Open Source · v0.4.0
Trace.
AI can write. Trace can read.
The first open-source security checker designed for AI-generated code. Detects the failure modes of large language models — hallucinated dependencies, hardcoded secrets, silent error handlers, unsafe sanitization — that traditional tools miss because they were built for human bugs.
$ npx trace-check your-file.py

In 2026, AI ships half your code.
Security tools haven't caught up.
Large language models generate syntactically valid, functionally plausible code — and slip in bugs that no linter was designed to find. Hallucinated packages, leaked credentials, silently swallowed errors. The tooling gap is real, and widening.
45%
of AI-generated code contains security flaws (Veracode)
62%
AI code with vulnerabilities (Cloud Security Alliance)
42%
of all committed code is now AI-written (SonarSource)
Moltbook, Feb 2026
1.5M API keys exposed. The founder wrote zero lines himself; AI scaffolded a Supabase database with public read/write permissions, and nobody reviewed it.
Axios, Mar 2026
Supply chain attack via maintainer account. Thousands of downstream apps compromised in hours.
Four detection patterns that Snyk can't see.
Four patterns ship today in the open-source CLI. Three more are coming in the cloud version — same engine, deeper analysis.
| # | Pattern | Status | What it catches |
|---|---|---|---|
| 01 | Hallucinated dependencies | v0.1.0 | Imports of packages that don't exist in npm/PyPI |
| 03 | Credential leaks | v0.2.0 | Hardcoded API keys, tokens, DB passwords, PEM blocks |
| 05 | Silent exception handling | v0.3.0 | Empty catches, swallowed errors, promise .catch(()=>{}) |
| 06 | Unsafe sanitization | v0.4.0 | SQL injection, XSS, command injection, SSTI patterns |
| 02 | Deprecated API misuse | Cloud | AI confidently calling removed methods |
| 04 | Fake type safety | Cloud | any abuse, stripped generics, bypassed guards |
| 07 | Tautological tests | Cloud | expect(x).toBe(x) — tests that can never fail |
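To show what the four shipped patterns look like as concrete checks, here is a minimal stand-in checker written for this page with Python's `ast` module. It is an added example, not Trace's engine or any code from the project. The registry lookup that Trace performs against npm/PyPI is replaced by a constructed allowlist (`KNOWN_PACKAGES`), the secret shapes in `SECRET_PATTERNS` are constructed for the demo, and the input `SAMPLE` is the demo file from further down the page with a silent `except` block appended so all four patterns fire.

```python
import ast
import re

# Constructed stand-in for the registry lookup (assumption): the real tool
# queries npm/PyPI; here a fixed set of "known" top-level modules plays that role.
KNOWN_PACKAGES = {"fastapi", "flask", "sqlite3", "os", "sys", "re", "json", "logging"}

# Constructed secret shapes: the Stripe live-key prefix comes from the demo file,
# the AWS access-key shape is a second example entry.
SECRET_PATTERNS = [
    ("Stripe live secret key", re.compile(r"^sk_live_[A-Za-z0-9_]{8,}$")),
    ("AWS access key id", re.compile(r"^AKIA[0-9A-Z]{16}$")),
]

# Method names treated as SQL sinks (DB-API cursor/connection methods).
SQL_SINKS = {"execute", "executemany", "executescript"}


def redact(value: str) -> str:
    """Keep only a short prefix and suffix so a finding never re-leaks the secret."""
    return value[:4] + "..." + value[-3:] if len(value) > 10 else "***"


def _is_dynamic_query(expr: ast.expr) -> bool:
    """True when the query text is assembled at runtime from interpolated values."""
    if isinstance(expr, ast.JoinedStr):  # f-string with at least one {placeholder}
        return any(isinstance(v, ast.FormattedValue) for v in expr.values)
    if isinstance(expr, ast.BinOp) and isinstance(expr.op, (ast.Add, ast.Mod)):
        return True  # "..." + x  or  "..." % x
    if isinstance(expr, ast.Call) and isinstance(expr.func, ast.Attribute):
        return expr.func.attr == "format"  # "...".format(x)
    return False


def check_source(src: str, known=KNOWN_PACKAGES):
    """Return (line, kind, message) tuples for the four patterns, sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        # 01 hallucinated dependency: top-level module not in the registry stand-in
        if isinstance(node, ast.Import):
            for alias in node.names:
                top = alias.name.split(".")[0]
                if top not in known:
                    findings.append((node.lineno, "hallucinated-dependency",
                                     f'Package "{top}" not found in registry'))
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            top = node.module.split(".")[0]
            if top not in known:
                findings.append((node.lineno, "hallucinated-dependency",
                                 f'Package "{top}" not found in registry'))
        # 03 credential leak: string literal assigned that matches a known key shape
        elif (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)
              and isinstance(node.value.value, str)):
            for label, pattern in SECRET_PATTERNS:
                if pattern.match(node.value.value):
                    findings.append((node.lineno, "credential-leak",
                                     f"Hardcoded {label}: {redact(node.value.value)}"))
        # 06 unsafe sanitization: SQL sink fed a query built by interpolation
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
              and node.func.attr in SQL_SINKS and node.args
              and _is_dynamic_query(node.args[0])):
            findings.append((node.lineno, "sql-injection",
                             f"{node.func.attr} called with a runtime-built query string"))
        # 05 silent exception handling: handler body is nothing but `pass`
        elif isinstance(node, ast.ExceptHandler) and all(isinstance(s, ast.Pass) for s in node.body):
            findings.append((node.lineno, "silent-exception", "except block discards the error"))
    return sorted(findings)


# Constructed input: the demo file from this page, plus a silent except block.
SAMPLE = '''import fastapi
import fake_validator_xyz
from flask import request
import sqlite3

SECRET = "sk_live_51Hxyz_ABCDEFGHIJKLMNOPQRSTUVWXYZ"

def get_user(user_id):
    conn = sqlite3.connect("db.sqlite")
    cursor = conn.cursor()
    cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
    return cursor.fetchone()

def save(user):
    try:
        user.save()
    except Exception:
        pass
'''

if __name__ == "__main__":
    for line, kind, message in check_source(SAMPLE):
        print(f"line {line:>3}  {kind:<24} {message}")
```

The AST approach is what makes the SQL check precise: it only fires when the first argument to a sink is an f-string with placeholders, a `+`/`%` expression or a `.format()` call, so a constant query with `?` parameters is not reported. The redaction helper mirrors what the real output above does (`sk_l...XYZ`): a finding about a leaked secret must not itself be a second copy of the secret in CI logs.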
See it on a real file.
$ cat user-api.py

```python
import fastapi
import fake_validator_xyz
from flask import request
import sqlite3

SECRET = "sk_live_51Hxyz_ABCDEFGHIJKLMNOPQRSTUVWXYZ"

def get_user(user_id):
    conn = sqlite3.connect("db.sqlite")
    cursor = conn.cursor()
    cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
    return cursor.fetchone()
```
$ npx trace-check user-api.py
trace-check v0.4.0
user-api.py
✗ critical line 2 Package "fake_validator_xyz" not found on PyPI
✗ critical line 6 Hardcoded Stripe live secret key
> SECRET = "sk_l...XYZ"
✗ critical line 11 SQL injection: cursor.execute with f-string interpolation
> cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
Summary: 3 issues found across 1 file.

Start in 10 seconds.
1. Install: npm install -D trace-core
2. Run: npx trace-check src/**/*.ts
3. Integrate: drop into CI or use as a pre-commit hook
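For comparison with the demo file above, here is the same `user-api.py` with its three findings fixed, written as an added example for this page rather than code from the project. It assumes the secret lives in an environment variable named `STRIPE_SECRET_KEY` (a constructed name) and drops the web-framework imports so it runs against an in-memory SQLite database; the hallucinated `fake_validator_xyz` import is simply gone, since nothing in the file used it.

```python
import logging
import os
import sqlite3

log = logging.getLogger("user_api")


def load_secret(name: str = "STRIPE_SECRET_KEY") -> str:
    """Read the key from the environment at startup; fail closed if it is missing.

    The variable name is a constructed example, not a project convention.
    """
    value = os.environ.get(name)
    if not value:
        raise RuntimeError(f"{name} is not set; refusing to start without it")
    return value


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    """Open the database and make sure the users table exists (constructed schema)."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS users (id INTEGER PRIMARY KEY, name TEXT)")
    return conn


def get_user(conn: sqlite3.Connection, user_id: int):
    """Parameterised query: user_id is bound by the driver, never interpolated."""
    # Reject non-integers at the boundary (bool is an int subclass, exclude it too).
    if not isinstance(user_id, int) or isinstance(user_id, bool):
        raise ValueError("user_id must be an int")
    cur = conn.execute("SELECT id, name FROM users WHERE id = ?", (user_id,))
    return cur.fetchone()


def save_user(conn: sqlite3.Connection, user_id: int, name: str) -> bool:
    """Failures are logged and reported to the caller, not swallowed by an empty except."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute("INSERT INTO users (id, name) VALUES (?, ?)", (user_id, name))
        return True
    except sqlite3.IntegrityError as exc:
        log.warning("save_user(%r) failed: %s", user_id, exc)
        return False


if __name__ == "__main__":
    db = open_db()
    save_user(db, 1, "alice")
    print(get_user(db, 1))
```

Run against the checker patterns on this page, none of the four fire: the query text is a constant with a `?` placeholder, no string literal matches a key shape, every import resolves, and the `except` branch does real work before returning. The type check in `get_user` is belt-and-braces on top of parameter binding; binding alone already prevents the injection, the check just turns a string like `"1 OR 1=1"` into an explicit error instead of a silent empty result.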