Free, forever. Built for builders.

Worried about supply chain attacks hitting your repos?

Would you even know if your keys were getting exposed?

Most teams find out from a customer, a researcher, or a postmortem - weeks later. Now you can set up detection that alerts you straight away.

  • Free forever
  • Installs into your GitHub Actions workflows
  • Up to 10 repos covered

This is what your inbox looks like when something trips a canary:

  • AWS canary credential used: 🇬🇧 94.198.55.12, just now
  • SSH canary key touched: 🇺🇸 185.143.223.41, 20 days ago
  • AWS canary credential used: 🇺🇸 73.140.187.92, 71 days ago

Security Canaries

What are canaries?

A canary is a decoy - a credential that looks exactly like a real one, but is never used legitimately. So the moment anyone tries to use it, you know something is wrong.

Tracebit Community Edition now protects your GitHub Actions workflows with AWS canary credentials and SSH canary keys deployed alongside your real ones.

If anyone touches them, we’ll send you an alert. It’s a quick win you can set up in any GitHub project and takes under 5 minutes.

    # .github/workflows/deploy.yml
    env:
      DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
      AWS_ACCESS_KEY_ID: AKIA3F2NXJ7Q9P8KX1MZ                  # ← canary
      SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
      SSH_DEPLOY_KEY: -----BEGIN OPENSSH PRIVATE KEY-----       # ← canary
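The snippet shows where the decoy goes; the other half is noticing when it is used. As an added example (not code from this page or from Tracebit), here is the detection side of the AWS canary in principle: it assumes API activity arrives as CloudTrail-style records, keeps a registry mapping the canary key ID from the workflow above to a label, and raises an alert for any record that names that key, whether or not AWS allowed the call. The sample records, source addresses and timestamps are constructed.

```python
"""Detection side of an AWS canary credential (added example, not Tracebit code).

Assumption: activity arrives as CloudTrail-style records ({"Records": [...]})
carrying userIdentity.accessKeyId, eventName, sourceIPAddress, eventTime and,
for rejected calls, errorCode. A canary key is never used legitimately, so
every record that names it is an alert, even when the call was denied.
"""
import json
from collections import defaultdict
from dataclasses import dataclass

# Canary registry. The key ID is the one planted in the deploy.yml snippet;
# the label is a constructed note of where the decoy lives.
CANARY_KEY_IDS = {
    "AKIA3F2NXJ7Q9P8KX1MZ": "deploy.yml AWS_ACCESS_KEY_ID canary",
}


@dataclass(frozen=True)
class Alert:
    key_id: str
    label: str
    event_name: str
    source_ip: str
    event_time: str
    denied: bool  # True when AWS rejected the call (record carries errorCode)


def load_records(text: str) -> list:
    """Parse a CloudTrail delivery envelope into its list of records."""
    return json.loads(text).get("Records", [])


def detect_canary_use(records) -> list:
    """Return one Alert per record that used a registered canary key ID."""
    alerts = []
    for rec in records:
        # Console logins and some role sessions carry no accessKeyId at all.
        key_id = rec.get("userIdentity", {}).get("accessKeyId")
        if key_id not in CANARY_KEY_IDS:
            continue
        alerts.append(Alert(
            key_id=key_id,
            label=CANARY_KEY_IDS[key_id],
            event_name=rec.get("eventName", "?"),
            source_ip=rec.get("sourceIPAddress", "?"),
            event_time=rec.get("eventTime", "?"),
            denied="errorCode" in rec,
        ))
    return alerts


def summarize(alerts) -> dict:
    """Group alerts per canary: first sighting, distinct source IPs, calls made."""
    summary = defaultdict(lambda: {"first_seen": None, "source_ips": set(), "calls": []})
    for a in alerts:
        entry = summary[a.key_id]
        # ISO-8601 timestamps with a trailing Z compare correctly as strings.
        if entry["first_seen"] is None or a.event_time < entry["first_seen"]:
            entry["first_seen"] = a.event_time
        entry["source_ips"].add(a.source_ip)
        entry["calls"].append(a.event_name)
    return dict(summary)


# Constructed sample records (RFC 5737 documentation addresses, made-up times).
# Record 1: the usual first probe with a found key; it needs no permissions.
# Record 2: a follow-up call the canary key is not allowed to make.
# Record 3: a real key doing real work; must not alert.
# Record 4: a console login with no access key ID in userIdentity.
SAMPLE_RECORDS_JSON = json.dumps({"Records": [
    {"eventTime": "2026-03-01T10:00:00Z", "eventName": "GetCallerIdentity",
     "eventSource": "sts.amazonaws.com", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIA3F2NXJ7Q9P8KX1MZ"}},
    {"eventTime": "2026-03-01T10:00:04Z", "eventName": "ListBuckets",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "203.0.113.5",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIA3F2NXJ7Q9P8KX1MZ"}},
    {"eventTime": "2026-03-01T10:01:00Z", "eventName": "PutObject",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEREALKEY01"}},
    {"eventTime": "2026-03-01T10:02:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser"}},
]})


if __name__ == "__main__":
    found = detect_canary_use(load_records(SAMPLE_RECORDS_JSON))
    for a in found:
        state = "denied" if a.denied else "allowed"
        print(f"AWS canary credential used: {a.source_ip} {a.event_name} ({state}) at {a.event_time}")
    print(summarize(found))
```

Two details matter for a real deployment. The decoy key should carry no permissions, and that does not weaken detection: CloudTrail still records the rejected call with an errorCode, and sts:GetCallerIdentity succeeds for any valid key, so the very first probe is visible. And the detector keys on the access key ID alone rather than on outcome, source or time of day, because there is no legitimate baseline to compare against; a canary has none by construction.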

It’s no longer enough to assume you won’t be hit.

Some of the repos compromised recently had large teams with great security. If it can happen to them, it can happen to anyone. So it’s really important to have detection in place to catch it the moment it affects you. Recent attacks include:

  • TeamPCP (2026, open source toolchain): Compromised a chain of widely-used open source tools earlier this year - Trivy, KICS, LiteLLM and Telnyx among them.

  • tj-actions (GitHub Actions): A popular action was modified to exfiltrate secrets from every workflow that pulled it in. Thousands of repos affected.

  • s1ngularity (npm): Typosquatted npm packages quietly harvested credentials from any build environment that installed them.

  • Shai-Hulud (self-replicating worm): The first self-propagating npm supply chain worm. Spread by stealing tokens from every pipeline that touched an infected package.

Learn more in Alessandro Brucato's published research.

This was built with community security in mind, and will remain completely free.

We want to help you protect your repos and your work. We would also love to hear your feedback. If the limits don’t cover what you need, or there’s a feature you’d love to see — tell us, and we’ll see what we can do at community@tracebit.com.

FAQs

Is it really free, forever?

Yes. Community Edition was built to make security canaries accessible to all and it'll stay that way.

Do I need to be a security engineer to use this?

No. Community Edition is built so anyone can deploy it — no security background required.

Can Tracebit read my code?

All Tracebit will read is your GitHub Actions code, i.e. the contents of the .github/workflows folder. This is needed so we can automatically integrate our GitHub Action into your workflows and keep them updated. Your real keys and your business logic never touch our infrastructure.

We also have access to metadata for your GitHub Actions workflow runs so that we can make sure your workflows are actually protected and calculate your coverage.

Can an attacker tell a canary is fake?

The credentials are created exactly the same way as real credentials, so attackers cannot tell the difference.

Does this really catch supply chain attacks?

Yes! Read more in Alessandro Brucato's published research.