Free evaluation
Run PipeWarden locally or with Docker. Trial mode does not require billing setup and does not block boot.
Local setupQuick Start
Choose a real PipeWarden entry point.
The public Cloudflare Workers deployment hosts the marketing surface. PipeWarden itself currently ships as a single Go application for local or self-hosted operation, while hosted SaaS access is provisioned directly by the PipeWarden team.
Self-hosted
Deploy the same application with SQLite for a single-node customer environment using the supported Docker path.
Docker quick startHosted operator mode
Hosted SaaS access uses the same application with Postgres and managed secrets. Access is currently provisioned manually.
Request hosted accessSelf-hosted Docker
PipeWarden supports a single-node self-hosted deployment with SQLite. If PIPEWARDEN_VAULT_KEY is unset, the container entrypoint auto-generates one and persists it to /app/data/.vault_key — back up that file with your data volume.
docker compose up --build
# dashboard → http://localhost:8080Want to supply your own key?
export PIPEWARDEN_VAULT_KEY=$(openssl rand -hex 32) before docker compose up.Required provider token scopes
When adding a CI/CD connection, the dashboard shows scope requirements inline. For reference:
| Provider | Token type | Scopes | Setup link |
|---|---|---|---|
| GitHub Actions | GitHub App (preferred) | actions:read · contents:read · metadata:read · security_events:write | Install app |
| GitHub Actions | PAT (fallback) | repo · workflow · read:org | Create PAT |
| GitLab CI/CD | OAuth App (preferred) | read_api · read_repository | Connect via OAuth |
| GitLab CI/CD | Project access token | read_api · read_repository, role Reporter | Create token |
| Bitbucket Pipelines | App password | pipelines:read · repository:read · account:read | Create app password |
| Jenkins | API token | User with Overall/Read · Job/Read | Jenkins → User → Configure → API Token |
| Azure DevOps | PAT | Build (Read) · Code (Read) · Project and Team (Read) | Create PAT |
| CircleCI | Personal API token | All scopes (read-only) | Create token |
Local development
The current local baseline is a single binary with the embedded dashboard on port 8080.
make build
export PIPEWARDEN_VAULT_KEY='replace-with-a-long-random-secret'
./bin/pipewardenOptional features such as Claude-backed analysis and LemonSqueezy billing stay disabled until their environment variables are set.
Hosted access
Hosted mode uses Postgres plus secret-backed configuration and is intended for operator-managed SaaS deployments.
- Provisioning is currently handled directly by the PipeWarden team.
- GitHub App, GitLab, and Bitbucket connection flows are part of the GA surface.
- Experimental providers remain feature-flagged and are not part of hosted launch acceptance.
Request access via the hosted access form.
API and health endpoints
The same application serves the dashboard, REST APIs, and subsystem health reporting.
GET /healthGET /readinessGET /api/v1/statusGET|POST /api/v1/connectionsGET /api/v1/analysis/findingsPOST /api/v1/dlp/scan
Billing and plans
Billing is optional for boot and local evaluation. PipeWarden runs in trial or unlicensed mode until LemonSqueezy is configured.
- Free usage is intended for local validation and early testing.
- Pro and hosted access are provisioned through the sales workflow.
- Enterprise terms are handled during onboarding.
Security contact and posture
Provider credentials are designed to remain encrypted at rest behind the vault abstraction, with AES-256-GCM in supported self-hosted flows.
- GitHub webhook verification uses HMAC-SHA256 in the application runtime.
- Hosted mode requires Postgres and managed secret injection.
- Security disclosures: see /.well-known/security.txt.
Privacy summary
PipeWarden is designed to minimize stored secret material and to avoid plaintext credential persistence. Self-hosted customers control their own deployment data and retention settings.
Full policy: Privacy Policy. For data-processing terms, request DPA.
Terms summary
Self-hosted evaluation is governed by the software and configuration you run in your own environment. Hosted access, commercial support, and enterprise commitments are finalized during onboarding.
Full terms: Terms of Service. For commercial MSA, contact sales.