefort.com/rules/cicd-sec-1-bp-few-reviewers.md): One approval is enough to merge. A single compromised or coerced reviewer defeats the gate.
- [CICD-SEC-1 — Default branch allows force pushes](https://docs.pipefort.com/rules/cicd-sec-1-bp-force-push.md): Branch protection exists but force-pushes are still permitted — history can be rewritten.
- [CICD-SEC-1 — Default branch has no branch protection rule](https://docs.pipefort.com/rules/cicd-sec-1-bp-missing.md): The default branch is unprotected. Anyone with write access can push directly, force-push history, or delete it.
- [CICD-SEC-1 — CODEOWNERS exists but their review is not required](https://docs.pipefort.com/rules/cicd-sec-1-bp-no-codeowners-review.md): A CODEOWNERS file is defined but branch protection treats it as advisory only.
- [CICD-SEC-1 — Default branch does not require pull request reviews](https://docs.pipefort.com/rules/cicd-sec-1-bp-no-review.md): Branch protection is on, but reviews aren't required. Direct pushes still merge without approval.
- [CICD-SEC-1 — Default branch does not require signed commits](https://docs.pipefort.com/rules/cicd-sec-1-bp-no-signed-commits.md): Commits on the default branch are not required to be GPG/SSH-signed.
- [CICD-SEC-1 — Default branch does not require status checks to pass](https://docs.pipefort.com/rules/cicd-sec-1-bp-no-status-checks.md): No CI gate is enforced. Broken builds, failing tests, or unfinished security scans can land on main.
- [CICD-SEC-1 — Default branch does not dismiss stale reviews on new commits](https://docs.pipefort.com/rules/cicd-sec-1-bp-stale-reviews.md): Approvals survive new pushes. An attacker can land a clean review then sneak commits in before merge.
- [CICD-SEC-1 — Checkout persists credentials under a privileged trigger](https://docs.pipefort.com/rules/cicd-sec-1-checkout-persist-credentials.md): actions/checkout under pull_request_target / workflow_run without persist-credentials: false leaves the job token in .git/config.
- [CICD-SEC-1 — workflow_run downloads artifacts from the triggering run](https://docs.pipefort.com/rules/cicd-sec-1-workflow-run-artifact-poisoning.md): A workflow_run workflow downloads and trusts artifacts produced by the untrusted run that triggered it.
- [CICD-SEC-10 — Job-level continue-on-error suppresses failure visibility](https://docs.pipefort.com/rules/cicd-sec-10.md): A job declaring continue-on-error: true reports success even when its steps fail, hiding failures from required-check gates and audit dashboards.
- [CICD-SEC-2 — Long-lived personal access token in workflow](https://docs.pipefort.com/rules/cicd-sec-2.md): Workflows authenticating with a PAT secret instead of GITHUB_TOKEN or OIDC use static, long-lived identities.
- [CICD-SEC-3 — Unpinned third-party action](https://docs.pipefort.com/rules/cicd-sec-3.md): Tag and branch references are mutable. Pin third-party actions to a full commit SHA.
- [CICD-SEC-3 — Dependabot alerts are disabled](https://docs.pipefort.com/rules/cicd-sec-3-dependabot-alerts-off.md): Known-vulnerable dependencies will not be surfaced.
- [CICD-SEC-3 — Dependabot security updates are disabled](https://docs.pipefort.com/rules/cicd-sec-3-dependabot-fixes-off.md): Vulnerable dependencies don't get an automatic fix PR. Humans have to write each bump by hand.
- [CICD-SEC-4 — Poisoned Pipeline Execution (shell injection)](https://docs.pipefort.com/rules/cicd-sec-4.md): Interpolating untrusted github.event data into an inline run script lets attackers execute arbitrary code.
- [CICD-SEC-4 — Reusable workflow called with secrets: inherit under a privileged trigger](https://docs.pipefort.com/rules/cicd-sec-4-secrets-inherit-pr-target.md): A pull_request_target / workflow_run job calls a reusable workflow with secrets: inherit, handing it every repository secret.
- [CICD-SEC-4 — GitHub Actions can approve pull requests](https://docs.pipefort.com/rules/cicd-sec-4-wperm-pr-approve.md): Actions are allowed to submit approving reviews — an attacker who controls a workflow can self-approve a malicious PR.
- [CICD-SEC-4 — Default GITHUB_TOKEN permissions are read-write](https://docs.pipefort.com/rules/cicd-sec-4-wperm-write.md): Every workflow without an explicit `permissions:` block gets a write-capable token. Massively widens PPE blast radius.
- [CICD-SEC-5 — Missing permissions specification](https://docs.pipefort.com/rules/cicd-sec-5.md): Workflows without explicit permissions inherit the repo's default GITHUB_TOKEN scope, which is often broader than needed.
- [CICD-SEC-5 — All GitHub Actions and reusable workflows are allowed](https://docs.pipefort.com/rules/cicd-sec-5-actions-all-allowed.md): No allowlist on third-party actions. Maximises supply-chain blast radius.
