Free, forever. Built for builders.

Worried about your repos getting hacked?

Would you even know if your keys were getting exposed?

Most teams find out from a customer, a researcher, or a postmortem - weeks later. Now you can have detection set up to be alerted straight away.

  • Free forever
  • Installs in your GitHub Action
  • Up to 10 repos covered

Join Tracebit Community Edition

Completely free, 5 minutes to set up

Already in? Log in. By continuing you agree to our Terms and Privacy Policy. Cookie preferences.
Trusted by
Audited
SOC 2 Type 2 audited Verified AWS Qualified Software
LIVE This is what your inbox looks like when something trips a canary.
  • AWS canary credential used

    🇬🇧 94.198.55.12 just now
  • SSH canary key touched

    🇺🇸 185.143.223.41 20 days ago
  • AWS canary credential used

    🇺🇸 73.140.187.92 71 days ago

Security Canaries

What are canaries?

A canary is a decoy - a credential that looks exactly like a real one, but never gets used. So the moment anyone tries to, you know something is wrong.

Tracebit Community Edition now protects your GitHub Action workflow with AWS canary credentials and SSH key canaries deployed alongside your real ones.

If anyone touches them, we’ll send you an alert. It’s a quick win you can set up in any GitHub project and takes under 5 minutes.

1 # .github/workflows/deploy.yml 2 DEPLOY_TOKEN=${{ secrets.DEPLOY_TOKEN }} 3 NPM_TOKEN=${{ secrets.NPM_TOKEN }}
4 AWS_ACCESS_KEY_ID=AKIA3F2NXJ7Q9P8KX1MZ ← canary
5 SENTRY_DSN=${{ secrets.SENTRY_DSN }}
6 SSH_DEPLOY_KEY=-----BEGIN OPENSSH PRIVATE KEY----- ← canary

Permissions & trust

What happens when you connect Tracebit

Setting up the integration takes about a minute. Here’s exactly what we do with the access you grant.

The permissions we ask for, and why

GitHub permission What we use it for
Read - Actions & Metadata To see your workflows and their runs, so we can place canaries in the right spot and confirm your pipelines are protected (this is how we calculate your coverage).
Read & write - Workflows GitHub requires this specific permission to add our canary step to the files in your .github/workflows/ folder.
Read & write - Code & Pull requests To open a pull request that adds the integration to your workflows. You review and merge it - we never push to your branches directly.

What we send to Tracebit

Only metadata about your workflow runs - the repository name, workflow name, job, commit SHA, and run ID. That’s what lets us tie an alert back to the exact pipeline if a canary ever fires.

What we write

A single pull request that adds the Tracebit canary step to your workflows. You see the diff, you approve it, you merge it. Nothing changes until you say so.

What we never touch

  • × Your real secrets and keys never reach our infrastructure. Canary credentials are decoys we issue - not your real ones.
  • × We don’t read or ingest your business logic, source code, or environments. The only code we look at is the workflow files we need to integrate with.
  • × We don’t merge, deploy, or change anything outside the pull request you approve.

It’s no longer enough to assume you won’t be hit.

Some of the repos compromised recently had large teams with great security. If it can happen to them, it can happen to anyone. So it’s really important to have detection in place to catch it the moment it affects you. Recent attacks include:

2026 · Open source toolchain

TeamPCP

Compromised a chain of widely-used open source tools earlier this year - Trivy, KICS, LiteLLM and Telnyx among them.

GitHub Actions

tj-actions

A popular action was modified to exfiltrate secrets from every workflow that pulled it in. Thousands of repos affected.

npm

s1ngularity

Typosquatted npm packages quietly harvested credentials from any build environment that installed them.

Self-replicating worm

Shai-Hulud

The first self-propagating npm supply chain worm. Spread by stealing tokens from every pipeline that touched an infected package.

Learn more in Alessandro Brucato's published research.

This was built with community security in mind, and will remain completely free.

We want to help you protect your repos and your work. We would also love to hear your feedback. If the limits don’t cover what you need, or there’s a feature you’d love to see - tell us, and we’ll see what we can do at community@tracebit.com.

FAQs

Is it really free, forever?

Yes. Community Edition was built to make security canaries accessible to all and it'll stay that way.

Do I need to be a security engineer to use this?

No. Community Edition is built so anyone can deploy it - no security background required.

Can Tracebit read my code?

Please look at the Permissions & trust section above.

Can an attacker tell a canary is fake?

The credentials are created exactly the same way as real credentials, so attackers cannot tell the difference.

Does this really catch supply chain attacks?

Yes! Read more in Alessandro Brucato's published research.