# Catch the Flow: Live CI/CD Security Analysis with Flowlyt

By: Hare Krishna Rai

Conference: Defcon
Year: 2026
Date: 2026-04-28

Tags: ci-cd, supply-chain-security, cicd-security, devsecops, security-tools


## Resources
- Conference Link: https://defcon.org/html/defcon-singapore/dc-singapore-demolabs.html#content_65471
- Source Code: https://flowlyt.harekrishnarai.me



In March 2025, a significant supply chain attack compromised the widely used GitHub Action tj-actions/changed-files, affecting over 23,000 repositories. Attackers injected malicious code that exfiltrated CI/CD secrets through workflow logs, demonstrating how a single compromised action can ripple across the software supply chain.

In response to this, Flowlyt is an open-source, Go-based CI/CD security analyzer that detects exploitable vulnerabilities in GitHub Actions workflows using a four-layer model: parser, graph builder, flow analyzer, and reporter.

The tool identifies issues such as pull_request_target injection, token exfiltration paths, unpinned third-party actions, and privilege escalation through workflow chaining, while maintaining a 10-to-1 signal-to-noise ratio relative to existing tools such as Zizmor and Actionlint.
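As an added illustration of three of the issue classes listed above (example code written for this page, not Flowlyt's own implementation), the following minimal line-oriented checker flags unpinned action references, a pull_request_target workflow that checks out the untrusted PR head, and attacker-controlled event fields interpolated into a `run:` step. The sample workflow, the rule names and the 40-character placeholder SHA are constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed sample workflow for this example; it deliberately contains the
# patterns the checker looks for and is not taken from any real repository.
SAMPLE_WORKFLOW = """\
name: pr-check
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: tj-actions/changed-files@v45
      - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b
      - run: echo "PR title: ${{ github.event.pull_request.title }}"
"""

USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
RUN_LINE = re.compile(r"^\s*-?\s*run:")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")          # only a full commit SHA counts as pinned
PR_HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
# Event fields a PR author controls; they must never be interpolated into shell.
INJECTABLE = re.compile(
    r"\$\{\{\s*github\.event\.(pull_request\.(title|body|head\.ref)|issue\.(title|body)|comment\.body)"
)

Finding = Tuple[int, str, str]  # (line number, rule id, detail)

def analyze(workflow: str) -> List[Finding]:
    """Scan a workflow file line by line; single-line `run:` steps only (assumption)."""
    lines = workflow.splitlines()
    privileged = any(l.strip().startswith("pull_request_target") for l in lines)
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        m = USES_LINE.match(line)
        if m and "@" in m.group(1) and not m.group(1).startswith("./"):
            action, ref = m.group(1).rsplit("@", 1)
            if not FULL_SHA.match(ref):
                findings.append((n, "unpinned-action", f"{action} uses mutable ref '{ref}'"))
        if privileged and "ref:" in line and PR_HEAD_REF.search(line):
            findings.append((n, "pr-target-checkout", "privileged trigger checks out untrusted PR head"))
        if RUN_LINE.match(line) and INJECTABLE.search(line):
            findings.append((n, "script-injection", f"untrusted event field in run: (privileged={privileged})"))
    return findings

if __name__ == "__main__":
    for line_no, rule, detail in analyze(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {rule}: {detail}")
```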

