Skip to main content
Pipefort runs deterministic checks per scan across three surfaces:
  • 23 GitHub Actions workflow checks parse .github/workflows/*.yml.
  • 17 GitHub repository-configuration checks call the GitHub API for branch protection, default workflow permissions, secret scanning, and Dependabot.
  • 10 GitLab CI workflow checks parse .gitlab-ci.yml and .gitlab-ci/**/*.yml.
Workflow checks cover all ten OWASP CI/CD Top 10 categories (CICD-SEC-1 through CICD-SEC-10) on both platforms.

GitLab CI workflow checks

The GitLab rule IDs are parallel to the GitHub ones — same OWASP category, different IDs (e.g. cicd-sec-1-gl-mr-target for the merge-request-target analog of cicd-sec-1-ppe-checkout). Findings tagged -gl- only fire on .gitlab-ci.yml / .gitlab-ci/*.yml. The two structural rules best-prac-1-pipe-to-shell and cicd-sec-9-download-without-checksum share their ID across both platforms.
CategoryGitLab rule IDSeverityAuto-fix
CICD-SEC-1cicd-sec-1-gl-mr-targetHIGH
CICD-SEC-2cicd-sec-2-gl-pat-secretMEDIUM
CICD-SEC-3cicd-sec-3-gl-unpinned-includeMEDIUM
CICD-SEC-4cicd-sec-4-gl-shell-injectionHIGH
CICD-SEC-6cicd-sec-6-gl-hardcoded-secretsHIGH
CICD-SEC-7cicd-sec-7-gl-debug-traceHIGH
CICD-SEC-8cicd-sec-8-gl-trigger-unfilteredMEDIUM
CICD-SEC-10cicd-sec-10-gl-allow-failureLOW
BEST-PRAC-2best-prac-2-gl-missing-timeoutLOW
BEST-PRAC-3best-prac-3-gl-self-hosted-tagsLOW

v1 limitations

  • include: graph traversal is not performed — the scanner inspects only the literal .gitlab-ci.yml and .gitlab-ci/*.yml contents, not files referenced from another project or URL.
  • Project-side settings (Protected Branches, Push rules, Secret Detection) are not audited yet. The GitHub equivalent of these audits is shipped; GitLab project settings are on the roadmap.
Rules carry framework tags so they can be filtered by the standard they serve: OWASP Top 10 CI/CD Security Risks and the SLSA v1.2 specification (Build and Source tracks). A single rule can belong to multiple frameworks.

Workflow file checks

CategoryTitleSeverityAuto-fix
CICD-SEC-1Dangerous checkout in pull_request_target / workflow_runHIGH
CICD-SEC-1workflow_run downloads artifacts from the triggering runHIGH
CICD-SEC-1Checkout persists credentials under a privileged triggerMEDIUM
CICD-SEC-2Long-lived personal access tokenMEDIUM
CICD-SEC-3Unpinned third-party actionMEDIUM
CICD-SEC-4Poisoned Pipeline Execution (shell injection)HIGH
CICD-SEC-4Reusable workflow called with secrets: inherit under a privileged triggerHIGH
CICD-SEC-5Missing permissions specificationMEDIUM
CICD-SEC-6Hardcoded credentialsHIGH
CICD-SEC-6Secret printed to logs or written to step outputHIGH
CICD-SEC-7Actions debug logging enabled in workflowHIGH
CICD-SEC-8repository_dispatch trigger without types: allowlistMEDIUM
CICD-SEC-9Downloaded artifact has no integrity checkMEDIUM
CICD-SEC-10Job-level continue-on-error suppresses failure visibilityLOW
BEST-PRAC-1Command piped directly to shellHIGH
BEST-PRAC-2Job timeout not configuredLOW
BEST-PRAC-3Self-hosted runner usageLOW
SLSA-BUILD-L2Build provenance is not generatedHIGH
SLSA-BUILD-L2Provenance/signing step missing id-token: writeMEDIUM
SLSA-BUILD-L2Permissions block overly broadHIGHpartial
SLSA-BUILD-L2Workflow consumes artifacts without verifying provenanceINFO
SLSA-BUILD-L3Provenance generated in-job (not isolated)MEDIUM
SLSA-BUILD-L3Cache key in pull_request_target from PR-controlled inputHIGH

Repository configuration checks

These read GitHub-side settings and surface under a “Repository configuration” group in the UI (CLI: <repository settings> file label). They need the expanded GitHub App permissions described in GitHub App permissions; the CLI needs --github-token (or $GITHUB_TOKEN, or gh auth token).

