What is Trace-AI
Trace-AI is a service that provides real-time Software Bills of Materials (SBOMs), exploit-aware risk scoring, license compliance, and vendor visibility for software repositories. By analyzing dependency metadata rather than source code, it aims to help users know what they ship and trust what they depend on.
How to use Trace-AI
- Connect your repo: Link your GitHub or GitLab repository.
- Scan: Trace-AI analyzes dependencies and generates an SBOM.
- Monitor: Track vulnerabilities and compliance in real-time.
- Export: Generate audit-ready reports in CycloneDX, SPDX, and JSON formats.
Features of Trace-AI
- Real-time SBOMs: Generates accurate CycloneDX and SPDX from CI, tracking direct and transitive dependencies continuously.
- Exploit-aware scanning: Prioritizes vulnerabilities with known exploits, providing context for fixes.
- Vendor visibility: Tracks APIs, SDKs, SLA expiry, and breach history alongside code dependencies.
- Vulnerability Dashboard: Displays risk at a glance, showing exposure levels and changes over time.
- Dependency Analysis: Provides a clear view of every package, CVE, and version with project context.
- License Compliance: Identifies licenses like GPL and LGPL, helping to avoid issues during enterprise review.
- Policy as Code: Offers forkable YAML or JSON for ISO, SOC 2, and OSS license checks.
- Customizable Configuration: Allows editing of risk scoring, license mapping, and vendor thresholds.
Use Cases of Trace-AI
- Understanding software supply chain security.
- Managing vulnerabilities and prioritizing fixes.
- Ensuring license compliance for software components.
- Gaining visibility into third-party software vendors.
- Generating audit-ready evidence for compliance frameworks like ISO 27001 and SOC 2.
Pricing
- The first 5 repositories are free.
- Predictable per-repository pricing is available for scaling.
- Features include live SBOMs, exploit-aware vulnerability checks, license tracking, and vendor monitoring.
FAQ
- What is an SBOM and why do I need one? An SBOM is a complete inventory of software components, essential for understanding security posture, managing vulnerabilities, and meeting compliance. It's critical due to increasing regulatory pressure and supply-chain attacks.
- How is exploit-aware scanning different from traditional CVE scanning? Exploit-aware scanning prioritizes vulnerabilities with known exploits in the wild, unlike traditional scanners that report all CVEs. It uses threat intelligence to determine exploitability, reducing alert fatigue.
- Which programming languages and package managers do you support? Supported ecosystems include npm/yarn (JavaScript), pip (Python), Maven/Gradle (Java), Go modules, RubyGems, NuGet (.NET), Cargo (Rust), and more.
- Is my code and data secure? Yes. Analysis focuses on dependency manifests and lock files, not source code. Data is encrypted in transit and at rest. ZSBOM can also be run locally for full control.
- How does ZSBOM compare to other SBOM tools? ZSBOM is open-source and transparent, allowing auditing of classification logic and customization of risk scoring. It focuses on accuracy, exploit-awareness, and developer experience.
- What compliance frameworks do you support? SBOM data is mapped to ISO 27001, SOC 2, PCI-DSS, HIPAA, and GDPR, with pre-built compliance checks included in the policy-as-code library.
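As an added illustration (not Trace-AI's own code or data), the following Python sketch shows the exploit-aware prioritization the FAQ describes: findings parsed from a constructed CycloneDX-style SBOM are ranked with known-exploited CVEs first and then by CVSS, beside the plain CVSS ordering of a traditional scanner. The SBOM, advisory feed, CVE ids and known-exploited list are all constructed placeholders.

```python
import json

# Constructed CycloneDX-style SBOM fragment; component names are hypothetical.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"name": "libalpha", "version": "1.2.0", "purl": "pkg:npm/libalpha@1.2.0"},
    {"name": "libbeta",  "version": "3.4.1", "purl": "pkg:pypi/libbeta@3.4.1"},
    {"name": "libgamma", "version": "0.9.0", "purl": "pkg:npm/libgamma@0.9.0"}
  ]
}
"""

# Constructed advisory feed: purl -> [(cve_id, cvss_score)]. CVE ids are placeholders.
ADVISORIES = {
    "pkg:npm/libalpha@1.2.0": [("CVE-0000-0001", 9.8), ("CVE-0000-0002", 5.3)],
    "pkg:pypi/libbeta@3.4.1": [("CVE-0000-0003", 7.5)],
}

# Constructed "known exploited in the wild" list, standing in for a threat-intel feed.
KNOWN_EXPLOITED = {"CVE-0000-0003"}


def prioritize(sbom_json, advisories, known_exploited, exploit_aware=True):
    """Match SBOM components against advisories and order the findings.

    exploit_aware=True ranks known-exploited CVEs first, then by CVSS;
    exploit_aware=False reproduces a traditional scanner's CVSS-only ordering.
    """
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom["components"]:
        for cve, cvss in advisories.get(comp["purl"], []):
            findings.append({
                "component": comp["name"],
                "version": comp["version"],
                "cve": cve,
                "cvss": cvss,
                "exploited": cve in known_exploited,
            })
    if exploit_aware:
        findings.sort(key=lambda f: (not f["exploited"], -f["cvss"]))
    else:
        findings.sort(key=lambda f: -f["cvss"])
    return findings


if __name__ == "__main__":
    for f in prioritize(SBOM_JSON, ADVISORIES, KNOWN_EXPLOITED):
        flag = "EXPLOITED" if f["exploited"] else "no known exploit"
        print(f"{flag:16} {f['cve']} cvss={f['cvss']} {f['component']}@{f['version']}")
```

Note that the medium-severity exploited CVE outranks the critical unexploited one in the exploit-aware ordering, which is the alert-fatigue reduction the FAQ refers to.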