PipeGuard Documentation

Pipeline Security & Quality Scanner — 145 rules, dual scoring, deterministic auto-fix. Built in Go.

Rules Reference

PipeGuard ships with 145 built-in rules across 4 file types and 9 categories. Every rule has an ID, severity, description, and fix suggestion.

Quick Start

Install

```shell
# Homebrew
$ brew install tazi06/tap/pipeguard

# Curl
$ curl -sfL https://raw.githubusercontent.com/tazi06/pipeguard/main/install.sh | sh

# Go
$ go install github.com/tazi06/pipeguard/cmd/pipeguard@latest
```

Scan

```shell
# Scan current directory
$ pipeguard scan .

# Scan specific file
$ pipeguard scan .gitlab-ci.yml

# JSON output
$ pipeguard scan . --format json --output report.json

# SARIF for GitHub Security tab
$ pipeguard scan . --format sarif --output results.sarif

# Show only critical and high
$ pipeguard scan . --severity critical,high

# Show fix suggestions
$ pipeguard scan . --fix
```

Architecture

PipeGuard is a single Go binary with zero external dependencies. The scan pipeline:

  1. Detector — walks the directory tree, identifies file types (GitLab CI, GitHub Actions, Jenkinsfile, Dockerfile)
  2. Parser — reads each file into lines + raw content
  3. Engine — evaluates 145 rules against parsed files (regex-based, file-scope and line-scope)
  4. Scorer — calculates dual scores (Security 0-100, Quality 0-100), maps to maturity level
  5. Output — formats results as Terminal (ANSI), JSON, or SARIF v2.1.0
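The engine and scorer stages above are the part of the pipeline worth seeing in code. The following is an added illustration written for this page, not PipeGuard's own source: a miniature regex rule engine with one file-scope rule (expressed as "pattern absent") and two line-scope rules, run over a constructed GitHub Actions fragment, followed by a deduction-based score and a maturity mapping. The rule IDs (`EX-SEC-1`, `EX-SCA-1`, `EX-SAS-1`), the regexes, the per-severity penalties and the maturity thresholds are all assumptions made for the example; PipeGuard's real rules and scoring formula are not documented on this page.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Rule is a regex-based check. PerLine rules run against each line and report a
// line number; file-scope rules run once over the raw content, and Negate makes
// such a rule fire when the pattern is ABSENT ("no SAST step" style checks).
// All IDs, patterns and weights below are constructed; none are PipeGuard's.
type Rule struct {
	ID, Severity, Desc string
	PerLine, Negate    bool
	Pattern            *regexp.Regexp
}

// Finding is one rule hit; Line is 0 for file-scope findings.
type Finding struct {
	RuleID, Severity, Message string
	Line                      int
}

var rules = []Rule{
	{ID: "EX-SEC-1", Severity: "critical", Desc: "hardcoded credential in workflow variable", PerLine: true,
		Pattern: regexp.MustCompile(`(?i)(password|secret|token)\s*[:=]\s*["']?[A-Za-z0-9_\-]{8,}`)},
	{ID: "EX-SCA-1", Severity: "high", Desc: "action not pinned to a tag or commit SHA", PerLine: true,
		Pattern: regexp.MustCompile(`uses:\s*\S+@(main|master|latest)\s*$`)},
	{ID: "EX-SAS-1", Severity: "medium", Desc: "no static analysis step found", Negate: true,
		Pattern: regexp.MustCompile(`(?i)codeql|semgrep|gosec|sast`)},
}

// Evaluate runs every rule over one parsed file (raw content plus its lines).
func Evaluate(content string, rules []Rule) []Finding {
	var out []Finding
	lines := strings.Split(content, "\n")
	for _, r := range rules {
		// File-scope: one match attempt on the whole file, XOR'd with Negate.
		if !r.PerLine && r.Pattern.MatchString(content) != r.Negate {
			out = append(out, Finding{r.ID, r.Severity, r.Desc, 0})
		}
		// Line-scope: one match attempt per line, 1-based line numbers.
		for i, l := range lines {
			if r.PerLine && r.Pattern.MatchString(l) {
				out = append(out, Finding{r.ID, r.Severity, r.Desc, i + 1})
			}
		}
	}
	return out
}

// penalty is a constructed weighting, not PipeGuard's scoring formula.
var penalty = map[string]int{"critical": 25, "high": 15, "medium": 10, "low": 5}

// Score starts at 100, deducts a penalty per finding and clamps at 0.
func Score(findings []Finding) int {
	s := 100
	for _, f := range findings {
		s -= penalty[f.Severity]
	}
	if s < 0 {
		return 0
	}
	return s
}

// Maturity maps a 0-100 score to a level (constructed thresholds).
func Maturity(score int) string {
	switch {
	case score >= 90:
		return "advanced"
	case score >= 70:
		return "intermediate"
	case score >= 40:
		return "basic"
	}
	return "initial"
}

// sampleWorkflow is a constructed GitHub Actions fragment with two defects.
const sampleWorkflow = `env:
  API_TOKEN: abcd1234efgh5678
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@main
      - run: go build ./...
`

func main() {
	findings := Evaluate(sampleWorkflow, rules)
	for _, f := range findings {
		fmt.Printf("%-9s %-8s line %d: %s\n", f.RuleID, f.Severity, f.Line, f.Message)
	}
	score := Score(findings)
	fmt.Printf("security score %d/100, maturity %q\n", score, Maturity(score))
}
```

Running it reports the hardcoded token on line 2, the unpinned action on line 7, and the missing SAST step as a file-scope finding on line 0, for a score of 50 ("basic"). The XOR against `Negate` is the detail to notice: it lets "something must be present" and "something must be absent" rules share one evaluation path, which is also why file-scope findings carry no line number.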

Rule Categories

| Code | Category                 | Rules | Scope       |
|------|--------------------------|-------|-------------|
| SEC  | Secret Management        | 8     | Pipeline    |
| SAS  | Static Analysis (SAST)   | 6     | Pipeline    |
| SCA  | Supply Chain Security    | 7     | Pipeline    |
| DST  | Dynamic Testing (DAST)   | 4     | Pipeline    |
| DEP  | Deployment Security      | 8     | Pipeline    |
| GOV  | Governance & Compliance  | 12    | Pipeline    |
| JEN  | Jenkinsfile Security     | 30    | Jenkinsfile |
| DOC  | Dockerfile Security      | 40    | Dockerfile  |
| PQL  | Pipeline Quality         | 30    | Pipeline    |

Open Source — PipeGuard is licensed under AGPL-3.0. Free for individuals and open source projects. Commercial use requires compliance with AGPL terms.