pipeline-check · v1.0.4

Catch supply-chain risks before they ship.

A read-only scanner for 19 providers, graded against 14 compliance frameworks. 111 of the 590+ checks also emit a one-shot patch you can apply with --fix.

MIT licensed · No telemetry · No API tokens · Python 3.10+

590+ checks · 19 providers · 14 compliance standards · 111 autofixers

// capabilities

One scanner. Every pipeline you ship through.

Same severity model and report format whether you're scanning a Jenkinsfile, a Terraform plan, or a live AWS account. Findings carry control IDs for OWASP, NIST SSDF, SLSA, and the rest, so audit answers don't require leaving the tool.

OWASP 10/10 coverage

Every one of the OWASP Top 10 CI/CD Security Risks has at least one rule across the supported providers. New risks land here before they land in your pipeline. Read OWASP coverage

Live AWS + shift-left IaC

Scan a running AWS account through boto3, or scan Terraform plans and CloudFormation templates before provisioning. Same rule IDs, same severities. AWS reference

CI gate that does its job

Severity thresholds, baseline diffs against a git ref, ignore files with expiries, glob check selection, autofix emit-or-apply. Failing the build is the default; turning it off is opt-in. CI gate
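An added worked example (not pipeline-check's own implementation) of how those gate inputs combine into one pass/fail decision: baseline fingerprints from a previous ref are treated as pre-existing, ignore entries only suppress until their expiry, and whatever remains at or above the threshold fails the build. The findings, DEMO-* check ids, baseline and ignore entries are all constructed.

```python
from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    check_id: str
    severity: str
    location: str  # file:line

    @property
    def fingerprint(self):
        # What a baseline diff compares: the same check at the same location.
        return f"{self.check_id}@{self.location}"


def gate(findings, fail_on="high", baseline=(), ignores=(), today=None):
    """Pass/fail decision: findings whose fingerprint is in `baseline` are
    pre-existing, findings covered by an unexpired ignore entry are suppressed,
    and any remaining finding at or above `fail_on` blocks the build.
    `ignores` holds (check_id, expiry ISO date or None); `today` is an ISO date."""
    today = date.fromisoformat(today) if today else date.today()
    active = {cid for cid, expiry in ignores
              if expiry is None or date.fromisoformat(expiry) >= today}
    new = [f for f in findings if f.fingerprint not in set(baseline)]
    effective = [f for f in new if f.check_id not in active]
    blocking = [f for f in effective
                if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[fail_on]]
    return {
        "exit_code": 1 if blocking else 0,
        "blocking": [f.fingerprint for f in blocking],
        "suppressed_by_baseline": len(findings) - len(new),
        "suppressed_by_ignore": len(new) - len(effective),
    }


# Constructed sample scan; DEMO-* are placeholder check ids, not the tool's own.
FINDINGS = [
    Finding("DEMO-001", "critical", "ci.yml:3"),   # already in the baseline
    Finding("DEMO-002", "high", "ci.yml:10"),      # ignored until 2099
    Finding("DEMO-003", "high", "Dockerfile:5"),   # ignore entry expired in 2020
    Finding("DEMO-004", "medium", "ci.yml:22"),    # below the default threshold
]
BASELINE = {"DEMO-001@ci.yml:3"}
IGNORES = [("DEMO-002", "2099-01-01"), ("DEMO-003", "2020-01-01")]
```

With the defaults only DEMO-003 blocks, because its ignore has lapsed; raising `fail_on` to `critical` lets the same scan pass.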

Attack-chain correlation

36 multi-finding chains mapped to MITRE ATT&CK, including the cross-provider XPC-NNN family that fires when GitHub Actions, Dockerfile, Helm, and OCI findings line up in one scan. The TAINT-NNN dataflow engine follows attacker-controllable input across step boundaries on five providers (GitHub Actions, GitLab CI, Buildkite, Tekton, Argo Workflows), each routed through that host's native channel: $GITHUB_OUTPUT, dotenv artifact, buildkite-agent meta-data, Tekton results, Argo outputs.parameters. Attack chains
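As an added illustration of the cross-step dataflow on GitHub Actions (example code written for this page, not pipeline-check's engine; the workflow and the source list are constructed), a minimal tracker that marks a step output written from an attacker-controllable expression and flags every later `run` script that interpolates it:

```python
import re

# Constructed sample workflow, written as the dict PyYAML would produce for the
# YAML file, so this example runs offline; it is not pipeline-check's own code.
WORKFLOW = {
    "jobs": {"triage": {"steps": [
        {"id": "title",
         "run": 'echo "t=${{ github.event.pull_request.title }}" >> "$GITHUB_OUTPUT"'},
        {"id": "label", "run": 'echo "Labelling: ${{ steps.title.outputs.t }}"'},
        {"id": "safe", "run": 'echo "SHA ${{ github.sha }}"'},
    ]}},
}

# Attacker-controllable expression sources (an illustrative subset).
SOURCE = re.compile(
    r"\$\{\{\s*(github\.event\.pull_request\.(?:title|body)"
    r"|github\.event\.issue\.title|github\.head_ref)\s*\}\}")
# Read side of the cross-step channel: ${{ steps.<id>.outputs.<name> }}.
STEP_REF = re.compile(r"\$\{\{\s*steps\.([\w-]+)\.outputs\.([\w-]+)\s*\}\}")
# Write side: echo "name=value" >> "$GITHUB_OUTPUT".
OUTPUT_WRITE = re.compile(r'echo\s+"?([\w-]+)=(.*?)"?\s*>>\s*"?\$GITHUB_OUTPUT"?')


def taint_of(text, tainted):
    """Label of the attacker-controllable input reaching `text`, or None."""
    m = SOURCE.search(text)
    if m:
        return m.group(1)
    for sid, name in STEP_REF.findall(text):
        if (sid, name) in tainted:
            return f"{tainted[(sid, name)]} via steps.{sid}.outputs.{name}"
    return None


def find_taint_flows(workflow):
    """Walk each job's steps in order and report every `run` script that
    interpolates tainted input, directly or through a tainted step output."""
    findings = []
    for job_name, job in workflow.get("jobs", {}).items():
        tainted = {}  # (step id, output name) -> how the taint got there
        for i, step in enumerate(job.get("steps", [])):
            sid, run = step.get("id", f"step{i}"), step.get("run", "")
            label = taint_of(run, tainted)
            if label:
                findings.append((job_name, sid, label))
            for name, value in OUTPUT_WRITE.findall(run):
                src = taint_of(value, tainted)
                if src:
                    tainted[(sid, name)] = src  # taint crosses the step boundary
    return findings
```

The `label` step never touches `github.event` itself; it is flagged only because the `title` step wrote the PR title into `$GITHUB_OUTPUT`, which is the hop a single-step scanner misses.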

Output that integrates

Rich terminal table for humans, JSON for scripts, HTML report (with a per-resource blast-radius heatmap and an attack-chains panel) for sharing, SARIF 2.1.0 for GitHub code scanning and Defender for DevOps, plus markdown for PR comments and JUnit XML for test-runner UIs. Output formats

Zero phone-home

Workflow files are parsed from disk. AWS uses the standard boto3 credential chain. Nothing leaves your machine. MIT licensed, no signup, no account. GitHub

// providers

Wherever your builds run.

Auto-detect picks the provider for you, or pass --pipeline <name> to force one. Counts reflect the current rule catalog.

// flow

Inputs in. Graded report out.

Hover any step for a quick description; click to jump to its reference page.

%%{init: {
  "theme": "base",
  "themeVariables": {
    "fontFamily": "Mona Sans, Inter, system-ui, -apple-system, sans-serif",
    "fontSize": "13px",
    "primaryColor": "#0e1f30",
    "primaryTextColor": "#e7eef5",
    "primaryBorderColor": "#1ba3a9",
    "lineColor": "#5a7b91",
    "secondaryColor": "#0e1f30",
    "tertiaryColor": "#0a1320",
    "tertiaryTextColor": "#e7eef5",
    "tertiaryBorderColor": "#1ba3a9",
    "edgeLabelBackground": "transparent"
  },
  "flowchart": {
    "curve": "basis",
    "padding": 16,
    "nodeSpacing": 50,
    "rankSpacing": 70,
    "useMaxWidth": true
  }
}}%%
flowchart LR
    A([Input]) -->|auto-detect| B[Adapter]
    B --> C[Rule engine]
    C --> D[Compliance map]
    D --> E[Scorer]
    E --> F1[Terminal]
    E --> F2[JSON]
    E --> F3[HTML report]
    E --> F4[SARIF 2.1.0]
    E --> G{{CI gate}}
    G -->|pass| H([Merge])
    G -->|fail| I([Block + report])

    click A "usage/" "Repo on disk or live AWS account: no API tokens, no SaaS"
    click B "providers/" "19 supported. Auto-detected from cwd; override with --pipeline NAME"
    click C "attack_chains/" "590+ checks emit findings with severity, location, fix"
    click D "standards/" "14 frameworks. OWASP, NIST SSDF, SLSA, CIS, …"
    click E "scoring_model/" "Severity-weighted 0–100 score, graded A / B / C / D"
    click F1 "output/#terminal" "Rich color table for humans"
    click F2 "output/#json" "Machine-parseable JSON for scripts"
    click F3 "output/#html" "HTML report with client-side filters"
    click F4 "output/#sarif" "SARIF 2.1.0 for GitHub code scanning, Defender for DevOps"
    click G "ci_gate/" "Severity caps, baseline diff, ignore file: pass/fail contract"
    click H "ci_gate/" "Severity below thresholds, exit 0"
    click I "ci_gate/" "Severity above threshold; non-zero exit + report (--fix patches the subset that has a fixer)"

    classDef src      fill:#0a1320,stroke:#1ba3a9,stroke-width:1px,color:#e7eef5,rx:14,ry:14;
    classDef step     fill:#0e1f30,stroke:#1ba3a9,stroke-width:1px,color:#e7eef5,rx:10,ry:10;
    classDef out      fill:#1ba3a9,stroke:#33c4ca,stroke-width:1px,color:#050a12,rx:10,ry:10;
    classDef gate     fill:#0a1320,stroke:#f4b942,stroke-width:1.5px,color:#f4b942;
    classDef pass     fill:#2a9d8f,stroke:#2a9d8f,stroke-width:1px,color:#ffffff,rx:14,ry:14;
    classDef fail     fill:#9d2755,stroke:#9d2755,stroke-width:1px,color:#ffffff,rx:14,ry:14;

    class A src;
    class B,C,D,E step;
    class F1,F2,F3,F4 out;
    class G gate;
    class H pass;
    class I fail;

    linkStyle default stroke:#5a7b91,stroke-width:1.4px,stroke-dasharray:0,fill:none;

// the patrol

Every commit walks the same rail.

[Illustration: the Pipeline-Check goose patrolling a CI/CD pipeline rail, pausing at the SCAN node to stamp a build DENIED]

Ship pipelines you trust.

Install in under 30 seconds. Scan your first repo in under a minute.

pip install pipeline-check