Auto Triaging (Planned)

info

The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.

warning

This feature is planned for future release. If you are interested, please contact your account manager or support.

Takumi Runner plans to offer an auto triaging feature that automatically scans accumulated trace data when malware or large-scale campaigns are discovered, and notifies users of affected jobs.

What Is Auto Triaging

Supply chain attacks targeting CI/CD pipelines can have widespread impact through malicious packages or compromised GitHub Actions. When such threats become public, quickly determining whether your CI/CD pipelines were affected is critical as a first step in incident response.

With auto triaging, when new malware or large-scale campaigns are discovered, Takumi Runner automatically scans accumulated trace data. If jobs that may have been affected are detected, users are notified to support rapid triage and response.

Expected Use Cases

Auto triaging is designed for scenarios such as:

  • When malicious npm / PyPI packages are discovered: Automatically scan past builds to check whether the package was installed or whether suspicious network connections from that package were recorded
  • When GitHub Actions tampering is reported: Review traces from jobs that used the affected Action to check for unauthorized behavior
  • When large-scale supply chain attack campaigns are disclosed: Scan trace data across jobs using published IoCs (Indicators of Compromise) to identify the impact on your organization

Benefits

Auto triaging provides the following benefits:

  • Faster initial response: Significantly reduces lead time from threat disclosure to impact assessment for your organization
  • Retroactive analysis: Since scanning is performed against accumulated trace data, it can address cases where the attack was not yet recognized as a threat at the time it occurred
  • Reduced manual investigation burden: Eliminates the need to manually review traces across large volumes of job histories, allowing security teams to focus on evaluating triage results and taking action

Caveats

The following caveats should be noted:

  • Scanning is limited to the trace retention period: Jobs older than the retention period (90 days) are not included in scans
  • Depends on IoCs: Scanning is based on known IoCs related to malware and attack campaigns, so threats without published IoCs cannot be addressed
  • Notifications indicate potential impact: Scan results report jobs that "may have been affected" — users must verify whether actual damage occurred
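To make the use cases and caveats above concrete, here is an added example (not code from Flatt Security or Takumi Runner) of the kind of IoC-driven scan the feature describes: each recorded job carries the packages it installed, the Actions it ran, and the hosts it contacted; a published indicator set is matched against every job that still falls inside the trace retention period, and jobs older than that period are reported as unscanned rather than silently treated as clean. The trace schema, the `JobTrace`/`IocSet`/`Finding` types, the job names, the package, Action and host indicators, and the reference time `NOW` are all constructed for this illustration.

```python
"""Added example: IoC-driven triage over CI job traces (all data constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 90  # trace retention period stated on this page


@dataclass(frozen=True)
class JobTrace:
    """One recorded CI job. Constructed shape, not Takumi Runner's real schema."""
    job_id: str
    finished_at: datetime
    packages: tuple[str, ...] = ()     # "ecosystem:name@version" as installed
    actions: tuple[str, ...] = ()      # "owner/repo@ref" as resolved at run time
    connections: tuple[str, ...] = ()  # destination hosts the job contacted


@dataclass(frozen=True)
class IocSet:
    """Published indicators for one campaign (hypothetical values)."""
    name: str
    packages: frozenset[str] = frozenset()  # "ecosystem:name@version"
    actions: frozenset[str] = frozenset()   # "owner/repo@ref"
    hosts: frozenset[str] = frozenset()     # domains; subdomains also match


@dataclass(frozen=True)
class Finding:
    """One indicator match: the job *may* be affected, not confirmed damage."""
    job_id: str
    campaign: str
    kind: str        # "package" | "action" | "network"
    indicator: str


def host_matches(host: str, ioc_host: str) -> bool:
    """Exact match, or the traced host is a subdomain of the indicator."""
    return host == ioc_host or host.endswith("." + ioc_host)


def scan_job(job: JobTrace, iocs: IocSet) -> list[Finding]:
    """Return every indicator match recorded in one job's trace."""
    hits: list[Finding] = []
    for pkg in job.packages:
        if pkg in iocs.packages:
            hits.append(Finding(job.job_id, iocs.name, "package", pkg))
    for action in job.actions:
        if action in iocs.actions:
            hits.append(Finding(job.job_id, iocs.name, "action", action))
    for host in job.connections:
        for ioc_host in iocs.hosts:
            if host_matches(host, ioc_host):
                hits.append(Finding(job.job_id, iocs.name, "network", host))
    return hits


def triage(jobs, ioc_sets, now: datetime, retention_days: int = RETENTION_DAYS):
    """Scan all jobs inside the retention window against every IoC set.

    Returns (findings, unscanned_job_ids). Jobs older than the retention
    period are listed separately so nobody mistakes "not scanned" for "clean".
    """
    cutoff = now - timedelta(days=retention_days)
    findings: list[Finding] = []
    unscanned: list[str] = []
    for job in jobs:
        if job.finished_at < cutoff:
            unscanned.append(job.job_id)
            continue
        for iocs in ioc_sets:
            findings.extend(scan_job(job, iocs))
    return findings, sorted(unscanned)


# --- constructed sample data -------------------------------------------------
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

SAMPLE_IOCS = IocSet(
    name="constructed-campaign",                     # hypothetical campaign
    packages=frozenset({"npm:example-util@1.2.3"}),  # hypothetical package
    actions=frozenset({"example-org/setup-thing@v1"}),  # hypothetical Action
    hosts=frozenset({"example-evil.invalid"}),       # hypothetical C2 domain
)

SAMPLE_JOBS = (
    JobTrace("build-101", NOW - timedelta(days=3),
             packages=("npm:example-util@1.2.3", "npm:left-pad@1.3.0"),
             connections=("registry.npmjs.org", "cdn.example-evil.invalid")),
    JobTrace("build-102", NOW - timedelta(days=10),
             actions=("actions/checkout@v4", "example-org/setup-thing@v1")),
    JobTrace("build-103", NOW - timedelta(days=120),   # outside retention
             packages=("npm:example-util@1.2.3",)),
    JobTrace("build-104", NOW - timedelta(days=1),
             packages=("pypi:requests@2.31.0",),
             connections=("pypi.org",)),
)

if __name__ == "__main__":
    found, skipped = triage(SAMPLE_JOBS, [SAMPLE_IOCS], NOW)
    for f in found:
        print(f"{f.job_id}: possible impact via {f.kind} indicator {f.indicator}")
    print("not scanned (older than retention):", skipped)
```

Two details reflect the caveats above: the Action indicator is matched on the reference exactly as the trace recorded it, so a trace that stores the resolved commit SHA rather than a mutable tag gives far more reliable results; and every `Finding` is a "may have been affected" signal for a human to verify, which is why `build-103` is reported as unscanned instead of disappearing from the output.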