From https://github.com/harekrishnarai/flowlyt
Flowlyt is a security analyzer that scans GitHub Actions workflows to detect malicious patterns, misconfigurations, and secrets exposure, helping enforce secure CI/CD practices.
Flowlyt combines traditional pattern matching with cutting-edge Abstract Syntax Tree (AST) analysis and AI-powered verification to deliver 62% faster scans with 66% fewer false positives. It supports multiple AI providers (OpenAI, Gemini, Claude, Grok, Perplexity) via a Bring Your Own Key model.
Key Features:
- AI-Powered Analysis: BYOK model with multi-provider support for false positive detection
- AST-Based Analysis: call graph, reachability, and data flow analysis
- Multi-Platform: GitHub Actions and GitLab CI/CD support
- 85+ Security Rules: injection, secrets, supply chain, misconfigurations
- SARIF Output: GitHub Security tab integration
- Context-Aware Analysis: intelligent severity adjustment based on workflow context, achieving 50-60% false positive reduction
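As an added illustration (this is not Flowlyt's code), the following standard-library-only Python script shows the flavour of the pattern-matching tier for four of the rule categories listed above (injection, secrets, supply chain, misconfiguration) together with a simplified context-aware severity adjustment: an untrusted `${{ github.event.* }}` expression expanded inside a `run:` script is rated critical when the workflow runs on a trigger that carries input from outside the repository, high otherwise. The sample workflow, the trigger list, the credential-key heuristic and the severities are constructed assumptions for the example, not Flowlyt's rule set.

```python
"""Line-oriented scanner for a few GitHub Actions workflow risk classes.

Constructed example of the pattern-matching approach the page describes.
It is not Flowlyt's code and works on the raw YAML text (no parser needed).
"""
import re
from dataclasses import dataclass

# Expressions whose value an outside contributor can set. This is an assumed
# representative subset, not a complete list of untrusted event fields.
UNTRUSTED_EXPR = re.compile(
    r"\$\{\{\s*github\.(?:head_ref|event\.(?:issue|pull_request|comment|"
    r"review|head_commit|discussion)\.[^}]*)\}\}"
)
# Triggers that run on input from outside the repository (assumed subset).
RISKY_TRIGGER = re.compile(r"\b(?:pull_request_target|issue_comment|issues)\b")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
RUN_LINE = re.compile(r"^\s*-?\s*run:\s*(.*)$")
PINNED_SHA = re.compile(r"@[0-9a-f]{40}$")          # full commit SHA pin
# Key names that usually hold credentials, assigned a literal (non-expression) value.
SECRET_KEY = re.compile(
    r"^\s*([A-Za-z0-9_]*(?:TOKEN|SECRET|PASSWORD|API_KEY)[A-Za-z0-9_]*)\s*:\s*(.+)$", re.I
)
LITERAL_CRED = re.compile(r"""^["']?[A-Za-z0-9_\-]{16,}["']?$""")
WRITE_ALL = re.compile(r"^\s*permissions:\s*write-all\s*$")


@dataclass
class Finding:
    rule: str
    severity: str
    line: int      # 1-based line number in the workflow file
    detail: str


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def scan_workflow(text: str) -> list[Finding]:
    lines = text.splitlines()
    # Context: the trigger block is everything before the top-level "jobs:" key.
    header_end = next((i for i, l in enumerate(lines) if l.startswith("jobs:")), len(lines))
    fork_input = bool(RISKY_TRIGGER.search("\n".join(lines[:header_end])))
    injection_sev = "critical" if fork_input else "high"

    findings: list[Finding] = []
    i = 0
    while i < len(lines):
        line, lineno = lines[i], i + 1
        if WRITE_ALL.match(line):
            findings.append(Finding("misconfiguration", "high", lineno,
                                    "permissions: write-all grants every scope to the job token"))
        m = USES_LINE.match(line)
        if m:
            ref = m.group(1)
            if not ref.startswith(("./", "docker://")) and not PINNED_SHA.search(ref):
                findings.append(Finding("supply-chain", "medium", lineno,
                                        f"{ref} is not pinned to a full commit SHA"))
        m = SECRET_KEY.match(line)
        if m and "${{" not in m.group(2) and LITERAL_CRED.match(m.group(2).strip()):
            findings.append(Finding("secret", "high", lineno,
                                    f"{m.group(1)} holds a literal credential"))
        m = RUN_LINE.match(line)
        if m:
            base = _indent(line)
            body = [(lineno, m.group(1))]
            # A block scalar (run: | or run: >) continues on more-indented lines.
            while i + 1 < len(lines) and (not lines[i + 1].strip() or _indent(lines[i + 1]) > base):
                i += 1
                body.append((i + 1, lines[i]))
            for n, shell in body:
                for e in UNTRUSTED_EXPR.finditer(shell):
                    findings.append(Finding("injection", injection_sev, n,
                                            f"{e.group(0)} is expanded inside a run script"))
        i += 1
    return findings


# Constructed sample workflow; the SHA and token are placeholders, not real values.
SAMPLE_WORKFLOW = """name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    env:
      NPM_TOKEN: "npm_0123456789abcdef0123456789abcdef"
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - name: greet
        run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
          npm ci
      - name: safe greet
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "$TITLE"
"""

if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line:>3}  {f.severity:<8} {f.rule:<16} {f.detail}")
```

The "safe greet" step is deliberately included to show why the scan looks only inside `run:` scripts: the same untrusted expression assigned to an `env:` variable and read as `"$TITLE"` by the shell is not reported, because the value never becomes part of the script text. Swapping the trigger to `pull_request` keeps the injection finding but lowers it to high, which is the kind of context-dependent severity the feature list refers to.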