If you discover a security vulnerability in Flowlyt, please send an email to hi@harekrishnarai.me with details about the issue. Please include:

• A description of the vulnerability
• Steps to reproduce the issue
• Potential impact and affected versions
• Proof of concept (if applicable)
• Suggestions for mitigations (if any)

We take security seriously and will:

• Acknowledge receipt within 48 hours
• Provide a detailed response within 7 days
• Work with you to understand and address the issue
• Keep you informed throughout the resolution process
• Credit you in the security advisory (unless you prefer to remain anonymous)

Please do not disclose the vulnerability publicly until we have released a fix.

We actively support the following versions with security updates:

Recommendation: Always use the latest stable release (v1.0.8+) for the best security and features.

All Flowlyt releases include multiple layers of verification:

1. SHA256 Checksums

# Download checksums file
curl -sSL https://github.com/harekrishnarai/flowlyt/releases/download/v1.0.8/checksums.txt -o checksums.txt

# Verify binary integrity
sha256sum -c checksums.txt --ignore-missing

2. Cosign Signatures

Flowlyt binaries and container images are signed with Cosign:

# Verify binary signature
cosign verify-blob \
  --signature flowlyt-linux-amd64.sig \
  --certificate flowlyt-linux-amd64.pem \
  --certificate-identity "https://github.com/harekrishnarai/flowlyt/.github/workflows/release.yml@refs/tags/v1.0.8" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  flowlyt-linux-amd64

# Verify container image signature
cosign verify \
  --certificate-identity "https://github.com/harekrishnarai/flowlyt/.github/workflows/docker-publish.yml@refs/heads/main" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  ghcr.io/harekrishnarai/flowlyt:latest

3. SLSA Provenance

Flowlyt achieves SLSA Level 3 build provenance:

# Verify SLSA provenance
slsa-verifier verify-artifact \
  --provenance-path flowlyt-linux-amd64.intoto.jsonl \
  --source-uri github.com/harekrishnarai/flowlyt \
  flowlyt-linux-amd64

4. SBOM (Software Bill of Materials)

Each release includes a comprehensive SBOM:

# View SBOM
curl -sSL https://github.com/harekrishnarai/flowlyt/releases/download/v1.0.8/sbom.json | jq .

Our official GitHub Action (harekrishnarai/flowlyt) implements:

• ✅ Pinned Dependencies: All actions pinned to full SHA commits
• ✅ Checksum Verification: Binary integrity checked before execution
• ✅ Secure Token Handling: Tokens passed via environment variables, never command-line
• ✅ Command Injection Prevention: Array-based argument construction
• ✅ Timeout Protection: Download and execution timeouts
• ✅ Minimal Permissions: Least privilege principle

Example secure usage:

- name: Run Flowlyt Security Scan
  uses: harekrishnarai/flowlyt@v1.0.8  # Pin to specific version
  with:
    platform: github
    output-format: sarif
    min-severity: MEDIUM
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Token via env, not args

Our own GitHub Actions workflows follow security best practices:

• ✅ All actions pinned to SHA commits
• ✅ Minimal permissions with explicit grants
• ✅ Timeout protection on all jobs
• ✅ No persist-credentials where unnecessary
• ✅ Regular security scanning (CodeQL, govulncheck, Flowlyt self-scan)
• ✅ OpenSSF Scorecard monitoring

1. Keep Updated

# Check for updates
flowlyt --version

# Install latest version
go install github.com/harekrishnarai/flowlyt/cmd/flowlyt@latest

2. Use in CI/CD

Integrate Flowlyt into your pipeline for continuous security monitoring:

- name: Security Scan
  run: |
    flowlyt scan --repo . \
      --output sarif \
      --output-file results.sarif \
      --min-severity MEDIUM

3. Follow Remediation Advice

Flowlyt provides actionable remediation steps for each finding. Review and implement these recommendations.

4. Verify Binary Integrity

Always verify checksums when downloading releases:

# Automated verification
curl -sSL https://raw.githubusercontent.com/harekrishnarai/flowlyt/main/scripts/verify.sh | bash -s v1.0.8

1. Security Testing

Run security checks before submitting PRs:

# Run Flowlyt self-scan
make test-security

# Run all security checks
go test ./... -v
govulncheck ./...

2. Dependency Updates

Keep dependencies updated and review security advisories:

go list -m -u all
go mod tidy

3. Code Review

Security-sensitive changes require thorough review:

• Input validation changes
• Authentication/authorization logic
• Cryptographic operations
• External command execution

# Adjust secret detection sensitivity
flowlyt scan --entropy-threshold 4.5

# Use custom severity threshold
flowlyt scan --min-severity HIGH

# Output formats for integration
flowlyt scan --output sarif    # GitHub Advanced Security
flowlyt scan --output json     # Machine-readable

Flowlyt uses intelligent context-aware analysis to reduce false positives by 50-60%:

# .flowlyt.yml
context_aware:
  enabled: true  # Default: true

  # Custom severity overrides
  severity_overrides:
    BROAD_PERMISSIONS:
      test_workflows: MEDIUM
      release_workflows: HIGH

Disable only if you need raw findings:

export FLOWLYT_CONTEXT_AWARE=false

Flowlyt adheres to industry security standards:

• ✅ OpenSSF Best Practices: Badge earned
• ✅ SLSA Level 3: Build provenance attestations
• ✅ NIST SSDF: Secure Software Development Framework alignment
• ✅ GitHub Security Best Practices: All workflows hardened

OpenSSF Scorecard: Results published weekly via GitHub Actions

Flowlyt undergoes continuous security scanning:

• Flowlyt Self-Scan: Weekly and on every PR
• CodeQL Analysis: Semantic code analysis for vulnerabilities
• govulncheck: Go vulnerability database checks
• Dependency Review: Automated dependency vulnerability scanning
• OpenSSF Scorecard: Supply chain security posture assessment

All scan results are available:

• Security Tab
• Code Scanning Alerts
• Dependabot Alerts

Security advisories are published at:

• GitHub Security Advisories
• Release notes for security fixes

Subscribe to releases to stay informed: Watch Releases

• GitHub Actions Security Hardening Guide
• OWASP Top 10 CI/CD Security Risks
• Flowlyt Documentation

• SLSA Framework
• Sigstore (Cosign)
• OpenSSF Best Practices
• NIST SSDF

• Cosign - Binary signing and verification
• slsa-verifier - SLSA provenance verification
• govulncheck - Go vulnerability scanner

• Security Issues: hi@harekrishnarai.me (GPG key available upon request)
• General Questions: GitHub Discussions
• Bug Reports: GitHub Issues

Last Updated: February 2026 (v1.0.8) Next Review: May 2026