v0.1.0 · OPEN SOURCE · GO CLI

Is your pipeline actually secure?

PipeGuard scans your CI/CD pipelines, Dockerfiles, and Jenkinsfiles for security vulnerabilities and quality issues. Dual scoring, maturity levels, and deterministic fix suggestions.

145 rules · 9 categories · dual scoring · SARIF / JSON output · GitLab / GitHub / Jenkins / Dockerfile

$ brew install tazi06/tap/pipeguard
$ curl -sfL https://raw.githubusercontent.com/tazi06/pipeguard/main/install.sh | sh
$ go install github.com/tazi06/pipeguard/cmd/pipeguard@latest

145 security & quality rules · 9 rule categories · 4 file types supported · 3 output formats

The Problem

You scan your code. You scan your images. But who scans your pipeline itself?

What happens today

  • allow_failure: true on SAST — security bypassed silently
  • No manual gate before production — anyone can deploy
  • No rollback stage — bug in prod = panic
  • Secret scan only on latest commit — git history exposed
  • Single container scanner — CVEs missed
  • No SBOM — Log4Shell hits, you don't know if you're affected
  • No image signing — tampered images reach production

With PipeGuard

  • Every security misconfiguration detected and reported
  • Maturity score: know exactly where you stand
  • Prioritized fixes: highest impact first
  • Deterministic fix suggestions for ~85% of rules
  • 145 rules across 9 categories — pipelines, Dockerfiles, Jenkinsfiles
  • Works with GitLab CI, GitHub Actions, Jenkins
  • Single binary — no dependencies

Features

Everything you need to audit, score, and fix your pipeline security.

145 Security & Quality Rules

Secrets, SAST, SCA, DAST, deployment, governance, Jenkinsfile, Dockerfile, and pipeline quality. Every rule explains WHY it matters.

Dual Scoring

Separate Security (0-100) and Quality (0-100) scores. Level 0 (None) to Level 5 (Optimized). Know exactly where you stand.

Deterministic Auto-Fix

No AI, no flaky suggestions. ~85% of rules have deterministic fix descriptions. Run with --fix to see exactly what to change.

Single Binary

Written in Go. Download, run. No Python, no npm, no dependencies. Works offline.

4 File Types

GitLab CI, GitHub Actions, Jenkinsfile, Dockerfile. One binary scans everything. Walk a directory and detect automatically.

SARIF & JSON Output

SARIF v2.1.0 for GitHub/GitLab Security tabs. JSON for automation. Terminal with ANSI colors for humans.

See it in Action

One command. Full security audit of your CI/CD pipeline.

pipeguard — scan
$ pipeguard scan examples/

┌─────────────────────────────────────────────────────────┐
  PIPEGUARD v0.1.0    Pipeline Security & Quality Scanner
└─────────────────────────────────────────────────────────┘

● .gitlab-ci.yml                          61 violations found
───────────────────────────────────────────────────────────
  CRITICAL  R01  No secret scanning stage                -3pts
  CRITICAL  R03  Hardcoded secret or credential          -5pts
            ↳ Line 7 │ DB_PASSWORD: "supersecret123"
  HIGH      R05  No Vault or secret manager              -2pts
  CRITICAL  R08  No SAST scanning stage                  -3pts
  HIGH      R20  Using npm install instead of npm ci     -2pts
  ... 56 more ↓

● Dockerfile                              25 violations found
───────────────────────────────────────────────────────────
  CRITICAL  D01  Using FROM with :latest tag             -3pts
  CRITICAL  D06  Secret in ENV or ARG instruction        -5pts
  HIGH      D16  apt-get without --no-install-rec        -3pts
  ... 22 more ↓

═══════════════════════════════════════════════════════════
  RESULTS SUMMARY
═══════════════════════════════════════════════════════════
  Files scanned    4
  Violations       161    16 critical · 35 high · 90 med · 20 low
  Auto-fixable     150/161
───────────────────────────────────────────────────────────
  .gitlab-ci.yml   SECURITY   9/100   Level 0 — None
                   QUALITY   41/100   Level 2 — Developing
  Dockerfile       SECURITY  40/100   Level 2 — Developing
  Jenkinsfile      SECURITY  59/100   Level 2 — Developing
═══════════════════════════════════════════════════════════
$
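The three Dockerfile findings in the scan above (D01, D06, D16) come down to line-oriented checks on the FROM, ENV/ARG and RUN instructions. The Go program below is an added illustration of such checks and is not PipeGuard's own code; the Finding type, the secretKey heuristic and the sample Dockerfile are constructed for this example.

```go
package main

import (
	"regexp"
	"strings"
)

// Finding mirrors the rule-ID / severity / line shape of PipeGuard's output (assumed, not the project's type).
type Finding struct{ Rule, Severity string; Line int }

// D06 heuristic: a credential-looking ENV/ARG key followed by a non-empty value.
var secretKey = regexp.MustCompile(`(?i)(PASSWORD|SECRET|TOKEN|API_KEY)\w*\s*(=|\s)\s*\S`)

// ScanDockerfile checks each instruction for D01 (FROM untagged or :latest; digest-pinned images pass),
// D06 (secret in ENV/ARG) and D16 (apt-get install without --no-install-recommends).
// Simplifications: one instruction per line (no backslash continuations are folded) and
// "AS stage" names reused by later FROM lines are not tracked.
func ScanDockerfile(src string) []Finding {
	var out []Finding
	for i, raw := range strings.Split(src, "\n") {
		line := strings.TrimSpace(raw)
		f := strings.Fields(line)
		if len(f) < 2 || strings.HasPrefix(line, "#") {
			continue
		}
		rest := line[len(f[0]):]
		switch strings.ToUpper(f[0]) {
		case "FROM":
			name := f[1][strings.LastIndex(f[1], "/")+1:] // drop registry/path, which may carry ":port"
			if !strings.Contains(f[1], "@sha256:") && (!strings.Contains(name, ":") || strings.HasSuffix(name, ":latest")) {
				out = append(out, Finding{"D01", "CRITICAL", i + 1})
			}
		case "ENV", "ARG":
			if secretKey.MatchString(rest) {
				out = append(out, Finding{"D06", "CRITICAL", i + 1})
			}
		case "RUN":
			if strings.Contains(rest, "apt-get") && strings.Contains(rest, " install") && !strings.Contains(rest, "--no-install-recommends") {
				out = append(out, Finding{"D16", "HIGH", i + 1})
			}
		}
	}
	return out
}

// Constructed sample Dockerfile (not from the PipeGuard repository).
const sample = `FROM node:latest AS build
ARG NPM_TOKEN=abc123
RUN apt-get update && apt-get install -y git
FROM node:20-alpine
ENV DB_PASSWORD="supersecret123"
COPY --from=build /app /app`
```

Running ScanDockerfile(sample) yields D01 on line 1, D06 on lines 2 and 5, and D16 on line 3; a digest-pinned FROM, an ARG with no default value, and an apt-get install with --no-install-recommends produce no findings.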
Rules Engine — 145 Security & Quality Checks

9 categories covering pipelines, Dockerfiles, Jenkinsfiles, and quality best practices.

Rule  Check                                                    Category       Points  Severity
R01   Secret scanning stage present (GitLeaks/TruffleHog)      Secrets        3       CRITICAL
R02   Secret scan blocks pipeline (allow_failure: false)       Secrets        2       CRITICAL
R08   SAST tool present in pipeline                            SAST           3       CRITICAL
R10   SAST blocks pipeline on critical findings                SAST           1       MEDIUM
R16   Container scanning present (Trivy/Grype)                 Supply Chain   1       HIGH
R17   2+ container scanners (defense in depth)                 Supply Chain   1       MEDIUM
R19   Image signing (Cosign) before deployment                 Supply Chain   1       LOW
R22   DAST (ZAP) present in pipeline                           DAST           1       LOW
R28   Manual approval gate before production                   Deploy         3       CRITICAL
R29   Rollback stage present                                   Deploy         1       HIGH
R36   Centralized vulnerability tracker (DefectDojo)           Governance     4       HIGH
R44   Pipeline cannot be skipped on protected branches         Governance     1       MEDIUM

Showing 12 of 145 rules.

DevSecOps Maturity Levels

PipeGuard scores your pipeline from 0 to 100 and maps it to a maturity level.

Level 0 · None (0-19 points)
Pipeline has zero security stages. No scanning, no gates, no audit trail. Door wide open.

Level 1 · Basic (20-39 points)
Some tools present but not blocking. Security reports generated but nobody reads them.

Level 2 · Developing (40-59 points)
Security stages exist and some block. Major gaps in supply chain, DAST, or governance remain.

Level 3 · Defined (60-79 points)
Solid pipeline with defense in depth partially implemented. Minor improvements needed.

Level 4 · Managed (80-94 points)
Defense in depth, centralized tracking, strong governance. Production-grade security posture.

Level 5 · Optimized (95-100 points)
Full DevSecOps maturity. Audit-ready. Automated compliance. Top 1% of organizations.

Supported Platforms

One tool for all your CI/CD pipelines.

GitLab CI: .gitlab-ci.yml (45 rules)
GitHub Actions: .github/workflows/*.yml (45 rules)
Jenkins: Jenkinsfile (30 rules)
Dockerfile: Dockerfile (40 rules)

Roadmap

Where PipeGuard is going.

1. DONE: CLI Scanner — Core Engine
Go binary, 145 rules across 4 file types, dual scoring, SARIF/JSON/Terminal output, fix suggestions. Shipped.
Tags: Go · 145 Rules · SARIF v2.1.0 · Cobra CLI

2. NEXT: Auto-Fix Engine
Deterministic auto-fix: --fix --apply rewrites your files. No AI, no flaky output. ~85% of rules auto-fixable.
Tags: Regex Rewrite · AST Patching · Dry Run · Diff Output

3. LATER: Web Dashboard
GitHub App / GitLab webhook. Continuous monitoring. Team dashboards. Trending. Compliance reports.
Tags: Next.js Dashboard · Webhooks · PDF Reports

Stop guessing. Start scanning.

One command to know if your pipeline is actually secure. Open source. Free forever for individuals.
