Quick Start
Get up and running with PipelineConductor in minutes.
Prerequisites
- PipelineConductor installed
- GitHub personal access token with repo scope
Step 1: Set Your GitHub Token
Step 2: Run Your First Scan
Scan a single organization:
This outputs a JSON compliance report to stdout.
Step 3: Generate a Readable Report
Use Markdown format for human-readable output:
Example output:
# Compliance Report
**Generated:** 2025-01-15T10:30:00Z
**Duration:** 1234ms
**Profile:** default
## Summary
| Metric | Value |
|--------|-------|
| Total Repos | 42 |
| Compliant | 38 |
| Non-Compliant | 4 |
| Compliance Rate | 90.5% |
## Repositories
### ✅ PASS myorg/api-server
*Scanned in 100ms*
### ❌ FAIL myorg/legacy-tool
**Violations:**
- 🟠 **[high]** ci/workflow-required: No CI/CD workflow found
- 💡 Remediation: Create a .github/workflows/ci.yml file
Step 4: Save the Report
Write the report to a file:
Step 5: Filter Repositories
Scan only Go repositories:
Scan multiple organizations:
Exclude archived and forked repos (default behavior):
Include them:
Step 6: Use a Profile
Profiles define expected CI/CD configurations:
# Use the modern profile (latest Go, fewer platforms)
pipelineconductor scan --orgs myorg --profile modern
# Use the legacy profile (older Go, Linux only)
pipelineconductor scan --orgs myorg --profile legacy
Step 7: Validate Custom Policies
If you have custom Cedar policies:
# Validate policy syntax
pipelineconductor validate ./policies/
# Use custom policies in scan
pipelineconductor scan --orgs myorg --policy-dir ./policies/
Common Workflows
Daily Compliance Check
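#!/bin/bash
# Stop on the first error so a failed scan is not mistaken for a completed run
set -euo pipefail
DATE=$(date +%Y-%m-%d)
# Make sure the output directory exists before the report is written
mkdir -p reports
pipelineconductor scan \
    --orgs myorg \
    --format markdown \
    --output "reports/compliance-${DATE}.md"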
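A saved daily report only helps if something acts on it. The following is an added example, not part of PipelineConductor, that turns the Markdown report into a pass/fail gate and fails closed when the report is missing or truncated. It assumes the report layout shown under "Example output" above; the function names are hypothetical.

```bash
#!/bin/bash
# Added example, not part of PipelineConductor. Assumes the Markdown
# report layout shown under "Example output" on this page.
# Print the Non-Compliant count from the Summary table; fail if absent.
non_compliant_count() {
    awk -F'|' '
        { key = $2; gsub(/^[ \t]+|[ \t]+$/, "", key) }
        key == "Non-Compliant" { v = $3; gsub(/[^0-9]/, "", v); print v; found = 1; exit }
        END { if (!found) exit 1 }
    ' "$1"
}

# Print "repo<TAB>severity<TAB>rule: message" per violation under a FAIL heading.
list_violations() {
    awk '
        /^### / { repo = ($3 == "FAIL") ? $4 : ""; next }
        repo != "" && match($0, /\*\*\[[a-z]+\]\*\*/) {
            sev  = substr($0, RSTART + 3, RLENGTH - 6)
            rest = substr($0, RSTART + RLENGTH + 1)
            printf "%s\t%s\t%s\n", repo, sev, rest
        }
    ' "$1"
}

# Returns 0 when no violation has the blocking severity (default: high),
# 1 when one does, 2 when the report has no Summary table or cannot be read.
report_gate() {
    local report="$1" sev="${2:-high}" hits
    non_compliant_count "$report" >/dev/null 2>&1 || {
        echo "gate: no Summary table in $report, failing closed" >&2
        return 2
    }
    hits=$(list_violations "$report" | awk -F'\t' -v s="$sev" '$2 == s')
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits" >&2
    return 1
}

# Constructed sample input, trimmed from the example output on this page.
write_sample_report() {
    cat > "$1" <<'EOF'
| Non-Compliant | 4 |
### ✅ PASS myorg/api-server
### ❌ FAIL myorg/legacy-tool
- 🟠 **[high]** ci/workflow-required: No CI/CD workflow found
- 💡 Remediation: Create a .github/workflows/ci.yml file
EOF
}

tmp=$(mktemp) && write_sample_report "$tmp" && { report_gate "$tmp" high || echo "gate exit: $?"; }
```

In the daily script, call `report_gate "reports/compliance-${DATE}.md"` after the scan and let its exit status decide whether the job fails.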
SARIF for GitHub Security
CSV for Spreadsheet Analysis
Next Steps
- CLI Reference - Full command documentation
- Policies - Learn about policy-as-code
- Profiles - Configure profiles for your needs
- GitHub Actions Integration - Automate scans in CI