v0.1.0 · OPEN SOURCE · GO CLI

Is your pipeline actually secure?

PipeGuard scans your CI/CD pipelines, Dockerfiles, and Jenkinsfiles for security vulnerabilities and quality issues. Dual scoring, maturity levels, and deterministic fix suggestions.

145 Rules 9 Categories Dual Scoring SARIF · JSON Output GitLab · GitHub · Jenkins · Dockerfile
$ brew install tazi06/tap/pipeguard
$ curl -sfL https://raw.githubusercontent.com/tazi06/pipeguard/main/install.sh | sh
$ go install github.com/tazi06/pipeguard/cmd/pipeguard@latest
145 Security & Quality Rules · 9 Rule Categories · 4 File Types Supported · 3 Output Formats

The Problem

You scan your code. You scan your images. But who scans your pipeline itself?

What happens today

  • allow_failure: true on SAST — security bypassed silently
  • No manual gate before production — anyone can deploy
  • No rollback stage — bug in prod = panic
  • Secret scan only on latest commit — git history exposed
  • Single container scanner — CVEs missed
  • No SBOM — Log4Shell hits, you don't know if you're affected
  • No image signing — tampered images reach production

With PipeGuard

  • Every security misconfiguration detected and reported
  • Maturity score: know exactly where you stand
  • Prioritized fixes: highest impact first
  • Deterministic fix suggestions for ~85% of rules
  • 145 rules across 9 categories — pipelines, Dockerfiles, Jenkinsfiles
  • Works with GitLab CI, GitHub Actions, Jenkins
  • Single binary — no dependencies

Features

Everything you need to audit, score, and fix your pipeline security.

145 Security & Quality Rules

Secrets, SAST, SCA, DAST, deployment, governance, Jenkinsfile, Dockerfile, and pipeline quality. Every rule explains WHY it matters.

Dual Scoring

Separate Security (0-100) and Quality (0-100) scores. Level 0 (None) to Level 5 (Optimized). Know exactly where you stand.

Deterministic Auto-Fix

No AI, no flaky suggestions. ~85% of rules have deterministic fix descriptions. Run with --fix to see exactly what to change.

Single Binary

Written in Go. Download, run. No Python, no npm, no dependencies. Works offline.

4 File Types

GitLab CI, GitHub Actions, Jenkinsfile, Dockerfile. One binary scans everything. Walk a directory and detect automatically.

SARIF & JSON Output

SARIF v2.1.0 for GitHub/GitLab Security tabs. JSON for automation. Terminal with ANSI colors for humans.

See it in Action

One command. Full security audit of your CI/CD pipeline.

pipeguard — scan

$ pipeguard scan examples/

PIPEGUARD v0.1.0 — Pipeline Security & Quality Scanner by yhakkache
====================================================================

[SCAN] .gitlab-ci.yml (61 violations found)
  CRITICAL  R01  No secret scanning stage                  -3pts
  CRITICAL  R03  Hardcoded secret or credential            -5pts
            Line 7 | DB_PASSWORD: "supersecret123"
  HIGH      R05  No Vault or secret manager                -2pts
  CRITICAL  R08  No SAST scanning stage                    -3pts
  HIGH      R20  Using npm install instead of npm ci       -2pts
  ... 56 more violations

[SCAN] Dockerfile (25 violations found)
  CRITICAL  D01  Using FROM with :latest tag               -3pts
  CRITICAL  D06  Secret in ENV or ARG instruction          -5pts
  HIGH      D16  apt-get without --no-install-recommends   -3pts
  ... 22 more violations

--------------------------------------------------------------------
RESULTS
--------------------------------------------------------------------
Files scanned:  4
Violations:     161 (16 critical, 35 high, 90 medium, 20 low)
Auto-fixable:   150/161

.gitlab-ci.yml   SECURITY   9/100   Level 0 — None
                 QUALITY   41/100   Level 2 — Developing
Dockerfile       SECURITY  40/100   Level 2 — Developing
Jenkinsfile      SECURITY  59/100   Level 2 — Developing
--------------------------------------------------------------------
$
Rules Engine — 145 Security & Quality Checks

9 categories covering pipelines, Dockerfiles, Jenkinsfiles, and quality best practices.

Rule  Check                                                  Category      Points  Severity
R01   Secret scanning stage present (GitLeaks/TruffleHog)    Secrets       3       CRITICAL
R02   Secret scan blocks pipeline (allow_failure: false)     Secrets       2       CRITICAL
R08   SAST tool present in pipeline                          SAST          3       CRITICAL
R10   SAST blocks pipeline on critical findings              SAST          2       HIGH
R16   Container scanning present (Trivy/Grype)               Supply Chain  3       CRITICAL
R17   2+ container scanners (defense in depth)               Supply Chain  2       HIGH
R19   Image signing (Cosign) before deployment               Supply Chain  2       HIGH
R22   DAST (ZAP) present in pipeline                         DAST          3       CRITICAL
R28   Manual approval gate before production                 Deploy        3       CRITICAL
R29   Rollback stage present                                 Deploy        3       CRITICAL
R36   Centralized vulnerability tracker (DefectDojo)         Governance    4       HIGH
R44   Pipeline cannot be skipped on protected branches       Governance    2       CRITICAL

Showing 12 of 145 rules.

DevSecOps Maturity Levels

PipeGuard scores your pipeline from 0 to 100 and maps it to a maturity level.

Level 0 — None (0 — 19 points)
Pipeline has zero security stages. No scanning, no gates, no audit trail. Door wide open.

Level 1 — Basic (20 — 39 points)
Some tools present but not blocking. Security reports generated but nobody reads them.

Level 2 — Developing (40 — 59 points)
Security stages exist and some block. Major gaps in supply chain, DAST, or governance remain.

Level 3 — Defined (60 — 79 points)
Solid pipeline with defense in depth partially implemented. Minor improvements needed.

Level 4 — Managed (80 — 94 points)
Defense in depth, centralized tracking, strong governance. Production-grade security posture.

Level 5 — Optimized (95 — 100 points)
Full DevSecOps maturity. Audit-ready. Automated compliance. Top 1% of organizations.

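As an added worked example (not PipeGuard's code), the following Python script shows how a rule engine of this shape turns the misconfigurations listed under "What happens today" into scored findings: it reads a constructed .gitlab-ci.yml, applies R01, R02, R03, R08 and R20 with the point values the page shows, computes separate security and quality scores, and maps each onto the maturity bands above. The rule ids, point values and level bands are the page's; everything else is an assumption of this example: the minimal YAML-subset reader (not a YAML parser), the string-matching heuristics, the "share of rule points kept" scoring formula, and the sample file and its hardened copy.

```python
import re

# Added example, not PipeGuard's code. Reads only the YAML subset used in WEAK_CI
# below ("key: value" at two-space indent, "- item" script lines); not a YAML parser.
def parse_gitlab_ci(src):
    jobs, variables = {}, {}
    section = last_key = None
    for line in src.splitlines():
        text = line.strip()
        if not text or text.startswith("#"):
            continue
        if not line.startswith(" "):          # top-level key: "variables" or a job name
            section, last_key = text.rstrip(":"), None
            if section != "variables":
                jobs[section] = {"script": [], "allow_failure": None}
        elif text.startswith("- "):
            if section in jobs and last_key == "script":
                jobs[section]["script"].append(text[2:])
        elif ":" in text:
            key, _, value = text.partition(":")
            key, value = key.strip(), value.strip().strip("\"'")
            last_key = key
            if section == "variables":
                variables[key] = value
            elif section in jobs and key == "allow_failure":
                jobs[section]["allow_failure"] = value
    return jobs, variables

SECRET_KEY = re.compile(r"passw|secret|token|api_?key", re.I)

def check(jobs, variables):
    """Apply R01, R02, R03, R08 and R20 with the point values the page lists.
    The string-matching heuristics are this example's assumptions, not PipeGuard's."""
    found = []
    scripts = {name: "\n".join(job["script"]).lower() for name, job in jobs.items()}
    secret_jobs = [n for n, s in scripts.items() if "gitleaks" in s or "trufflehog" in s]
    if not secret_jobs:
        found.append(("R01", "security", 3, "no secret scanning stage"))
    elif any(jobs[n]["allow_failure"] == "true" for n in secret_jobs):
        found.append(("R02", "security", 2, "secret scan has allow_failure: true, so leaks never block"))
    for key, value in variables.items():
        # "$VAR" defers to a CI/vault variable; a literal value is a hardcoded secret
        if SECRET_KEY.search(key) and value and not value.startswith("$"):
            found.append(("R03", "security", 5, f"hardcoded secret in variable {key}"))
    if not any("semgrep" in s or "sast" in s for s in scripts.values()):
        found.append(("R08", "security", 3, "no SAST scanning stage"))
    for name, s in scripts.items():
        if "npm install" in s:
            found.append(("R20", "quality", 2, f"{name}: use npm ci instead of npm install"))
    return found

MAX_POINTS = {"security": 13, "quality": 2}   # points at stake per category in this rule set
LEVELS = [(95, "Optimized"), (80, "Managed"), (60, "Defined"), (40, "Developing"), (20, "Basic"), (0, "None")]

def score(violations):
    """Per category: 0-100 as the share of rule points kept (the page gives no formula;
    this is the example's), then the level number and name from the page's bands."""
    report = {}
    for cat, maximum in MAX_POINTS.items():
        lost = sum(p for _, c, p, _ in violations if c == cat)
        pts = 100 * max(maximum - lost, 0) // maximum
        level, name = next((5 - i, n) for i, (floor, n) in enumerate(LEVELS) if pts >= floor)
        report[cat] = (pts, level, name)
    return report

def audit(src):
    violations = check(*parse_gitlab_ci(src))
    return violations, score(violations)

# Constructed .gitlab-ci.yml carrying the misconfigurations the page lists.
WEAK_CI = """\
variables:
  DB_PASSWORD: "supersecret123"

secret_scan:
  script:
    - gitleaks detect --source .
  allow_failure: true

build:
  script:
    - npm install
"""

# The same file with the deterministic fixes applied (constructed; stands in for --fix).
HARDENED_CI = (WEAK_CI.replace('"supersecret123"', "$VAULT_DB_PASSWORD")
               .replace("allow_failure: true", "allow_failure: false")
               .replace("npm install", "npm ci")
               + "\nsast:\n  script:\n    - semgrep ci\n")

if __name__ == "__main__":
    for label, src in (("weak", WEAK_CI), ("hardened", HARDENED_CI)):
        violations, report = audit(src)
        print(f"[SCAN] {label} ({len(violations)} violations found)")
        for rule, _, pts, msg in violations:
            print(f"  {rule} -{pts}pts {msg}")
        for cat, (pts, level, name) in report.items():
            print(f"  {cat.upper()} {pts}/100 Level {level} - {name}")
```

Run as a script it reports the weak file's four findings (R02, R03, R08, R20) with Security 23/100 at Level 1 and Quality 0/100 at Level 0, then the hardened copy at 100/100 on both. The hardened copy is produced by applying the three literal rewrites a deterministic fixer would emit (vault-backed variable, allow_failure: false, npm ci) and adding a SAST job, which is why the two scores move without any fuzzy matching.
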
Supported Platforms

One tool for all your CI/CD pipelines.

  • GitLab CI: .gitlab-ci.yml (45 rules)
  • GitHub Actions: .github/workflows/*.yml (45 rules)
  • Jenkins: Jenkinsfile (30 rules)
  • Dockerfile: Dockerfile (40 rules)

Roadmap

Where PipeGuard is going.

1. DONE — CLI Scanner: Core Engine
Go binary, 145 rules across 4 file types, dual scoring, SARIF/JSON/Terminal output, fix suggestions. Shipped.
Go · 145 Rules · SARIF v2.1.0 · Cobra CLI

2. NEXT — Auto-Fix Engine
Deterministic auto-fix: --fix --apply rewrites your files. No AI, no flaky output. ~85% of rules auto-fixable.
Regex Rewrite · AST Patching · Dry Run · Diff Output

3. LATER — Web Dashboard
GitHub App / GitLab webhook. Continuous monitoring. Team dashboards. Trending. Compliance reports.
Next.js Dashboard · Webhooks · PDF Reports

4. FUTURE — Enterprise Platform
Organization-wide audits. Custom rules. Policy enforcement. Industry benchmarks. SSO. SLA.
Multi-Tenant · SSO · Custom Rules · Benchmarks

Stop guessing. Start scanning.

One command to know if your pipeline is actually secure. Open source. Free forever for individuals.
