Worried about your repos getting hacked?
Would you even know if your keys were getting exposed?
Most teams find out from a customer, a researcher, or a postmortem - weeks later. Now you can have detection set up to be alerted straight away.
- Free forever
- Installs in your GitHub Action
- Up to 10 repos covered
Join Tracebit Community Edition
Completely free, 5 minutes to set up
- AKIA3F2NXJ7Q9P8KX1MZ 🇬🇧 94.198.55.12 just now
AWS canary credential used
root@bastion-eu-2 🇺🇸 185.143.223.41 20 days agoSSH canary key touched
- AKIA7K2QXJ4N1V8MZ3PR 🇺🇸 73.140.187.92 71 days ago
AWS canary credential used
Security Canaries
What are canaries?
A canary is a decoy - a credential that looks exactly like a real one, but never gets used. So the moment anyone tries to, you know something is wrong.
Tracebit Community Edition now protects your GitHub Action workflow with AWS canary credentials and SSH key canaries deployed alongside your real ones.
If anyone touches them, we’ll send you an alert. It’s a quick win you can set up in any GitHub project and takes under 5 minutes.
Permissions & trust
What happens when you connect Tracebit
Setting up the integration takes about a minute. Here’s exactly what we do with the access you grant.
The permissions we ask for, and why
| GitHub permission | What we use it for |
|---|---|
| Read - Actions & Metadata | To see your workflows and their runs, so we can place canaries in the right spot and confirm your pipelines are protected (this is how we calculate your coverage). |
| Read & write - Workflows |
GitHub requires this specific permission to add our canary step to the files in your .github/workflows/ folder.
|
| Read & write - Code & Pull requests | To open a pull request that adds the integration to your workflows. You review and merge it - we never push to your branches directly. |
What we send to Tracebit
Only metadata about your workflow runs - the repository name, workflow name, job, commit SHA, and run ID. That’s what lets us tie an alert back to the exact pipeline if a canary ever fires.
What we write
A single pull request that adds the Tracebit canary step to your workflows. You see the diff, you approve it, you merge it. Nothing changes until you say so.
What we never touch
- × Your real secrets and keys never reach our infrastructure. Canary credentials are decoys we issue - not your real ones.
- × We don’t read or ingest your business logic, source code, or environments. The only code we look at is the workflow files we need to integrate with.
- × We don’t merge, deploy, or change anything outside the pull request you approve.
It’s no longer enough to
assume you won’t be hit.
Some of the repos compromised recently had large teams with great security. If it can happen to them, it can happen to anyone. So it’s really important to have detection in place to catch it the moment it affects you. Recent attacks include:
2026 · Open source toolchain
TeamPCP
Compromised a chain of widely-used open source tools earlier this year - Trivy, KICS, LiteLLM and Telnyx among them.
GitHub Actions
tj-actions
A popular action was modified to exfiltrate secrets from every workflow that pulled it in. Thousands of repos affected.
npm
s1ngularity
Typosquatted npm packages quietly harvested credentials from any build environment that installed them.
Self-replicating worm
Shai-Hulud
The first self-propagating npm supply chain worm. Spread by stealing tokens from every pipeline that touched an infected package.
Learn more in Alessandro Brucato's published research.
This was built with community security in mind, and will remain completely free.
We want to help you protect your repos and your work. We would also love to hear your feedback. If the limits don’t cover what you need, or there’s a feature you’d love to see - tell us, and we’ll see what we can do at community@tracebit.com.
FAQs
Is it really free, forever?
Yes. Community Edition was built to make security canaries accessible to all and it'll stay that way.
Do I need to be a security engineer to use this?
No. Community Edition is built so anyone can deploy it - no security background required.
Can Tracebit read my code?
Please look at the Permissions & trust section above.
Can an attacker tell a canary is fake?
The credentials are created exactly the same way as real credentials, so attackers cannot tell the difference.
Does this really catch supply chain attacks?
Yes! Read more in Alessandro Brucato's published research.