Tracebit Community Edition

GitHub App

Tracebit Community Edition helps developers detect intrusions and supply-chain attacks across their GitHub workflows and pipelines using canary credentials.

Pinning actions and hardening runners reduces your attack surface, but it doesn't tell you when a trusted dependency turns hostile. Recent campaigns like TeamPCP (Trivy, KICS, LiteLLM, Telnyx) showed how stolen credentials from one victim become the attack surface for the next. Community Edition gives you a detective control for exactly that scenario.

How it works

  1. At the start of your workflow, the action calls the Tracebit API to issue short-lived canary AWS credentials and SSH keys.
  2. Those credentials are written to ~/.aws/credentials, ~/.ssh, exported as environment variables, and held in runner process memory, covering every common exfiltration surface.
  3. Tracebit watches for any use of those credentials. If they're touched, you get an alert with the repo, workflow, job, commit SHA, run ID, attacker IP, user-agent, and the underlying CloudTrail logs.
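The alerting step above can be illustrated as a small detection routine. The following is an added example, not Tracebit's code or API: it assumes a registry that maps each issued canary access key ID to the workflow run it was minted for (a hypothetical structure; the key IDs, repo, commit SHA and run ID are constructed sample values), and it walks standard CloudTrail records to produce the alert fields the page lists. Because canary keys have no permissions, the routine reports every event that names a canary key, including denied calls, and never filters on error codes.

```python
"""Added example (not Tracebit's code): match CloudTrail events against a
registry of canary access keys and build the alert fields a defender wants."""
import json

# Constructed registry: canary access key ID -> the workflow run that was
# issued that key. A real service would record this when it mints the key.
CANARY_REGISTRY = {
    "AKIACANARYEXAMPLE001": {
        "repo": "example-org/example-repo",
        "workflow": "ci.yml",
        "job": "build",
        "commit_sha": "0123456789abcdef0123456789abcdef01234567",
        "run_id": "123456789",
    },
}

# Constructed CloudTrail-style records: one use of the canary key from an
# unexpected IP, one legitimate call with an unrelated key, and one service
# event that carries no access key at all.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIACANARYEXAMPLE001",
                         "userName": "canary-user"},
        "eventTime": "2024-05-01T12:34:56Z",
        "eventSource": "sts.amazonaws.com",
        "eventName": "GetCallerIdentity",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10",
        "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.1.0",
    },
    {
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                         "userName": "deploy-bot"},
        "eventTime": "2024-05-01T12:35:10Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutObject",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.7",
        "userAgent": "aws-sdk-go/1.44.0",
    },
    {
        "eventVersion": "1.08",
        "userIdentity": {"type": "AWSService", "invokedBy": "cloudtrail.amazonaws.com"},
        "eventTime": "2024-05-01T12:36:00Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "GenerateDataKey",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "cloudtrail.amazonaws.com",
        "userAgent": "cloudtrail.amazonaws.com",
    },
]})


def parse_cloudtrail(text):
    """Parse a CloudTrail log body ({"Records": [...]}) into a list of dicts."""
    return json.loads(text).get("Records", [])


def canary_alerts(records, registry):
    """Return one alert per event that used a registered canary key.

    A canary key has no permissions, so every call is reportable, denied or
    not: errorCode is recorded for triage but never used to filter.
    """
    alerts = []
    for rec in records:
        key_id = rec.get("userIdentity", {}).get("accessKeyId")
        if key_id is None or key_id not in registry:
            continue  # service events and unrelated keys are not canary hits
        ctx = registry[key_id]
        alerts.append({
            "access_key_id": key_id,
            "repo": ctx["repo"],
            "workflow": ctx["workflow"],
            "job": ctx["job"],
            "commit_sha": ctx["commit_sha"],
            "run_id": ctx["run_id"],
            "event_time": rec.get("eventTime"),
            "event_name": rec.get("eventName"),
            "source_ip": rec.get("sourceIPAddress"),
            "user_agent": rec.get("userAgent"),
            "error_code": rec.get("errorCode"),
            "raw_event": rec,  # keep the underlying CloudTrail record
        })
    return alerts


def detect(text=SAMPLE_CLOUDTRAIL, registry=CANARY_REGISTRY):
    """Run the full pipeline on a CloudTrail log body; defaults to the sample."""
    return canary_alerts(parse_cloudtrail(text), registry)


if __name__ == "__main__":
    for a in detect():
        print(f"[canary hit] {a['repo']} {a['workflow']}/{a['job']} run {a['run_id']} "
              f"sha {a['commit_sha'][:7]} {a['event_name']} from {a['source_ip']} "
              f"({a['user_agent']})")
```

Running the block on the constructed sample yields a single alert for the GetCallerIdentity call, carrying the repo, workflow, job, commit SHA and run ID from the registry plus the caller IP, user agent and raw record from CloudTrail; the unrelated key and the service event produce nothing.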

Why it's high-signal

Canary credentials have no permissions, so any API call is the signal. No tuning, no heuristics, no false positives from legitimate developer activity.

Get started

Free for up to 10 GitHub repos. A few minutes to add to a workflow. Sign up →

Read the full write-up: detecting CI/CD supply-chain attacks with canary credentials →

Developer

Tracebit Community Edition is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.
