Tons of security tools didn't see it; they just focused on the app code and dependencies. Almost nobody cares about how the pipeline itself is built.
That's why I built plumber. It checks 40+ controls in your GitHub workflow (or GitLab CI) and gives you an A-E score with a list of issues to fix.
Controls are written in Rego, but today you can't add your own controls yet by dropping in a Rego file.
Do you think you have an A?
```
brew tap getplumber/plumber
brew install plumber
cd <your-git-repo>
plumber config generate # generates default configuration yaml file
plumber analyze
```
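To show the kind of pipeline control a scanner like this looks at, here is an added example of my own (not plumber's code and not one of its Rego controls): it walks a GitHub workflow for unpinned third-party actions, a missing `permissions` block, and a `pull_request_target` job that checks out the PR head. The control names, the sample workflow and the 40-hex commit SHA are all constructed placeholders.

```python
import re

# Constructed sample workflow, hand-built as the mapping a YAML parser would
# produce for a .github/workflows/ci.yml. The commit SHA is a made-up placeholder.
SAMPLE_WORKFLOW = {
    "name": "ci",
    "on": {"pull_request_target": {}, "push": {"branches": ["main"]}},
    "jobs": {
        "build": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": "actions/checkout@v4",
                 "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
                {"uses": "actions/setup-node@8f152de45cc7e6b8daea1a2ef1f0c1b1c4a4a1c2"},
                {"run": "npm ci && npm test"},
            ],
        }
    },
}

# A remote action counts as pinned only when its ref is a full 40-hex commit SHA;
# tags and branches can be moved, so they are flagged.
SHA_PIN = re.compile(r"@[0-9a-f]{40}$")

def trigger_names(wf):
    """Normalise the 'on:' key, which may be a string, a list or a mapping."""
    on = wf.get("on", {})
    return {on} if isinstance(on, str) else set(on)

def check_workflow(wf):
    """Return (control_id, job, detail) tuples, one per weakness found."""
    findings = []
    if "permissions" not in wf:
        findings.append(("permissions-not-restricted", None,
                         "no top-level permissions block; GITHUB_TOKEN keeps the repo default"))
    risky_trigger = "pull_request_target" in trigger_names(wf)
    for job_name, job in wf.get("jobs", {}).items():
        for step in job.get("steps", []):
            uses = step.get("uses", "")
            if not uses or uses.startswith(("./", "docker://")):
                continue  # local path or container image: the SHA-pin rule does not apply
            if not SHA_PIN.search(uses):
                findings.append(("action-not-pinned-to-sha", job_name, uses))
            ref = str(step.get("with", {}).get("ref", ""))
            # pull_request_target runs with the base repo's secrets, so checking out
            # the PR head there runs untrusted code with those secrets available.
            if risky_trigger and uses.startswith("actions/checkout") and "pull_request.head" in ref:
                findings.append(("pull-request-target-checks-out-pr-head", job_name, ref))
    return findings

if __name__ == "__main__":
    for control, job, detail in check_workflow(SAMPLE_WORKFLOW):
        print(f"{control:40} {job or '-':8} {detail}")
```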