Advanced security analyzer with AI-enhanced false positive detection for GitHub Actions and GitLab CI/CD workflows

Flowlyt combines traditional pattern matching with cutting-edge Abstract Syntax Tree (AST) analysis and AI-powered verification to deliver 62% faster scans with 66% fewer false positives. Selected for presentation at DEF CON 33 and Black Hat Europe 2025.

🔑 Bring Your Own Key (BYOK) Model - Use your preferred AI provider with your own API key for enhanced privacy and control.

• OpenAI (GPT-4, GPT-4o, GPT-4o-mini) - General-purpose security analysis
• Google Gemini (1.5 Pro, 1.5 Flash) - Fast, cost-effective analysis
• Anthropic Claude (3 Opus, 3 Sonnet, 3 Haiku) - Detailed reasoning and nuanced analysis
• xAI Grok (Beta) - Alternative analysis perspective
• Perplexity (Llama 3.1 Sonar, GPT-4o) - Real-time web-enhanced analysis

• 🎯 False Positive Detection - AI distinguishes between real threats and configuration noise
• 🧠 Context-Aware Analysis - Understands CI/CD patterns and legitimate usage
• 🔒 Supply Chain Security Focus - Specialized in GitHub Actions hardening and runner security
• ⚡ Real-time Verification - Instant AI analysis of security findings
• 📊 Confidence Scoring - AI provides confidence levels (0-100%) for each assessment

• 🤖 AI-Powered Analysis - BYOK model with OpenAI, Gemini, Claude, and Grok support
• 🎯 AST-Based Analysis - Call graph, reachability, and data flow analysis
• 🚀 Multi-Platform - GitHub Actions + GitLab CI/CD support
• 🛡️ 85+ Security Rules - Injection, secrets, supply chain, misconfigurations
• 🧠 False Positive Reduction - AI distinguishes real threats from configuration noise
• 📊 SARIF Output - GitHub Security tab integration
• ⚙️ Configurable - Custom rules, policies, and ignore patterns
• 🔄 Real-time Intelligence - OSV.dev vulnerability database integration

Install latest version directly:

# Install specific latest version
go install github.com/harekrishnarai/flowlyt/cmd/flowlyt@latest

Install specific version directly:

# Install specific latest version
go install github.com/harekrishnarai/flowlyt/cmd/flowlyt@v1.0.3

Verification: Check that you have the correct version:

flowlyt --version
# Should output: flowlyt version 1.0.3

# Set your AI API key (BYOK model)
export AI_API_KEY=your-api-key

# Scan with AI-powered false positive detection
flowlyt scan ./my-repo --ai openai
flowlyt scan ./my-repo --ai gemini  
flowlyt scan ./my-repo --ai claude
flowlyt scan ./my-repo --ai grok
flowlyt scan ./my-repo --ai perplexity

# Advanced AI configuration
flowlyt scan ./my-repo \
  --ai openai \
  --ai-model gpt-4 \
  --ai-workers 10 \
  --ai-timeout 60

Unauthenticated API calls to GitHub/GitLab are heavily rate limited. For reliable --url scans, provide a token via environment variable or CLI flag.

# GitHub: use environment variable
export GITHUB_TOKEN=ghp_your_token_here
flowlyt scan --url https://github.com/step-security/github-actions-goat \
  --output json --output-file results.json

# GitHub: or via flag (overrides env)
flowlyt scan --url https://github.com/step-security/github-actions-goat \
  --github-token ghp_your_token_here \
  --output json --output-file results-with-token.json

# GitLab: SaaS or self-hosted
export GITLAB_TOKEN=glpat_your_token_here
flowlyt scan --platform gitlab \
  --url https://gitlab.com/owner/repo \
  --gitlab-token glpat_your_token_here

🔍 Analyzing: .github/workflows/ci.yml
⚡ AST Analysis: ON (62% faster, 66% fewer false positives)

🚨 CRITICAL: Shell Injection via curl | bash
   └─ Line 23: curl -sSL https://get.docker.com/ | sh
   └─ Risk: Remote code execution, supply chain attack
   
🔥 HIGH: Hardcoded Secret Detected  
   └─ Line 15: API_KEY="sk-1234567890abcdef"
   └─ Risk: Credential exposure in version control

✅ Scan completed in 28ms
Found 2 issues (1 Critical, 1 High, 0 Medium, 0 Low)

🔍 Analyzing: .github/workflows/ci.yml
⚡ AST Analysis: ON | 🤖 AI Analysis: gemini
🔍 Analyzing 12 findings with AI...
✅ AI Analysis Complete:
  - Successfully analyzed: 12/12 findings
  - Likely false positives: 8
  - Likely true positives: 4
  - High confidence: 10, Medium: 2, Low: 0

🚨 CRITICAL: Shell Injection via curl | bash
   └─ Line 23: curl -sSL https://get.docker.com/ | sh
   └─ Risk: Remote code execution, supply chain attack
   
   🤖 AI Analysis: Likely TRUE POSITIVE (95% confidence)
   AI Reasoning: This is a classic supply chain attack vector. The script downloads 
   and executes code directly from an external source without verification...

