How it works
On apull_request event (opened, synchronize, reopened) for a monitored
repo, Pipefort:
- Checks the PR’s changed files. If no workflow files changed, it posts a passing check (“No workflow changes”) and stops — unrelated PRs are never blocked.
- Scans the PR head (workflow YAML, the repo’s
.pipefort.yml, and the online supply-chain audits), applying your org’s rule settings. - Diffs against the repository’s latest default-branch scan by stable fingerprint to find new findings — ones this PR introduces.
- Posts the Check Run: its conclusion follows your gate policy,
and up to 50 findings become inline annotations (
HIGH→ failure,MEDIUM→ warning,LOW/INFO→ notice), most severe first.
Gate policy
Set the policy per organization under Settings → Pull request checks (admin only):- Fail the check on — the severity that fails the check:
High or above,Medium or above,Low or above, orNever fail (report only). - Gate on new findings only — when on (the default), only findings new versus the base branch can fail the check; pre-existing issues don’t block unrelated work. Turn it off to hold the whole PR head to the bar.
Making it a merge gate
The Check Run alone reports status; to block merges, make it required:- In the repo (or a ruleset), open Settings → Branches → Branch protection.
- Enable Require status checks to pass before merging.
- Add Pipefort to the required checks.
cicd-sec-1-bp-no-status-checks
rule nudges you toward requiring status checks in the first place.
Requirements
- The repository must be monitored.
- The GitHub App needs Checks: Write and Pull requests: Read, and its
webhook must be subscribed to Pull request events — see
GitHub App permissions. If the App lacks
Checks: Write, Pipefort degrades gracefully (it logs and posts nothing) until you re-authorize.