Advanced AST-powered security analyzer for GitHub Actions and GitLab CI/CD workflows
Flowlyt combines traditional pattern matching with cutting-edge Abstract Syntax Tree (AST) analysis to deliver 62% faster scans with 66% fewer false positives. Selected for presentation at DEF CON 33 and Black Hat Europe 2025.
Key Features
- AST-Based Analysis - Call graph, reachability, and data flow analysis
- Multi-Platform - GitHub Actions + GitLab CI/CD support
- 85+ Security Rules - Injection, secrets, supply chain, misconfigurations
- SARIF Output - GitHub Security tab integration
- Configurable - Custom rules, policies, and ignore patterns
- Real-time Intelligence - OSV.dev vulnerability database integration
Quick Start
Known Issues
Go Module Proxy Cache Issue
Issue: go install github.com/harekrishnarai/flowlyt/cmd/flowlyt@latest may install an incorrect version (v1.0.0) due to a Go module proxy cache issue.
Symptoms:
- Installing with @latest downloads v1.0.0 instead of the actual latest version (v0.0.5)
- Tool may not function correctly or detect security issues properly
Workaround: Use the GOPRIVATE environment variable to bypass the proxy cache:
```sh
# Recommended installation method (bypasses proxy cache)
GOPRIVATE=github.com/harekrishnarai/flowlyt go install github.com/harekrishnarai/flowlyt/cmd/flowlyt@latest
```
Alternative: Install a specific version directly:
```sh
# Install a specific version directly
go install github.com/harekrishnarai/flowlyt/cmd/flowlyt@v0.0.3
```
Verification: Check that you have the correct version:
```sh
flowlyt --version
# Should output: flowlyt version 0.0.5
```
This issue has been reported to GitHub support and should be resolved server-side in the future.
```sh
# Install
go install github.com/harekrishnarai/flowlyt/cmd/flowlyt@latest

# Analyze a workflow
flowlyt analyze .github/workflows/ci.yml --enable-ast-analysis

# Scan entire repository
flowlyt scan ./my-repo --output-format sarif
```
Example Output
```text
Analyzing: .github/workflows/ci.yml
AST Analysis: ON (62% faster, 66% fewer false positives)

CRITICAL: Shell Injection via curl | bash
├─ Line 23: curl -sSL https://get.docker.com/ | sh
└─ Risk: Remote code execution, supply chain attack

HIGH: Hardcoded Secret Detected
├─ Line 15: API_KEY="sk-1234567890abcdef"
└─ Risk: Credential exposure in version control

Scan completed in 28ms
Found 2 issues (1 Critical, 1 High, 0 Medium, 0 Low)
```
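As an added illustration of the two rule classes in the report above (this is example code written for this page, not Flowlyt's own implementation), a minimal Go line scanner that flags a download piped into a shell and a credential-like name assigned a literal value, while leaving `${{ secrets.X }}` references and download-to-file steps alone. The workflow text is constructed; the regexes are assumptions that sketch the rules, not Flowlyt's actual rule definitions.

```go
package main

import (
	"regexp"
	"strings"
)

// Finding mirrors one entry of the report: severity, rule, offending text and line.
type Finding struct {
	Severity, Rule, Snippet string
	Line                    int
}

// pipeToShell: a remote download piped straight into a shell interpreter.
var pipeToShell = regexp.MustCompile(`\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b`)

// hardcodedSecret: a credential-like name assigned a literal value (not a ${{ }} expression).
var hardcodedSecret = regexp.MustCompile(`(?i)\b[A-Z_]*(KEY|TOKEN|SECRET|PASSWORD)\s*[:=]\s*["']?[A-Za-z0-9_\-]{8,}`)

// Constructed sample workflow (not a real repository file) with one finding of each kind;
// the last step downloads to a file without piping, so it must not be flagged.
const sampleWorkflow = `name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    env:
      API_KEY: "sk-1234567890abcdef"
      SAFE_TOKEN: ${{ secrets.SAFE_TOKEN }}
    steps:
      - run: curl -sSL https://get.docker.com/ | sh
      - run: curl -sSLo docker.sh https://get.docker.com/`

// ScanWorkflow checks each non-comment line and returns findings in file order.
func ScanWorkflow(content string) []Finding {
	var out []Finding
	for i, raw := range strings.Split(content, "\n") {
		line := strings.TrimSpace(raw)
		if strings.HasPrefix(line, "#") {
			continue
		}
		if pipeToShell.MatchString(line) {
			out = append(out, Finding{"CRITICAL", "Shell Injection via curl | bash", line, i + 1})
		}
		if hardcodedSecret.MatchString(line) && !strings.Contains(line, "${{") {
			out = append(out, Finding{"HIGH", "Hardcoded Secret Detected", line, i + 1})
		}
	}
	return out
}
```

Running `ScanWorkflow(sampleWorkflow)` yields the HIGH finding at line 7 and the CRITICAL finding at line 10; the `${{ secrets.SAFE_TOKEN }}` reference and the download-to-file step produce nothing.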
GitHub Actions Integration
```yaml
- name: Flowlyt Security Scan
  uses: harekrishnarai/flowlyt@v1
  with:
    config-file: '.flowlyt.yml'
    output-format: 'sarif'
    enable-ast-analysis: true

- name: Upload to GitHub Security
  uses: github/codeql-action/upload-sarif@v2
  with:
    sarif_file: flowlyt-results.sarif
```
Documentation
Roadmap
- SARIF Output - GitHub Security tab integration
- AST Analysis - Call graph, reachability, data flow
- Multi-Platform - GitHub Actions + GitLab CI/CD
- IDE Extension - VS Code real-time analysis
- Workflow Visualization - Security dependency graphs
- Enterprise Features - SSO, RBAC, compliance reporting
Contributing
We welcome contributions! See CONTRIBUTING.md for guidelines.
License
MIT License - see LICENSE for details.
Conference Presentations:
Contributors
Thanks to all the people who already contributed!
Hare Krishna Rai
Gaurav Joshi
Chanchal Kalnarayan
Prashant Venkatesh
Nandan Gupta
Mohd. Arif