
Providers

A provider binds a CI/CD platform to the scanner: it builds the API context (credentials, clients) and declares which check modules run against it. The scanner's core is provider-agnostic, so adding a new platform never requires editing Scanner, Reporter, or the CLI.

AWS

Live account scan via boto3. CodeBuild, CodePipeline, CodeDeploy, ECR, IAM, S3, CloudTrail, Lambda, KMS, and more.

Terraform

Shift-left scan against a parsed terraform show -json plan. AWS-rule parity so findings match the live runtime.

CloudFormation

Parses YAML or JSON templates with intrinsic-function resolution (!Ref, !Sub, !GetAtt).

GitHub Actions

Scans every workflow under .github/workflows/. Action pinning, OIDC trust, secret hygiene, runner posture.

GitLab CI

Parses .gitlab-ci.yml with include: resolution. Image pinning, deploy gating, manual-job posture.

Bitbucket Pipelines

Parses bitbucket-pipelines.yml. Pipe pinning, deployment posture, custom-pipe risk.

Azure DevOps

Parses azure-pipelines.yml with template-resolution support.

Jenkins

Lexes Declarative + Scripted Jenkinsfiles. Credential exposure, agent pinning, sandbox bypass.

CircleCI

Parses .circleci/config.yml with orb-mapping support.

Google Cloud Build

Parses cloudbuild.yaml. Substitution injection, secret retrieval, signing posture.

Buildkite

Parses .buildkite/pipeline.yml. Plugin pinning, agent-tag injection, command-step posture, TLS bypass.

Drone CI

Parses .drone.yml / .drone.yaml. Image / plugin pinning, privileged steps, Drone-template-variable injection, literal secrets, TLS bypass.

Tekton

Parses Task, Pipeline, and *Run CRDs. Step image pinning, parameter injection, workspace hygiene.

Argo Workflows

Parses Workflow and WorkflowTemplate CRDs. Image pinning, parameter injection, container template posture.

Dockerfile

Parses Dockerfile / Containerfile. Image pinning, USER hygiene, secret-in-env, RUN posture.

Kubernetes

Parses manifest YAML (Deployment, Pod, Job, …). securityContext, hostPath, RBAC blast radius, Secret hygiene.

Helm

Renders charts via helm template and runs the K8S-* rule pack on the result. Catches the bulk of real workloads, which ship as charts.

OCI image manifest

Parses docker buildx imagetools inspect --raw JSON. Provenance annotations, build attestations (SLSA / SBOM), image.created timestamp.

SCM (GitHub) posture

Hits the GitHub REST API for branch protection, required reviews, code scanning, secret scanning, Dependabot, signed commits. Closes the gap with Legitify and OpenSSF Scorecard.

Adding a new provider

  1. Create pipeline_check/core/providers/<name>.py subclassing BaseProvider.
  2. Set NAME, implement build_context(**kwargs) and check_classes.
  3. Register it in pipeline_check/core/providers/__init__.py.
  4. Add check modules under pipeline_check/core/checks/<name>/ and tests under tests/<name>/.
  5. (Optional) Add compliance mappings for the new check IDs in pipeline_check/core/standards/data/*.py.

The Scanner, --pipeline CLI flag, and provider registry pick it up automatically.
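The steps above, as an added example that is not pipeline_check's own code: a file-based provider for a hypothetical JSON pipeline format, with one check class, wired into a registry dict. BaseProvider, the check's run(ctx) contract, the Finding type and the PROVIDERS registry are all assumed stand-ins for this demo, not the project's real classes.

```python
from dataclasses import dataclass
import json

@dataclass
class Finding:
    check_id: str
    message: str

class BaseProvider:
    """Stand-in for pipeline_check's BaseProvider (assumed shape, not the real class)."""
    NAME = ""
    check_classes = ()
    def build_context(self, **kwargs):
        raise NotImplementedError
    def scan(self, **kwargs):
        # Provider-agnostic core: build the context once, then run every declared check.
        ctx = self.build_context(**kwargs)
        return [f for cls in self.check_classes for f in cls().run(ctx)]

class UnpinnedImageCheck:
    """Hypothetical check: each step image must carry a digest or a non-latest tag."""
    ID = "EXAMPLECI-001"
    def run(self, ctx):
        findings = []
        for step in ctx["steps"]:
            image = step.get("image", "")
            pinned = "@sha256:" in image or (":" in image and not image.endswith(":latest"))
            if not pinned:
                findings.append(Finding(self.ID, f"step {step['name']!r} uses unpinned image {image!r}"))
        return findings

class ExampleCIProvider(BaseProvider):
    NAME = "example-ci"                    # value the --pipeline flag would select
    check_classes = (UnpinnedImageCheck,)
    def build_context(self, **kwargs):
        # File-based provider: no credentials or clients, the context is just the parsed file.
        return {"steps": json.loads(kwargs["text"]).get("steps", [])}

# Registry entry of the kind step 3 adds in providers/__init__.py (assumed shape).
PROVIDERS = {ExampleCIProvider.NAME: ExampleCIProvider}

# Constructed sample pipeline for this demo, not taken from any real project.
SAMPLE = json.dumps({"steps": [
    {"name": "build", "image": "node:latest"},
    {"name": "test", "image": "python"},
    {"name": "deploy", "image": "alpine@sha256:" + "0" * 64},
    {"name": "lint", "image": "golang:1.22"},
]})

def scan_sample(name="example-ci"):
    return PROVIDERS[name]().scan(text=SAMPLE)
```

Running scan_sample() flags the build and test steps only; the digest-pinned and version-tagged images pass.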