- [CICD-SEC-6 — Hardcoded credentials](https://docs.pipefort.com/rules/cicd-sec-6.md): Tokens and secrets embedded in workflow files end up in git history and audit logs.
- [CICD-SEC-6 — Secret printed to logs or written to step output](https://docs.pipefort.com/rules/cicd-sec-6-secret-in-run-output.md): An inline script echoes a ${{ secrets.* }} value or writes it to $GITHUB_OUTPUT/$GITHUB_ENV, defeating log masking.
- [CICD-SEC-6 — Secret-scanning push protection is disabled](https://docs.pipefort.com/rules/cicd-sec-6-secret-push-protection-off.md): Commits containing a detected secret are not blocked at push time. Leaked credentials live in history until rotated.
- [CICD-SEC-6 — Secret scanning is disabled](https://docs.pipefort.com/rules/cicd-sec-6-secret-scanning-off.md): Leaked credentials in commits and pull requests will not be detected.
- [CICD-SEC-7 — Actions debug logging enabled in workflow](https://docs.pipefort.com/rules/cicd-sec-7.md): ACTIONS_STEP_DEBUG / ACTIONS_RUNNER_DEBUG in env emit verbose logs that can leak secret values.
- [CICD-SEC-8 — repository_dispatch trigger without event-type allowlist](https://docs.pipefort.com/rules/cicd-sec-8.md): Unfiltered repository_dispatch lets any holder of a repo-scoped token trigger arbitrary workflow runs.
- [CICD-SEC-9 — Downloaded artifact has no integrity check](https://docs.pipefort.com/rules/cicd-sec-9.md): curl/wget downloads of binaries or archives without a paired checksum, signature, or attestation verification.
- [Rules overview](https://docs.pipefort.com/rules/overview.md): Fifty checks across CI/CD platforms: GitHub Actions workflows, GitHub repository configuration, and GitLab CI.
- [SLSA-BUILD-L2 — Provenance/signing step is missing id-token: write](https://docs.pipefort.com/rules/slsa-build-l2-oidc-token-scope.md): Keyless signing tooling (attest/cosign/slsa-generator) needs the OIDC token permission.
- [SLSA-BUILD-L2 — Permissions block grants overly broad scopes](https://docs.pipefort.com/rules/slsa-build-l2-perms-overly-broad.md): An explicit permissions block that grants write-all defeats least privilege.
- [SLSA-BUILD-L2 — Build provenance is not generated](https://docs.pipefort.com/rules/slsa-build-l2-provenance.md): Workflows that publish release-shaped artifacts must generate a SLSA Build provenance attestation.
- [SLSA-BUILD-L2 — Workflow consumes artifacts but does not verify provenance](https://docs.pipefort.com/rules/slsa-build-l2-verify-step.md): Consumers should verify provenance before using downloaded artifacts or pulled images.
- [SLSA-BUILD-L3 — Cache key in pull_request_target derived from PR input](https://docs.pipefort.com/rules/slsa-build-l3-cache-poisoning.md): An attacker can poison the cache for the base branch when keys come from PR-controlled context.
- [SLSA-BUILD-L3 — Provenance is generated in-job, not isolated](https://docs.pipefort.com/rules/slsa-build-l3-provenance-isolated.md): In-job attestation steps satisfy SLSA Build L2 but not L3 — L3 requires the trusted reusable workflow.
- [SLSA framework overview](https://docs.pipefort.com/rules/slsa-overview.md): Pipefort's SLSA v1.2 Build- and Source-track coverage, control by control.
- [API reference](https://docs.pipefort.com/webapp/api-reference.md): The Go HTTP endpoints under /api/*.
- [Attacker Mind dashboard](https://docs.pipefort.com/webapp/attacker-mind.md): Cross-repository view of toxic combinations with interactive attack chains.
- [Connect GitLab](https://docs.pipefort.com/webapp/connect-gitlab.md): Authorize Pipefort to read your GitLab projects and open MRs via OAuth.
- [Create your GitHub App](https://docs.pipefort.com/webapp/create-github-app.md): Register a public, publishable GitHub App for your Pipefort deployment.
- [GitHub setup](https://docs.pipefort.com/webapp/github-setup.md): Connect Pipefort to a GitHub account or organization.
- [Overview](https://docs.pipefort.com/webapp/overview.md): A multi-tenant React + Go dashboard for continuous OWASP CI/CD posture.
- [Rule settings](https://docs.pipefort.com/webapp/rule-settings.md): Disable rules you don't care about — globally for your account, or per repository.
- [Self-hosted GitLab](https://docs.pipefort.com/webapp/self-hosted-gitlab.md): Connect Pipefort to a self-hosted GitLab instance instead of gitlab.com.
- [SLSA dashboard](https://docs.pipefort.com/webapp/slsa.md): Per-repository SLSA v1.2 Build- and Source-track attainment with control heatmaps.

## OpenAPI Specs

- [openapi](https://docs.pipefort.com/api-reference/openapi.json)