FLOWLYT
Abstract
In March 2025, a supply chain attack compromised the widely used GitHub Action tj-actions/changed-files, affecting over 23,000 repositories. The attackers re-pointed the action's existing version tags at a malicious commit that dumped runner memory and printed CI/CD secrets into workflow logs, so every workflow that referenced the action by tag rather than by commit SHA picked up the payload on its next run. The incident demonstrates how a single compromised action can ripple across the software supply chain.
Flowlyt is an open-source CI/CD security analyzer, written in Go, built in response to this class of attack. It detects exploitable vulnerabilities in GitHub Actions workflows using a four-layer model: a parser, a graph builder, a flow analyzer, and a reporter.
The tool identifies issues such as pull_request_target injection, token exfiltration paths, unpinned third-party actions, and privilege escalation through workflow chaining, while maintaining a 10:1 signal-to-noise ratio compared with existing tools such as Zizmor and Actionlint.
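The following Go program is an added illustration of the four-layer model described above; it is example code written for this abstract, not flowlyt's own source or its real types. The parser layer is stood in for by a constructed Workflow value (a real implementation would decode the YAML), the graph builder computes which jobs transitively depend on which via needs, the flow analyzer applies three checks (attacker-controlled expressions interpolated into run: under a privileged trigger, third-party actions not pinned to a commit SHA, and downstream jobs that consume the output of a job an attacker could influence), and the reporter formats the findings. The rule names, the sample workflow, and the action example-org/pr-labeler are assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Simplified workflow model, the shape a parser layer would hand to the flow
// analyzer. These types are written for this example; they are not flowlyt's.
type (
	Step     struct{ Uses, Run string }
	Job      struct { Name string; Needs []string; Steps []Step }
	Workflow struct { Triggers []string; Jobs []Job }
	Finding  struct{ Rule, Job, Detail string }
)

var (
	// Expressions a PR author controls; expanded into `run:` before the shell runs it.
	untrustedExpr = regexp.MustCompile(
		`\$\{\{\s*github\.(head_ref|event\.(pull_request\.(title|body|head\.(ref|label))|comment\.body|issue\.(title|body)))\s*\}\}`)
	fullSHA = regexp.MustCompile(`^[0-9a-f]{40}$`)
)

// Graph builder: job name -> every job it transitively needs (BFS over `needs`).
func buildGraph(wf Workflow) map[string][]string {
	direct := map[string][]string{}
	for _, j := range wf.Jobs {
		direct[j.Name] = j.Needs
	}
	closure := map[string][]string{}
	for name := range direct {
		seen := map[string]bool{}
		for queue := append([]string(nil), direct[name]...); len(queue) > 0; queue = queue[1:] {
			if d := queue[0]; !seen[d] {
				seen[d] = true
				queue = append(queue, direct[d]...)
				closure[name] = append(closure[name], d)
			}
		}
	}
	return closure
}

// unpinned: third-party action referenced by a mutable tag or branch, not a full commit SHA.
func unpinned(uses string) bool {
	if uses == "" || strings.HasPrefix(uses, "./") || strings.HasPrefix(uses, "docker://") {
		return false // local and container actions are out of scope here
	}
	owner, _, _ := strings.Cut(uses, "/")
	_, ref, _ := strings.Cut(uses, "@")
	return owner != "actions" && owner != "github" && !fullSHA.MatchString(ref)
}

// Flow analyzer: walks trigger -> job -> step, then follows the needs graph.
func analyze(wf Workflow) []Finding {
	var out []Finding
	// These triggers run in the base repo with a write token and secrets even for fork PRs.
	privileged := false
	for _, t := range wf.Triggers {
		privileged = privileged || t == "pull_request_target" || t == "issue_comment"
	}
	injected, deps := map[string]bool{}, buildGraph(wf)
	for _, j := range wf.Jobs {
		for i, s := range j.Steps {
			if privileged && untrustedExpr.MatchString(s.Run) {
				injected[j.Name] = true
				out = append(out, Finding{"expression-injection", j.Name, fmt.Sprintf("step %d interpolates %s into run:", i, untrustedExpr.FindString(s.Run))})
			}
			if unpinned(s.Uses) {
				out = append(out, Finding{"unpinned-action", j.Name, s.Uses + " is not pinned to a commit SHA"})
			}
		}
	}
	// Chaining: a job downstream of one the attacker could influence still holds the
	// token but cannot trust that job's outputs or artifacts.
	for _, j := range wf.Jobs {
		for _, d := range deps[j.Name] {
			if injected[d] {
				out = append(out, Finding{"tainted-upstream", j.Name, "needs " + d + ", which ran attacker-controlled input"})
			}
		}
	}
	return out
}

// Reporter: one line per finding.
func report(fs []Finding) (s string) {
	for _, f := range fs {
		s += fmt.Sprintf("[%s] job %q: %s\n", f.Rule, f.Job, f.Detail)
	}
	return
}

// Constructed sample standing in for a parsed workflow; example-org/pr-labeler is hypothetical.
var sample = Workflow{
	Triggers: []string{"pull_request_target"},
	Jobs: []Job{
		{Name: "triage", Steps: []Step{{Run: `echo "PR: ${{ github.event.pull_request.title }}" >> notes.txt`}}},
		{Name: "publish", Needs: []string{"triage"}, Steps: []Step{{Uses: "example-org/pr-labeler@v2"}, {Uses: "actions/checkout@v4"}}},
	},
}

func main() { fmt.Print(report(analyze(sample))) }
```

Running it reports three findings for the constructed workflow: the injection sink in triage, the unpinned action in publish, and publish's dependence on the tainted triage job. Changing the trigger to plain pull_request leaves only the unpinned-action finding, which is the point of reasoning about flows rather than matching patterns: the same run: line is only a vulnerability when a privileged trigger feeds it attacker-controlled input.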