Getting Started
How Trace works, what to expect during onboarding, and where to go next.
Trace is an AI-native security platform that scans your code for vulnerabilities, exposed secrets, and risky dependencies — and surfaces what actually matters in the places engineers already work: pull requests, GitHub code scanning, the dashboard, and your existing notification channels.
In short: connect your GitHub organization, and Trace's three scanning engines run on every push, every pull request, and every day on a schedule. Findings reach your team through PR checks, inline review comments, GitHub Code Scanning, and your notification channels.
This page walks through what Trace does, who it's for, and what happens when your organization is onboarded.
What Trace does
Trace runs three scanning engines against every connected repository:
| Engine | What it finds |
|---|---|
| Static Analysis (SAST) | Code-level vulnerabilities — injection, auth bypasses, unsafe deserialization, business-logic flaws, AI/LLM application risks — found by tracing data across files and services. |
| Software Composition Analysis (SCA) | Known CVEs in your third-party dependencies, prioritized by whether the vulnerable code path is actually reachable from your application. |
| Secrets Detection | Hardcoded credentials, API keys, and tokens. Trace verifies live secrets where it can, so you know which exposures need to be rotated now. |
Findings flow through PR checks, inline review comments, GitHub Code Scanning (SARIF), and the dashboard. You can also receive notifications via Slack, email, or webhooks, and pipe events into your own systems.
For a deeper look at each engine, see the Platform Overview.
Who Trace is built for
- AppSec engineers who need scanning that finds real issues without drowning the team in false positives.
- CISOs who need defensible, audit-ready coverage for SOC 2, ISO 27001, and similar compliance regimes.
- Engineering teams who want security feedback in their normal review loop — not a separate dashboard that nobody opens.
How onboarding works
Trace onboarding is hands-on. The Trace team runs the first few scans alongside you and tunes the platform to your codebase before you start receiving day-to-day output.
The flow looks like this:
- Account provisioning. We provision your organization in WorkOS and invite your initial admins. SSO (SAML, OIDC, Google, Microsoft) and SCIM provisioning can be wired up at this stage.
- Install the GitHub App. From the dashboard, you'll be guided to install Trace's GitHub App on your organization and select which repositories to grant access to. GitHub's install screen lists every permission Trace requests, and we publish a complete reference on request for security review.
- Repositories sync. Every repo you grant access to appears in your dashboard automatically. You can review them, add metadata (production vs. internal, etc.), and adjust scan settings per repo.
- Tuning pass. The Trace team runs the first round of scans, walks through the findings with you, and tunes thresholds, severity, and rules to fit your codebase. This is where we identify false positives, calibrate severity, and agree on what counts as "fix this now" versus "track this for later."
- Automated scanning turns on. Once you're happy with output quality, Trace flips on automated scanning. From this point on, every push and pull request runs through the engines, and a daily incremental scan covers anything that drifts on the default branch.
You don't need to wire up CI yourself, write rule files, or maintain language-specific configs. Trace works across any language in your repository without per-language setup.
Where to go from here
- Platform Overview — How Trace scans your code, what gets verified, and where findings show up.
- Pull Request Workflow — How Trace fits into PR review and what your developers will see.
- CLI Reference — `tracecli` for working with Trace from your terminal.
- Webhooks — Real-time event delivery for triage, ticketing, and compliance automation.