Providers
A provider binds a CI/CD platform to the scanner: it builds the API
context (credentials, clients) and declares which check modules run against
it. The scanner's core is provider-agnostic. Adding a new platform never
requires editing Scanner, Reporter, or the CLI.
CI/CD platforms
GitHub Actions
Scans every workflow under .github/workflows/. Action pinning, OIDC trust, secret hygiene, runner posture.
GitLab CI
Parses .gitlab-ci.yml with include: resolution. Image pinning, deploy gating, manual-job posture.
Bitbucket Pipelines
Parses bitbucket-pipelines.yml. Pipe pinning, deployment posture, custom-pipe risk.
Azure DevOps
Parses azure-pipelines.yml with template-resolution support.
Jenkins
Lexes Declarative + Scripted Jenkinsfiles. Credential exposure, agent pinning, sandbox bypass.
CircleCI
Parses .circleci/config.yml with orb-mapping support.
Google Cloud Build
Parses cloudbuild.yaml. Substitution injection, secret retrieval, signing posture.
Buildkite
Parses .buildkite/pipeline.yml. Plugin pinning, agent-tag injection, command-step posture, TLS bypass.
Drone CI
Parses .drone.yml / .drone.yaml. Image and plugin pinning, privileged steps, template-variable injection, literal secrets, TLS bypass.
Harness CI/CD
Parses Harness pipeline YAML (stages / steps / stepGroups). Image digest pinning, <+codebase.*> / <+trigger.*> expression injection, privileged steps, literal secrets, pipe-to-shell, TLS bypass, host-path mounts, agentic-CLI prompt injection + autoland, model-load RCE.
Tekton
Parses Task, Pipeline, and *Run CRDs. Step image pinning, parameter injection, workspace hygiene.
Argo Workflows
Parses Workflow and WorkflowTemplate CRDs. Image pinning, parameter injection, container template posture.
Gitea / Forgejo
Scans .gitea/workflows/ and .forgejo/workflows/. Reuses the full GitHub Actions rule pack (GHA-* IDs).
Cloud & infrastructure as code
AWS
Live account scan via boto3. CodeBuild, CodePipeline, CodeDeploy, ECR, IAM, S3, CloudTrail, Lambda, KMS, and more.
Azure Cloud
Live subscription scan via the azure-mgmt-* management SDKs. Entra ID, Storage, Key Vault, Container Registry, Monitor.
GCP
Live project scan via the google-cloud-* client libraries. IAM, Cloud Storage, Cloud KMS, Artifact Registry, Cloud Logging.
Terraform
Shift-left scan against a terraform show -json plan or raw *.tf source. AWS-rule parity so findings match the live runtime.
CloudFormation
Parses YAML or JSON templates with intrinsic-function resolution (!Ref, !Sub, !GetAtt).
Pulumi
Parses Pulumi.yaml + Pulumi.<stack>.yaml plus source files (Python / TypeScript / Go / C#). Secrets-provider posture, plaintext credentials, wildcard IAM policies, insecure state backend, unguarded StackReference.
Containers & deployment
Dockerfile
Parses Dockerfile / Containerfile. Image pinning, USER hygiene, secret-in-env, RUN posture.
Modelfile
Parses Ollama Modelfiles. Unpinned and HuggingFace base-model refs, local weight blobs, remote adapters, and custom-code model configs.
Kubernetes
Parses manifest YAML (Deployment, Pod, Job, …). securityContext, hostPath, RBAC blast radius, Secret hygiene.
Helm
Renders charts via helm template and runs the full K8S-* rule pack on the result, plus a chart-supply-chain pack (HELM-001..010: legacy schema, unlocked dependencies, plaintext repos) that reads Chart.yaml straight off disk.
Argo CD
Parses Application, ApplicationSet, and AppProject CRDs plus argocd-cm / argocd-rbac-cm ConfigMaps. Source repos, destinations, RBAC, auto-sync, PR generators.
OCI image manifest
Parses docker buildx imagetools inspect --raw JSON. Provenance annotations, build attestations (SLSA / SBOM), image.created timestamp.
Developer environment
Scans committed developer-environment config (.vscode/, .devcontainer/, .claude/) for checkout-time auto-exec, fetch-and-run hooks, MCP command servers, and literal secrets.
SCM posture
GitHub
Full repo-governance pack via REST API. Branch protection, rulesets, security features, environments, deploy keys, webhooks, outside collaborators, Actions permissions.
GitLab
Seven universal rules via REST API: branch protection, required reviews, signed commits, force-push, status checks, branch deletion, CODEOWNERS.
Bitbucket Cloud
Seven universal rules via REST API: branch restrictions, required approvals, force-push, passing builds, branch deletion, CODEOWNERS.
GitHub org governance
Org-wide controls via REST API: 2FA requirement, default member permission, Actions allow-list + workflow-token defaults, org secret scope, runner-group exposure, webhooks, rulesets. Fans the per-repo pack out across a whole org with --scm-org.
Actions run history
Audits recent GitHub Actions runs via API (--audit-runs): pull_request_target runs, secret-shaped log strings, OIDC minted in fork runs, fork code on self-hosted runners, compromised / unpinned actions that actually executed.
GitLab pipeline run history
Audits recent GitLab pipeline runs via API (--audit-runs-logs): MR and fork-MR pipelines, secrets in job traces, OIDC minted in fork pipelines, fork code on self-managed runners.
Package registries
npm / PyPI / Maven / NuGet
Static parse of package.json, requirements*.txt, pom.xml, and *.csproj. Floating versions, missing integrity hashes, plaintext-HTTP indexes, lifecycle scripts, dependency-confusion source mapping, and curated known-compromised version registries. Live OSV advisory lookup behind --resolve-remote.
Go modules
Parses go.mod and probes for go.sum. Replace-directive misuse (local-path, cross-module), +incompatible requires, integrity-manifest presence, missing toolchain directive, and a curated known-compromised module registry.
Cargo (Rust)
Parses Cargo.toml via the TOML stdlib parser. Floating version specs, git deps without rev, missing Cargo.lock, path dependencies, alternate-registry sources, and a curated known-compromised crate registry.
Composer (PHP)
Parses composer.json / composer.lock. Floating constraints, missing lock, plaintext-HTTP repositories, dependency-confusion sourcing, and a curated known-compromised package registry.
RubyGems (Ruby)
Parses Gemfile / Gemfile.lock. Floating version specs, git / path sources, missing lock, insecure gem sources, and a curated known-compromised gem registry.
Adding a new provider
- Create pipeline_check/core/providers/<name>.py subclassing BaseProvider.
- Set NAME, implement build_context(**kwargs) and check_classes.
- Register it in pipeline_check/core/providers/__init__.py.
- Add check modules under pipeline_check/core/checks/<name>/ and tests under tests/<name>/.
- (Optional) Add compliance mappings for the new check IDs in pipeline_check/core/standards/data/*.py.
The Scanner, --pipeline CLI flag, and provider registry pick it up
automatically.
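As an added illustration of the steps above (not code from the pipeline_check project): a self-contained sketch of the provider pattern. BaseProvider, BaseCheck, Finding and the PROVIDERS registry here are hypothetical stand-ins that follow only the names the page gives (NAME, build_context(**kwargs), check_classes); the real base classes and registry in pipeline_check/core/ may differ. The provider is for a made-up platform, "ExampleCI", whose config is passed in already parsed as a dict (a constructed sample, standing in for the YAML a real provider would read from disk), and it declares two hypothetical checks (IDs EXCI-001/002): one flags container images not pinned to a digest, the other flags plaintext-HTTP download URLs in step commands. The provider-agnostic scan() shows why the core never needs editing when a provider is added.

```python
"""Hypothetical provider sketch; not the pipeline_check project's own code.

BaseProvider, BaseCheck, Finding and PROVIDERS are stand-ins that mirror only
the names the docs mention (NAME, build_context(**kwargs), check_classes).
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Finding:
    check_id: str
    severity: str
    message: str


class BaseCheck:
    """Stand-in check base class: run(context) -> list[Finding]."""
    ID = ""

    def run(self, context):
        raise NotImplementedError


class BaseProvider:
    """Stand-in provider base class; subclasses set NAME and implement the two hooks."""
    NAME = ""

    def build_context(self, **kwargs):
        raise NotImplementedError

    @property
    def check_classes(self):
        raise NotImplementedError


class UnpinnedImageCheck(BaseCheck):
    """Flags step images that carry no @sha256: digest (hypothetical ID)."""
    ID = "EXCI-001"

    def run(self, context):
        return [Finding(self.ID, "MEDIUM", f"step '{s['name']}' uses unpinned image {s['image']}")
                for s in context["steps"] if s["image"] and "@sha256:" not in s["image"]]


class PlaintextUrlCheck(BaseCheck):
    """Flags http:// URLs in step commands (hypothetical ID)."""
    ID = "EXCI-002"
    _HTTP = re.compile(r"\bhttp://\S+")

    def run(self, context):
        return [Finding(self.ID, "HIGH", f"step '{s['name']}' fetches over plaintext HTTP: {url}")
                for s in context["steps"] for cmd in s["commands"] for url in self._HTTP.findall(cmd)]


class ExampleCIProvider(BaseProvider):
    """Provider for the made-up ExampleCI platform."""
    NAME = "exampleci"

    def build_context(self, **kwargs):
        # A real provider would read and parse a pipeline file here; this one
        # normalises an already-parsed config dict (kwargs["config"]) into the
        # shape its checks expect.
        config = kwargs["config"]
        return {"steps": [{"name": s.get("name", f"step-{i}"), "image": s.get("image"),
                           "commands": s.get("run", [])}
                          for i, s in enumerate(config.get("steps", []))]}

    @property
    def check_classes(self):
        return [UnpinnedImageCheck, PlaintextUrlCheck]


PROVIDERS = {}  # stand-in for the provider registry in providers/__init__.py


def register(provider_cls):
    PROVIDERS[provider_cls.NAME] = provider_cls
    return provider_cls


register(ExampleCIProvider)


def scan(provider_name, **kwargs):
    """Provider-agnostic core: look up the provider, build its context, run its checks."""
    provider = PROVIDERS[provider_name]()
    context = provider.build_context(**kwargs)
    findings = []
    for check_cls in provider.check_classes:
        findings.extend(check_cls().run(context))
    return findings


SAMPLE_CONFIG = {  # constructed sample config, not a real pipeline
    "steps": [
        {"name": "build", "image": "python:3.12", "run": ["pip install -r requirements.txt"]},
        {"name": "fetch", "image": "alpine@sha256:" + "0" * 64,
         "run": ["wget http://example.invalid/tool.tar.gz"]},
    ],
}

if __name__ == "__main__":
    for f in scan("exampleci", config=SAMPLE_CONFIG):
        print(f.check_id, f.severity, f.message)
```

Running the module prints two findings: EXCI-001 for the unpinned "build" image and EXCI-002 for the plaintext download in "fetch". Registering a second provider class with register() makes it scannable through the same scan() call with no change to the core.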