This page is for users of a Pipefort deployment. If you’re standing up your
own deployment and need to register the GitHub App itself, see
Create your GitHub App.
1. Sign in
Open your Pipefort dashboard and click Sign in with GitHub. Identity is established via GitHub OAuth. Pipefort receives only your username and avatar — no repo access yet.
2. Install the GitHub App
After signing in, the dashboard prompts you to Connect. This opens GitHub’s app-install flow for the Pipefort GitHub App. You choose:
- Account or organization. Install on your personal account, or on any org you have admin rights to.
- All repositories or a specific selection. Pipefort scans only the repos the App is installed on.
| Permission | Scope | Why |
|---|---|---|
| Metadata | Read-only | Mandatory for any GitHub App. |
| Contents | Read + Write | Read .github/workflows/*.yml to scan. Write is used only by the Open fix PR button to commit the fixed YAML to a new branch. |
| Workflows | Write | Also required by Open fix PR — GitHub blocks commits to .github/workflows/* unless the App holds this scope on top of Contents. |
| Pull requests | Write | Used only by Open fix PR to open (and reuse) the pull request. |
| Administration / Actions | Read + Write | Read branch-protection and Actions policy to scan; write is used only by the per-finding Auto-fix button for repository-configuration findings. |
Scanning is entirely read-only. The write scopes are used only when you click Auto-fix or Open fix PR on a finding — Pipefort never pushes commits, opens PRs, or changes settings on its own. Nothing lands on your default branch without a PR you merge. Prefer to grant nothing extra? Set the write rows to Read-only at install time; scanning still works and the fix buttons simply stay hidden. See GitHub App permissions for the full breakdown.
/connect/callback, which links the installation to your signed-in account. You’ll see the connected installation appear on the dashboard.
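An added example (not Pipefort's own code) that audits what an installation actually holds against the permission table above and reports whether it is scan-only. It assumes the table rows map to GitHub's permission keys `metadata`, `contents`, `workflows`, `pull_requests`, `administration` and `actions`; the sample installation objects are constructed.

```python
import json

# Ceiling documented in the permission table above. Mapping the table rows to
# GitHub's permission keys is an assumption of this example.
DOCUMENTED_MAX = {
    "metadata": "read",
    "contents": "write",
    "workflows": "write",
    "pull_requests": "write",
    "administration": "write",
    "actions": "write",
}
LEVEL = {"read": 1, "write": 2, "admin": 3}

def audit_installation(installation: dict) -> dict:
    """Compare one installation object with the documented permission table."""
    granted = installation.get("permissions", {})
    excess = sorted(
        name for name, level in granted.items()
        if LEVEL.get(level, 99) > LEVEL.get(DOCUMENTED_MAX.get(name, ""), 0)
    )
    write_scopes = sorted(
        name for name, level in granted.items()
        if name in DOCUMENTED_MAX and LEVEL.get(level, 99) >= LEVEL["write"]
    )
    return {
        "account": installation.get("account", {}).get("login"),
        "all_repositories": installation.get("repository_selection") == "all",
        "excess": excess,              # beyond what the table lists
        "write_scopes": write_scopes,  # only needed for Auto-fix / Open fix PR
        "scan_only": not write_scopes and not excess,
    }

# Constructed sample, shaped like entries of GitHub's installation list response.
SAMPLE = json.loads("""
[
  {"account": {"login": "example-org"}, "repository_selection": "all",
   "permissions": {"metadata": "read", "contents": "write", "workflows": "write",
                   "pull_requests": "write", "administration": "write",
                   "actions": "write", "secrets": "read"}},
  {"account": {"login": "example-user"}, "repository_selection": "selected",
   "permissions": {"metadata": "read", "contents": "read",
                   "administration": "read", "actions": "read"}}
]
""")

if __name__ == "__main__":
    for inst in SAMPLE:
        print(audit_installation(inst))
```

Any name listed under `excess` is a permission the table does not mention and is worth questioning before approving the install.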
3. Connect more accounts (optional)
Click Connect again to install the App on another account or org. Pipefort aggregates posture across every installation linked to your user.
Verify it works
Scan runs
Click Scan all on the dashboard. You should see live progress, the severity donut populate, and the trend chart fill in.
Revoking access
To remove Pipefort from a repo or organization, uninstall the GitHub App from GitHub itself:
- Personal account: https://github.com/settings/installations
- Organization: https://github.com/organizations/<org>/settings/installations