# Auto Triaging (Planned) {#auto-triaging}

:::warning
This feature is planned for a future release. If you are interested, please contact your account manager or support.
:::

Takumi Runner plans to offer an **auto triaging** feature that automatically scans accumulated trace data when malware or large-scale campaigns are discovered, and notifies users of affected jobs.

## What Is Auto Triaging {#what-is-auto-triaging}

Supply chain attacks targeting CI/CD pipelines can have widespread impact through malicious packages or compromised GitHub Actions. When such threats become public, quickly determining whether your CI/CD pipelines were affected is critical as a first step in incident response.

With auto triaging, when new malware or large-scale campaigns are discovered, Takumi Runner automatically scans accumulated trace data. If jobs that may have been affected are detected, users are notified to support rapid triage and response.

## Expected Use Cases {#use-cases}

Auto triaging is designed for scenarios such as:

- **When malicious npm / PyPI packages are discovered**: Automatically scan past builds to check whether the package was installed or whether suspicious network connections from that package were recorded
- **When GitHub Actions tampering is reported**: Review traces from jobs that used the affected Action to check for unauthorized behavior
- **When large-scale supply chain attack campaigns are disclosed**: Scan trace data across jobs using published IoCs (Indicators of Compromise) to identify the impact on your organization

## Benefits {#benefits}

Auto triaging provides the following benefits:

- **Faster initial response**: Significantly reduces lead time from threat disclosure to impact assessment for your organization
- **Retroactive analysis**: Since scanning is performed against accumulated trace data, it can address cases where the attack was not yet recognized as a threat at the time it occurred
- **Reduced manual investigation burden**: Eliminates the need to manually review traces across large volumes of job histories, allowing security teams to focus on evaluating triage results and taking action

## Caveats {#limitations}

The following caveats should be noted:

- **Scanning is limited to the trace retention period**: Jobs older than the retention period (90 days) are not included in scans
- **Depends on IoCs**: Scanning is based on known IoCs related to malware and attack campaigns, so threats without published IoCs cannot be addressed
- **Notifications indicate potential impact**: Scan results report jobs that "may have been affected" — users must verify whether actual damage occurred
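
The retroactive scan and its caveats can be shown as an added sketch; this is not Takumi Runner's code or trace schema. `JobTrace`, `IoCSet`, `triage`, the subdomain matching rule and all sample names are assumptions made for the example, and only the 90-day retention period comes from this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=90)  # trace retention period stated on this page
fs = frozenset
@dataclass(frozen=True)
class JobTrace:  # hypothetical per-job record, not Takumi Runner's schema
    job_id: str
    finished_at: datetime
    packages: frozenset = fs()  # (ecosystem, name, version) installed
    actions: frozenset = fs()   # "owner/repo@ref" used by the job
    hosts: frozenset = fs()     # hostnames the job connected to

@dataclass(frozen=True)
class IoCSet:  # hypothetical container for published indicators
    packages: frozenset = fs()
    actions: frozenset = fs()
    domains: frozenset = fs()

def _host_hit(host, domains):  # indicator domain itself or any subdomain
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in domains)

def triage(traces, iocs, now, exposure_start):
    """Return (findings, coverage_gap): jobs that may have been affected, and
    whether the campaign began before the oldest trace still retained."""
    cutoff = now - RETENTION
    findings = {}
    for t in traces:
        if t.finished_at < cutoff:
            continue  # outside retention: cannot be assessed
        hits = [("package", p) for p in sorted(t.packages & iocs.packages)]
        hits += [("action", a) for a in sorted(t.actions & iocs.actions)]
        hits += [("host", h) for h in sorted(t.hosts) if _host_hit(h, iocs.domains)]
        if hits:
            findings[t.job_id] = hits
    return findings, exposure_start < cutoff

# Constructed sample data; every name below is a placeholder.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
BAD = ("npm", "example-bad-pkg", "1.2.3")
ACT = "example-org/example-action@v1"
IOCS = IoCSet(fs({BAD}), fs({ACT}), fs({"bad.example.invalid"}))
TRACES = [
    JobTrace("job-1", NOW - timedelta(days=5), fs({BAD}), hosts=fs({"Drop.Bad.example.invalid."})),
    JobTrace("job-2", NOW - timedelta(days=10), fs({("npm", "example-bad-pkg", "1.2.2")})),
    JobTrace("job-3", NOW - timedelta(days=120), actions=fs({ACT})),
    JobTrace("job-4", NOW - timedelta(days=30), actions=fs({ACT})),
]
```

When `coverage_gap` is true, an empty `findings` only clears the retained window, so the earlier part of the exposure still needs checking against other records.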
