CI/CD Security Scanning
CI/CD is where secrets go to leak.
Flowlyt scans GitHub Actions workflows, GitLab CI pipelines, and other CI/CD configurations for exposed credentials, OIDC misconfigurations, and unvalidated supply chain dependencies — catching what code review misses.
The failures
Leaked secrets in CI
API tokens, database credentials, and signing keys committed directly into workflow files or passed as unmasked environment variables. Once committed, they stay in git history long after the file is cleaned up; only rotating the secret actually revokes it.
“One exposed NPM token shut down a company's deployment pipeline for three days.”
Over-permissioned GitHub tokens
Workflow-level permissions set to write-all when a single job needs a single scope, and id-token: write granted to every job when only the deploy job exchanges an OIDC token. Misconfigured workflow permissions that let any job push code or modify releases.
“One misconfigured id-token scope gave an external contributor write access to the main branch.”
Unvalidated third-party Actions
Actions referenced by mutable tags like @v3 or @main instead of a full-length commit SHA. If the upstream tag is moved to compromised code, that code runs with your workflow's permissions and secrets, silently.
“One exposed token ended a company's seed round.”
Why findings hold up
Intelligent agentic analysis, not noisy matching.
Flowlyt uses an intelligent agentic system to reason about workflow intent, data flow, and execution behavior. That context helps reduce false positives and makes the findings more trustworthy for engineering and security teams.
Context-aware analysis
Flowlyt reasons about triggers, permissions, job boundaries, and execution context instead of flagging every risky-looking pattern in isolation.
Lower false positives
The system filters noisy matches by understanding which findings are actually reachable and meaningful in the real workflow path.
Actionable findings
Security teams get fewer dead-end alerts and more precise findings they can trust, prioritize, and remediate quickly.
Capabilities
Secrets Detection
Scans workflow files and environment variable blocks for hardcoded tokens, API keys, and credentials — including entropy-based detection for unrecognized formats.
OIDC Misconfiguration Analysis
Detects id-token: write granted more broadly than the job that actually exchanges the OIDC token needs, and flags non-minimal permission sets that violate the principle of least privilege in GitHub Actions OIDC configurations.
Action Pinning Enforcement
Enforces pinning of every third-party Action to a full-length commit SHA, blocking mutable references like @v3 or @main that let a moved upstream tag inject code into your workflow.
Multi-Ecosystem Coverage
Analyzes GitHub Actions, GitLab CI, and other CI/CD ecosystems with platform-aware rules for risky permissions, insecure triggers, and unsafe pipeline behavior.
SARIF Output
Exports findings in SARIF 2.1 format, compatible with GitHub Code Scanning, SonarQube, Semgrep, and any SAST platform that accepts standard static analysis results.
GitHub PR Annotation
Posts inline review comments on the exact line of each violation, with remediation guidance, rule reference, and severity classification — directly in the pull request.
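To make the three failure classes above (leaked secrets, over-broad permissions, unpinned Actions) and the matching capabilities concrete, here is an added example of what a minimal version of those checks looks like. It is written for this page and is not Flowlyt's code: the SAMPLE_WORKFLOW, the placeholder 40-hex SHA in it, and the 3.5 bits-per-character entropy threshold are constructed assumptions, and the checks are line-based rather than a full YAML parse.

```python
"""Minimal GitHub Actions workflow linter for three failure classes:
unpinned third-party Actions, write-all / workflow-level id-token: write,
and high-entropy literals in env blocks.  Example code for this page,
not Flowlyt's implementation; the workflow below is constructed."""
import math
import re
from collections import Counter

# Constructed sample workflow with one instance of each problem.
SAMPLE_WORKFLOW = """\
name: release
on: push
permissions:
  id-token: write
  contents: read
env:
  NPM_TOKEN: npm_9fK2xQ7LmP4vR8tY1wZ3aB6cD5eF0gH2jK4lM
  NODE_ENV: production
jobs:
  build:
    runs-on: ubuntu-latest
    permissions: write-all
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1111111111111111111111111111111111111111  # placeholder SHA, not a real commit
      - uses: some-org/deploy@main
      - run: npm publish
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
ENV_VALUE_RE = re.compile(r"^\s+([A-Za-z_][A-Za-z0-9_]*):\s*(\S+)\s*$")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip())


def find_unpinned_actions(workflow: str) -> list[tuple[int, str]]:
    """(line, ref) for every `uses:` not pinned to a full 40-hex commit SHA.
    Local actions (./path) and docker:// images have no upstream tag to move."""
    issues = []
    for n, line in enumerate(workflow.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue
        _, _, version = ref.rpartition("@")  # no "@" at all is also unpinned
        if not SHA_RE.match(version):
            issues.append((n, ref))
    return issues


def find_permission_issues(workflow: str) -> list[tuple[int, str]]:
    """Flag `permissions: write-all` at any level, and `id-token: write` in the
    workflow-level block, where it lets every job mint an OIDC token."""
    issues = []
    block_indent = None  # indent of the permissions: key we are inside
    block_scope = None   # "workflow" or "job"
    for n, raw in enumerate(workflow.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = _indent(raw)
        if block_indent is not None and indent <= block_indent:
            block_indent = block_scope = None  # left the permissions block
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        if key == "permissions":
            block_indent = indent
            block_scope = "workflow" if indent == 0 else "job"
            if value == "write-all":
                issues.append((n, f"{block_scope}-level permissions: write-all"))
        elif block_scope == "workflow" and key == "id-token" and value == "write":
            issues.append((n, "id-token: write at workflow level; grant it only on the job that exchanges the token"))
    return issues


def shannon_entropy(s: str) -> float:
    """Bits per character: a 40-char random token scores about 5, English words under 4."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_high_entropy_values(workflow: str, min_len: int = 20,
                             threshold: float = 3.5) -> list[tuple[int, str, float]]:
    """(line, key, entropy) for literal env values that are long and random-looking.
    `${{ secrets.* }}` references are not literals and are skipped."""
    issues = []
    env_indent = None
    for n, raw in enumerate(workflow.splitlines(), 1):
        if not raw.strip():
            continue
        indent = _indent(raw)
        if env_indent is not None and indent <= env_indent:
            env_indent = None
        if raw.strip() == "env:":
            env_indent = indent
            continue
        m = ENV_VALUE_RE.match(raw) if env_indent is not None else None
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip("'\"")
        if value.startswith("${{") or len(value) < min_len:
            continue
        ent = shannon_entropy(value)
        if ent >= threshold:
            issues.append((n, key, round(ent, 2)))
    return issues


def scan(workflow: str) -> list[str]:
    """All findings as 'line N: message', ordered by line."""
    findings = [(n, f"unpinned action {ref}") for n, ref in find_unpinned_actions(workflow)]
    findings += find_permission_issues(workflow)
    findings += [(n, f"high-entropy literal in env {key} (H={h} bits/char)")
                 for n, key, h in find_high_entropy_values(workflow)]
    return [f"line {n}: {msg}" for n, msg in sorted(findings)]


if __name__ == "__main__":
    for finding in scan(SAMPLE_WORKFLOW):
        print(finding)
```

Running it on the constructed workflow reports five findings: the workflow-level id-token: write, the job's write-all, the two mutable refs (@v4 and @main), and the NPM_TOKEN literal; the SHA-pinned setup-node step and the short NODE_ENV value are not flagged. The entropy check is where false positives come from in practice (base64 config blobs, long hashes), which is why a production tool adds the reachability and context reasoning the page describes rather than stopping at a threshold.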
In production
“We found a leaked NPM token that had been live in CI for eleven months. Flowlyt caught it in the first scan. We had no idea it was there.”
“The SARIF output plugs directly into our existing security dashboard. Zero configuration on our end. It just appeared in Code Scanning like any other tool.”
“Every third-party Action in our org is now SHA-pinned. Enforcing that workflow alone was worth the annual contract — it takes that work completely off our plate.”
Early access
Join the waitlist.
Flowlyt is in closed preview. Drop your email — we'll reach out when your team's slot opens, with full access and a setup session included. No credit card required.
What you get
Full platform access
Unlimited repositories, 90-day history, and all detection rules from day one.
Dedicated setup session
A 30-minute call with the team to connect your org and review your first scan report.
Direct feedback loop
Your security findings shape what we build next. Early teams set the product roadmap.