🔥 HIGH: Hardcoded Secret Detected  
   └─ Line 15: API_KEY="sk-1234567890abcdef"
   └─ Risk: Credential exposure in version control
   
   🤖 AI Analysis: Likely FALSE POSITIVE (90% confidence)
   AI Reasoning: This appears to be a placeholder value commonly used in 
   documentation and examples, not an actual secret...

✅ Scan completed in 1.2s
Found 4 real issues (1 Critical, 1 High, 2 Medium) | 8 false positives filtered by AI

name: Security Scan
on: [push, pull_request]

jobs:
  security:
    runs-on: ubuntu-latest
    permissions:
      security-events: write  # Required for SARIF upload
      contents: read
    
    steps:
      - uses: actions/checkout@v4
      
      - name: Run Flowlyt Security Scan
        uses: harekrishnarai/flowlyt@v1.0.3
        with:
          output-format: 'sarif'
          output-file: 'flowlyt-results.sarif'
          min-severity: 'MEDIUM'
          fail-on-severity: 'HIGH'
          
      - name: Upload to GitHub Security
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: flowlyt-results.sarif
          category: flowlyt

- name: Advanced Flowlyt Scan
  uses: harekrishnarai/flowlyt@v1.0.3
  with:
    config-file: '.flowlyt.yml'
    output-format: 'sarif'
    output-file: 'flowlyt-results.sarif'
    enable-ast-analysis: true        # Enable AST-based analysis
    enable-vuln-intel: true           # Enable OSV.dev vulnerability intelligence
    enable-policy-enforcement: true   # Enable enterprise policy checks
    min-severity: 'LOW'
    fail-on-severity: 'CRITICAL'
    verbose: true
    
- name: Upload Results
  if: always()
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: flowlyt-results.sarif

Note: AI-powered analysis is currently available via CLI only. Use the action for automated scanning and CLI with --ai flag for AI-enhanced local analysis.

• Your Keys, Your Control - Use your own API keys with any supported provider
• No Data Storage - Findings are analyzed in real-time, not stored by AI providers
• Transparent Costs - Pay only for what you use with your own account
• Provider Choice - Switch between OpenAI, Gemini, Claude, or Grok anytime

• SARIF Output - GitHub Security tab integration
• AST Analysis - Call graph, reachability, data flow
• Multi-Platform - GitHub Actions + GitLab CI/CD
• 🤖 AI-Powered Analysis - BYOK model with multi-provider support
• False Positive Reduction - AI-enhanced accuracy and context awareness
• IDE Extension - VS Code real-time analysis with AI
• Workflow Visualization - Security dependency graphs
• Enterprise Features - SSO, RBAC, compliance reporting
• AI Model Training - Custom models for organization-specific patterns

We welcome contributions! See CONTRIBUTING.md for guidelines.

MIT License - see LICENSE for details.

# 1. Install Flowlyt
go install github.com/harekrishnarai/flowlyt/cmd/flowlyt@latest

# 2. Get your API key (choose one):
# - OpenAI: https://platform.openai.com/api-keys
# - Gemini: https://aistudio.google.com/app/apikey  
# - Claude: https://console.anthropic.com/
# - Grok: https://console.x.ai/
# - Perplexity: https://www.perplexity.ai/settings/api

# 3. Run AI-enhanced scan
export AI_API_KEY=your-api-key
flowlyt scan ./your-repo --ai gemini

• 🎯 60-80% Fewer False Positives - Focus on real threats, not noise
• ⚡ Instant Triage - AI explains why findings matter in seconds
• 🔒 Supply Chain Focus - Built for GitHub Actions and CI/CD security
• 💰 Cost Effective - Pay only for what you analyze with BYOK model
• 🛡️ Privacy First - Your keys, your data, your control

Conference Presentations:

• 🎯 DEF CON 33 - AppSec Village (Presented)
• 🔥 Black Hat Europe 2025 (Upcoming)

Thanks to all the people who already contributed!
Hare Krishna Rai
Gaurav Joshi
Chanchal Kalnarayan
Prashant Venkatesh
Nandan Gupta
Mohd. Arif