Branch protection (CICD-SEC-1)

RuleTitleSeverityAuto-fix
BP-MISSINGDefault branch has no branch protection ruleHIGH
BP-FORCE-PUSHDefault branch allows force pushesHIGH
BP-DELETIONDefault branch can be deletedHIGH
BP-NO-REVIEWDefault branch does not require pull request reviewsHIGH
BP-FEW-REVIEWERSDefault branch requires fewer than 2 approving reviewsMEDIUM
BP-STALE-REVIEWSDefault branch does not dismiss stale reviews on new commitsMEDIUM
BP-NO-STATUS-CHECKSDefault branch does not require status checks to passMEDIUM
BP-ADMIN-BYPASSAdmins can bypass branch protectionHIGH
BP-NO-CODEOWNERS-REVIEWCODEOWNERS exists but their review is not requiredLOW
BP-NO-SIGNED-COMMITSDefault branch does not require signed commitsLOW

Actions runtime (CICD-SEC-4, CICD-SEC-5)

RuleTitleSeverityAuto-fix
WPERM-WRITEDefault GITHUB_TOKEN permissions are read-writeHIGH
WPERM-PR-APPROVEGitHub Actions can approve pull requestsHIGH
ACTIONS-ALL-ALLOWEDAll GitHub Actions and reusable workflows are allowedMEDIUM

Dependency hygiene (CICD-SEC-3)

RuleTitleSeverityAuto-fix
DEPENDABOT-ALERTS-OFFDependabot alerts are disabledMEDIUM
DEPENDABOT-FIXES-OFFDependabot security updates are disabledLOW

Credential hygiene (CICD-SEC-6)

RuleTitleSeverityAuto-fix
SECRET-SCANNING-OFFSecret scanning is disabledMEDIUM
SECRET-PUSH-PROTECTION-OFFSecret-scanning push protection is disabledHIGH
Auto-fix on repo-settings rules is powered by the CLI’s --fix-settings flag and the web app’s per-finding Fix button — see Auto-fix.

Rulesets

The CLI’s --ruleset flag (and the web app’s ruleset selector) controls which checks contribute to the final list. Filtering is by framework membership, not by category prefix — see SLSA framework overview for a rule-by-rule mapping.
  • all (default) — every check listed above.
  • owasp — every rule tagged with the OWASP framework.
  • slsa — every rule tagged with any SLSA v1.2 framework (Build or Source).
  • slsa-build-l1 / slsa-build-l2 / slsa-build-l3 — rules for that specific Build level (and only that level — to find every rule a repo needs to satisfy L3, run with slsa and look at the heatmap).
  • slsa-source-l2 / slsa-source-l3 / slsa-source-l4 — rules for that specific Source level. (L1 is “Version Controlled” — trivially satisfied for any GitHub repo.)

Enabling and disabling individual rules

The web app lets you toggle any individual rule on or off without changing the ruleset — per user, with optional per-repository overrides. See Rule settings for the model and the UI. The CLI’s filtering is limited to the coarser --ruleset choice above; multi-tenant preferences depend on the database and are web-only.

How the checks run

Each workflow check is a function that takes the parsed workflow YAML AST and returns a list of findings. The CLI and the web app both invoke the same ScanBytes(name, content) entrypoint. Repository-configuration checks are a separate pass: the API client first fetches the relevant GitHub settings (FetchRepositorySettings) and then runs ScanRepositorySettings(context) to produce findings. These findings carry a synthetic file path (<repository settings>) and a zero line/column so consumers can render them apart from per-file findings. See Auto-fix for which workflow categories the CLI’s --fix flag rewrites. Repository-configuration findings have no auto-fix — they’re flagged for manual remediation via GitHub’s UI.