Pipefort talks to GitHub through two surfaces. You only interact with one of them — the GitHub App that grants repo read access. The login OAuth is invisible: click “Sign in with GitHub”, approve once, done.
This page is for users of a Pipefort deployment. If you’re standing up your own deployment and need to register the GitHub App itself, see Create your GitHub App.

1. Sign in

Open your Pipefort dashboard and click Sign in with GitHub. Identity is established via GitHub OAuth. Pipefort receives only your username and avatar — no repo access yet.

2. Install the GitHub App

After signing in, the dashboard prompts you to Connect. This opens GitHub’s app-install flow for the Pipefort GitHub App. You choose:
  • Account or organization. Install on your personal account, or on any org you have admin rights to.
  • All repositories or a specific selection. Pipefort scans only the repos the App is installed on.
The App requests these permissions:
| Permission | Scope | Why |
| --- | --- | --- |
| Metadata | Read-only | Mandatory for any GitHub App. |
| Contents | Read + Write | Read .github/workflows/*.yml to scan. Write is used only by the Open fix PR button to commit the fixed YAML to a new branch. |
| Workflows | Write | Also required by Open fix PR — GitHub blocks commits to .github/workflows/* unless the App holds this scope on top of Contents. |
| Pull requests | Write | Used only by Open fix PR to open (and reuse) the pull request. |
| Administration / Actions | Read + Write | Read branch-protection and Actions policy to scan; write is used only by the per-finding Auto-fix button for repository-configuration findings. |
Scanning is entirely read-only. The write scopes are used only when you click Auto-fix or Open fix PR on a finding — Pipefort never pushes commits, opens PRs, or changes settings on its own. Nothing lands on your default branch without a PR you merge. Prefer to grant nothing extra? Set the write rows to Read-only at install time; scanning still works and the fix buttons simply stay hidden. See GitHub App permissions for the full breakdown.
After you approve, GitHub redirects back to the dashboard’s /connect/callback, which links the installation to your signed-in account. You’ll see the connected installation appear on the dashboard.
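To confirm what an installation was actually granted, the following added example (not Pipefort's own code) audits installation objects, in the shape GitHub's REST API returns from its list-installations endpoints, against the permission table above. The mapping of table rows to API permission keys and the `pipefort-example` slug are assumptions of this example, and the sample JSON is constructed.

```python
import json

# Highest level the permission table above documents, keyed by GitHub API
# permission name. Mapping table rows to these keys is this example's assumption.
DOCUMENTED_MAX = {"metadata": "read", "contents": "write", "workflows": "write",
                  "pull_requests": "write", "administration": "write",
                  "actions": "write"}
RANK = {"read": 1, "write": 2, "admin": 3}

def audit_installation(inst):
    """Compare one installation's granted permissions with the documented set."""
    report = {"account": inst["account"]["login"],
              "all_repos": inst.get("repository_selection") == "all",
              "write": [], "undocumented": [], "excessive": []}
    for name, level in sorted(inst.get("permissions", {}).items()):
        if name not in DOCUMENTED_MAX:
            report["undocumented"].append(name)   # not in the table at all
        elif RANK.get(level, 99) > RANK[DOCUMENTED_MAX[name]]:
            report["excessive"].append(name)      # higher than the table lists
        if level != "read":
            report["write"].append(name)          # more than scanning needs
    report["scan_only"] = not report["write"]     # True for a read-only install
    return report

def audit(response_text, app_slug):
    """Audit every installation of app_slug found in an installations listing."""
    data = json.loads(response_text)
    return [audit_installation(i) for i in data["installations"]
            if i.get("app_slug") == app_slug]

# Constructed sample: installation objects as GitHub's REST API shapes them.
# "pipefort-example" is a placeholder slug, not the real App's.
SAMPLE = json.dumps({"installations": [
    {"app_slug": "pipefort-example", "account": {"login": "acme-prod"},
     "repository_selection": "all",
     "permissions": {"metadata": "read", "contents": "write", "workflows": "write",
                     "pull_requests": "write", "administration": "write",
                     "actions": "write", "secrets": "read"}},
    {"app_slug": "pipefort-example", "account": {"login": "acme-sandbox"},
     "repository_selection": "selected",
     "permissions": {"metadata": "read", "contents": "read",
                     "administration": "read", "actions": "read"}},
    {"app_slug": "other-app", "account": {"login": "acme-prod"},
     "repository_selection": "all", "permissions": {"contents": "write"}},
]})

if __name__ == "__main__":
    for report in audit(SAMPLE, "pipefort-example"):
        print(report)
```

An entry under `undocumented` or `excessive` means the installation holds something the table does not list, which is worth reviewing in the installation's settings on GitHub.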

3. Connect more accounts (optional)

Click Connect again to install the App on another account or org. Pipefort aggregates posture across every installation linked to your user.

Verify it works

1. Repos appear. The Repositories page lists every repo the App can read.
2. Scan runs. Click Scan all on the dashboard. You should see live progress, the severity donut populate, and the trend chart fill in.
3. Findings deep-link. Open a repo’s detail page. Each finding’s file:line link should jump to the exact location on GitHub’s default branch.

Revoking access

To remove Pipefort from a repo or organization, uninstall the GitHub App from GitHub itself. Uninstalling removes the App’s token immediately. Historical scan data in Pipefort persists until you delete it from the dashboard.