Trace Documentation

Welcome to the Trace documentation. This site covers how the Trace platform works, how to integrate with it, and how to work with it from the command line.

Start here

• Getting Started — What Trace does, who it's for, and how onboarding works.
• Platform Overview — How Trace scans your code, what gets verified, and where findings show up.

Platform

Deep dives on each part of the scanning platform.

• Static Analysis (SAST) — Code-level vulnerabilities, including AI-specific risks.
• Software Composition Analysis (SCA) — Dependency scanning with reachability verification.
• Secrets Detection — Hardcoded credential detection with live-secret verification.
• Pull Request Workflow — Check runs, inline comments, SARIF, blocking policy.
• Continuous Monitoring — Daily scans and drift detection.
• Verified Vulnerabilities — Coming soon: exploit-proven findings.

Integrations

Connect Trace to the systems your team already uses.

• Cloud Integrations — AWS and Vercel today; GCP and Azure on the roadmap.

Security

How Trace protects your data and how your team controls access.

• How Trace Handles Your Data — Protections applied to source code, secrets, and findings.
• Access Control — SSO, SCIM, roles, audit log, and GitHub App permissions.

For compliance attestations and audit reports, visit our Trust Center.

CLI

Use Trace CLI to authenticate, inspect repositories, and query vulnerabilities directly from your terminal.

• CLI Overview — Command tree, common options, and practical examples.

Webhooks

Receive real-time notifications when vulnerabilities are detected, resolved, or change status. Trace webhooks deliver structured event payloads to your endpoints so you can automate triage, alerting, and compliance workflows.

• Webhooks Overview — How webhooks work, authentication, and delivery guarantees.
• Event Types — Complete catalog of all webhook event types.
• Vulnerability Events — Events for vulnerability lifecycle changes.