Trace-AI

Know What You Ship.
Trust What You Depend On.

Real-time SBOMs, exploit-aware risk scoring, and license compliance straight from your repos.

No credit card required • Up to 5 repositories free


Trusted by teams shipping to enterprise


Real-time SBOMs

Accurate CycloneDX and SPDX from your CI. Direct and transitive dependencies tracked continuously.


Exploit-aware scanning

Move beyond CVE dumps. Prioritize what is actually exploitable and fix with full context.


Vendor visibility

Track APIs, SDKs, SLA expiry and breach history alongside your code dependencies.

See your security posture in real-time


See risk at a glance

Critical, High, Medium and Low exposure in one place. Watch risk change as your code evolves.


Clarity without the noise

Every package, every CVE and every version in one view. No black box. Built for developers.


License compliance made simple

Identify GPL, LGPL and other copyleft licenses instantly. Avoid surprises during enterprise review.

From code to context in minutes

Connect your repository and watch as Trace-AI automatically generates comprehensive SBOMs, scans for vulnerabilities, and validates license compliance.

  1. Connect – Link a GitHub or GitLab repository
  2. Scan – Analyze dependencies and generate the SBOM
  3. Monitor – Track vulnerabilities and compliance
  4. Export – Generate audit-ready reports


Open source transparency

We publish everything. Trace-AI is not a black box. ZSBOM is open and auditable.

  • The model. ZSBOM classification logic is public and open for review.
  • Policy as code. ISO, SOC 2 and OSS license checks published as forkable YAML or JSON.
  • Configuration. Risk scoring, license mapping and vendor thresholds are editable.

Built in the open, with you

  • Public from day one – Code, roadmap, and discussions live on GitHub.
  • Fork, star, contribute – Join a growing community shaping the future of supply-chain security.
  • Adopted globally – 50+ clones and already powering startups across Czechia, Germany, the UK, and India.

How it works

  • Step 1 – Connect your repo: GitHub or GitLab, minimal setup.
  • Step 2 – Generate a live SBOM: direct and transitive dependencies.
  • Step 3 – Scan for risks: exploit context, not just CVE lists.
  • Step 4 – Track licenses and vendors: in one dashboard.
  • Step 5 – Export evidence: CycloneDX, SPDX and JSON.

Turn SBOMs into audit-ready evidence

What is in your product maps cleanly to your audit checklist. No spreadsheets.

ISO 27001 A.12.1.2, ISO 27001 A.14.2.4, SOC 2 CC8.1+

Simple pricing

First 5 repositories free. Predictable per-repo pricing as you scale.

  • Live SBOMs with CycloneDX and SPDX
  • Exploit-aware vulnerability checks
  • License tracking and alerts
  • Vendor monitoring

Get a launch reminder

Be first to try new features and early adopter perks.

Frequently asked questions

A Software Bill of Materials (SBOM) is a complete inventory of all components in your software. It's essential for understanding your security posture, managing vulnerabilities, and meeting compliance requirements. With increasing regulatory pressure and supply-chain attacks, having an accurate, up-to-date SBOM is critical.

Traditional scanners report all CVEs, creating noise and alert fatigue. Exploit-aware scanning prioritizes vulnerabilities that have known exploits in the wild, helping you focus on real risks first. We integrate multiple threat intelligence sources to determine exploitability.
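The prioritization described above, and the copyleft check from the license section, as an added example that is not Trace-AI's or ZSBOM's code: it reads a constructed CycloneDX 1.5 JSON document, ranks findings exploited-first and then by severity, and lists components carrying GPL/LGPL/AGPL SPDX identifiers. The CVE ids, package refs and the known-exploited set are constructed placeholders standing in for real feeds.

```python
import json

# Constructed CycloneDX 1.5 SBOM; ids and refs are placeholders, not real findings.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"bom-ref": "pkg:npm/left-pad@1.3.0", "name": "left-pad", "version": "1.3.0",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"bom-ref": "pkg:pypi/gpl-tool@2.0.0", "name": "gpl-tool", "version": "2.0.0",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"bom-ref": "pkg:maven/org.example/lib@4.1.0", "name": "lib", "version": "4.1.0",
     "licenses": [{"license": {"id": "LGPL-2.1-or-later"}}]}
  ],
  "vulnerabilities": [
    {"id": "CVE-0000-0001", "ratings": [{"severity": "critical"}],
     "affects": [{"ref": "pkg:npm/left-pad@1.3.0"}]},
    {"id": "CVE-0000-0002", "ratings": [{"severity": "high"}],
     "affects": [{"ref": "pkg:maven/org.example/lib@4.1.0"}]},
    {"id": "CVE-0000-0003", "ratings": [{"severity": "medium"}],
     "affects": [{"ref": "pkg:pypi/gpl-tool@2.0.0"}]}
  ]
}
"""
# Constructed stand-in for a known-exploited feed (a KEV-style list would go here).
KNOWN_EXPLOITED = {"CVE-0000-0002"}
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "none": 0}
COPYLEFT_PREFIXES = ("GPL-", "LGPL-", "AGPL-")

def prioritize(sbom_json, exploited):
    """Return one finding per (CVE, component), exploited first, then by severity."""
    sbom = json.loads(sbom_json)
    by_ref = {c["bom-ref"]: c for c in sbom.get("components", [])}
    findings = []
    for vuln in sbom.get("vulnerabilities", []):
        # A CVE may carry several ratings; keep the most severe one.
        sev = max((r.get("severity", "none") for r in vuln.get("ratings", [])),
                  key=lambda s: SEVERITY_RANK.get(s, 0), default="none")
        for aff in vuln.get("affects", []):
            comp = by_ref.get(aff["ref"], {})
            findings.append({"cve": vuln["id"], "component": comp.get("name", aff["ref"]),
                             "version": comp.get("version"), "severity": sev,
                             "exploited": vuln["id"] in exploited})
    return sorted(findings, reverse=True,
                  key=lambda f: (f["exploited"], SEVERITY_RANK.get(f["severity"], 0)))

def copyleft_components(sbom_json):
    """Names of components whose SPDX license id is GPL, LGPL or AGPL."""
    sbom = json.loads(sbom_json)
    return [c["name"] for c in sbom.get("components", [])
            if any(l.get("license", {}).get("id", "").startswith(COPYLEFT_PREFIXES)
                   for l in c.get("licenses", []))]
```

Note that the exploited high-severity CVE outranks the non-exploited critical one; that ordering is the whole point of exploit-aware triage.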

Trace-AI supports all major ecosystems including npm/yarn (JavaScript), pip (Python), Maven/Gradle (Java), Go modules, RubyGems, NuGet (.NET), Cargo (Rust), and more. We continuously add support for new package managers and languages.

Yes. We only analyze dependency manifests and lock files – never your source code. All data is encrypted in transit and at rest. Our workflow is metadata-driven, so we only access your dependency files. You can also run ZSBOM locally for complete control.

ZSBOM is fully open-source and transparent. Unlike black-box commercial tools, you can audit our classification logic, customize risk scoring, and contribute improvements. We focus on accuracy, exploit-awareness, and developer experience.

We map SBOM data to ISO 27001, SOC 2, PCI-DSS, HIPAA, and GDPR requirements. Our policy-as-code library includes pre-built compliance checks that you can fork and customize for your specific needs.