Session

Catch the Flow: Securing CI/CD with Flowlyt

In March 2025, a critical supply chain attack struck the popular GitHub Action `tj-actions/changed-files`, used by more than 23,000 repositories. The attacker slipped in a malicious version that silently exfiltrated CI/CD secrets by printing them to workflow logs—everything from Personal Access Tokens to private SSH keys was suddenly at risk. This incident (CVE-2025-30066) revealed just how easy it is for a trusted third-party action to turn into a threat vector, especially when security controls around CI/CD workflows are lacking.

We built Flowlyt as a static analysis and policy-as-code tool that scans GitHub Actions workflows for signs of malicious behavior, hardcoded secrets, and insecure patterns. With support for Open Policy Agent (OPA), it lets security teams define and enforce custom rules that align with their CI/CD security standards.

Hare Krishna Rai

Product Security Engineer with a passion for cybersecurity, driven to excel in various areas and specialized in penetration testing and code reviews.

Hyderābād, India
