AI-powered DevSecOps platform that detects vulnerabilities, exposed secrets, and vulnerable dependencies, then generates OWASP-mapped remediation guidance.
Most security scanners stop at detection.
TraceHawk combines multiple security tools into a unified security analysis pipeline:
- Semgrep for vulnerable code detection (SAST)
- Gitleaks for exposed secrets and API keys
- Trivy for dependency vulnerability scanning
- Gemini 2.5 Flash for AI-powered remediation guidance
Instead of producing isolated findings, TraceHawk normalizes results into a unified security model, maps them to OWASP Top 10 categories and CWE identifiers, and generates actionable remediation guidance for developers.
TraceHawk runs three security tools against your codebase, normalizes their findings, classifies them by OWASP Top 10 category and CWE identifiers, and optionally generates AI-powered remediation guidance.
| tool | what it catches | classification |
|---|---|---|
| semgrep | vulnerable code patterns (SAST) | OWASP + CWE from rule metadata |
| gitleaks | hardcoded secrets and leaked API keys | secret-type → OWASP mapping |
| trivy | vulnerable dependencies (requirements.txt, package.json, etc.) |
A06:2021 + CVE/CWE IDs |
┌─────────────────────────────────────────────────────┐
│ Browser (localhost:5173) │
│ │
│ Svelte Frontend │
│ • Dashboard │
│ • Scan Trigger │
│ • Findings Explorer │
│ • AI Remediation Viewer │
│ │
└──────────────────┬──────────────────────────────────┘
│
│ REST API
▼
┌─────────────────────────────────────────────────────┐
│ FastAPI Backend (localhost:8000) │
│ │
│ Scanner Engine │
│ ├── Semgrep │
│ ├── Gitleaks │
│ └── Trivy │
│ │
│ Finding Normalization │
│ ├── OWASP Mapping │
│ ├── CWE Mapping │
│ └── Severity Classification │
│ │
│ AI Remediation Engine │
└──────────────────┬──────────────────────────────────┘
│
▼
Gemini 2.5 Flash
cp .env.example .envUpdate:
TRACEHAWK_API_KEY=your-random-secret
GEMINI_API_KEY=your-gemini-keydocker compose up --build -dThis starts:
- backend — FastAPI backend on port
8000 - frontend — Svelte dashboard on port
5173
curl -X POST http://localhost:8000/scan \
-H "Content-Type: application/json" \
-H "X-API-Key: $TRACEHAWK_API_KEY" \
-d '{
"target": "./test-repos",
"tools": "semgrep,gitleaks,trivy",
"output": "json"
}'| service | url |
|---|---|
| Dashboard | http://localhost:5173 |
| API Docs | http://localhost:8000/docs |
| Health Endpoint | http://localhost:8000/health |
The scanner can also be used directly inside the container.
| flag | description | default |
|---|---|---|
--target, -t |
local path or git URL to scan | ./test-repos |
--tools |
comma-separated list of tools | semgrep,gitleaks,trivy |
--output, -o |
json, terminal, both |
both |
docker compose exec backend \
python api/scanner.py --tools semgrep,gitleaksdocker compose exec backend \
python api/scanner.py --target ./src --tools trivy[
{
"tool": "semgrep",
"category": "A03:2021 - Injection",
"rule": "python.lang.security.audit.eval-detected",
"file": "app.py",
"line": 42,
"severity": "MEDIUM",
"cwe": ["CWE-95"],
"message": "Detected use of eval()",
"snippet": "eval(user_input)"
}
]TraceHawk exits with code 1 when HIGH or CRITICAL findings are detected, making it suitable for CI/CD integration.
TraceHawk uses Gemini 2.5 Flash to generate category-wise remediation guidance.
The remediation pipeline:
- Groups findings by OWASP category
- Generates risk explanations
- Produces vulnerable → remediated code examples
- Provides actionable remediation guidance
Example outputs include:
- Secure code replacements
- Dependency upgrade recommendations
- Secret rotation guidance
- OWASP risk explanations
- CWE-specific remediation advice
TraceHawk includes a DevSecOps workflow:
feature
↓
staging
↓
CI Validation
✓ Ruff
✓ Docker Build
✓ Gitleaks
✓ Semgrep
✓ Health Check
↓
prod
↓
Manual Approval
↓
Production Sync
This ensures all releases pass security and build validation before deployment.
Trivy downloads its vulnerability database during first execution.
A dedicated Docker volume is mounted to persist the cache between runs:
trivy-cache:This prevents repeated downloads and significantly speeds up subsequent scans.
Features:
- Unified Semgrep, Gitleaks, and Trivy scanning
- OWASP Top 10 classification
- CWE mapping
- AI remediation workflows
- Dockerized deployment
- REST API
- Svelte dashboard
- DevSecOps CI/CD pipeline
| layer | technology |
|---|---|
| Runtime | Python 3.11 |
| API | FastAPI + Uvicorn |
| Frontend | Svelte 5 + Vite |
| Serving | Nginx Unprivileged |
| SAST | Semgrep |
| Secret Detection | Gitleaks |
| Dependency Scanning | Trivy |
| AI | Gemini 2.5 Flash |
| Containerization | Docker + Docker Compose |
| CI/CD | GitHub Actions |
MIT