AI can write. Trace can read. Static analyzer for AI-generated code, in your CI.
Trace detects the 24 failure patterns that only LLMs produce: hallucinated imports, credential leaks, silent exceptions, fake type safety, missing awaits, and more. This Action runs Trace on every push and PR, posts a summary comment, and uploads results to GitHub Code Scanning.
One line in your workflow. No install, no token, no Docker.
```yaml
- uses: usercodeX-creator/trace-action@v1
  with:
    path: src/
```

A complete workflow:

```yaml
name: Trace
on: [push, pull_request]
permissions:
  contents: read
  security-events: write
  pull-requests: write
jobs:
  trace:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: usercodeX-creator/trace-action@v1
        with:
          path: src/
          severity-threshold: low      # low | medium | high | critical
          fail-on-detection: 'false'   # set 'true' to block the PR
          comment-on-pr: 'true'        # post summary as PR comment
          upload-sarif: 'true'         # upload to Code Scanning tab
```

See examples/ for more workflow patterns:

- `basic.yml`: scan on every push and PR
- `pr-only.yml`: scan only on PRs, comment + SARIF
- `strict-blocking.yml`: fail the check on medium+ findings
| Input | Default | Description |
|---|---|---|
| `path` | `.` | Directory or file to scan |
| `severity-threshold` | `low` | Minimum severity to report |
| `fail-on-detection` | `false` | Fail the action when detections are found |
| `comment-on-pr` | `true` | Post summary comment on PRs |
| `upload-sarif` | `true` | Upload SARIF to Code Scanning |
| `trace-version` | `latest` | Pin a specific trace-core version |
| `github-token` | `${{ github.token }}` | Token for API calls |
| Output | Description |
|---|---|
| `detection-count` | Total detections at or above threshold |
| `critical-count` | Critical severity count |
| `high-count` | High severity count |
| `medium-count` | Medium severity count |
| `low-count` | Low severity count |
| `grade` | Letter grade: A (clean) through F |
| `summary-markdown` | Markdown summary for downstream use |
| `sarif-path` | Path to generated SARIF file |
| `json-path` | Path to raw Trace JSON output |
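An added example (not from this README or the project's own examples) showing how the outputs above can drive a policy the inputs alone cannot express: report every severity in the comment and SARIF, but block the PR only when critical findings exist, and keep the raw reports for triage either way. The output names come from the table above; `trace-version: 1.2.3` is a placeholder for a real pinned release, and `actions/upload-artifact@v4` is assumed to be available.

```yaml
name: Trace (block on critical only)
on: [pull_request]
permissions:
  contents: read
  security-events: write   # needed for the SARIF upload
  pull-requests: write     # needed for the PR comment
jobs:
  trace:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - id: trace                      # an id makes the outputs addressable below
        uses: usercodeX-creator/trace-action@v1
        with:
          path: src/
          severity-threshold: low      # report everything ...
          fail-on-detection: 'false'   # ... but let the gate step decide pass/fail
          trace-version: 1.2.3         # placeholder: pin to a real trace-core release
      # Gate on the action's outputs instead of its built-in fail switch.
      - name: Block on critical findings
        if: steps.trace.outputs.critical-count != '0'
        env:
          CRITICAL: ${{ steps.trace.outputs.critical-count }}
          GRADE: ${{ steps.trace.outputs.grade }}
        run: |
          echo "::error::Trace found $CRITICAL critical issue(s) (grade $GRADE)"
          exit 1
      # Keep the SARIF and raw JSON for triage regardless of the gate result.
      - name: Upload Trace reports
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: trace-reports
          path: |
            ${{ steps.trace.outputs.sarif-path }}
            ${{ steps.trace.outputs.json-path }}
```

Outputs are strings, so the gate compares against `'0'`; an empty value (for example when the scan step itself failed) also trips the gate rather than silently passing.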
- Runs `npx trace-core@latest` on your code
- Converts JSON output to SARIF 2.1.0 for GitHub Code Scanning
- Posts a one-comment summary on each PR (updated on subsequent pushes)
License: MIT