# Trace Visualization {#trace-visualization}

Trace data collected by Takumi Runner can be viewed and analyzed in the Shisho Cloud console. This page explains how to read each tab in the job detail view.

## Accessing the Job Detail View {#accessing-traces}

Log in to the Shisho Cloud console and select the target job from **Runner** > **Jobs**. The job detail view will appear.

The job detail view has six tabs — **Overview**, **Timeline**, **Execution**, **Network**, **File Access**, and **Query** — each providing a different perspective on the trace data.

## Overview Tab {#overview-tab}

The overview tab shows a summary of process executions, network connections, and file accesses that occurred during the job.

![Overview tab](/docs/_md-assets/3e444a586b-job-overview.png)

Click the "View details" link in each section to navigate to the corresponding tab.

## Timeline Tab {#timeline-tab}

The timeline tab lists each workflow step. Each step shows its type (`uses` or `run`) and the number of processes detected within that step.

![Timeline tab](/docs/_md-assets/df92b4d670-job-timeline.png)

Select a step to view the trace events that occurred during its execution.

## Execution Tab {#execution-tab}

The execution tab displays all processes launched during the job as a chronological process tree. Each process shows its PID, command name, and the executed command line.

![Execution tab](/docs/_md-assets/e465efcd7c-job-execution.png)

Expand child processes to trace parent-child relationships.

## Network Tab {#network-tab}

The network tab displays network connections that occurred during the job, categorized by destination type. Destinations are classified into four categories: **External Services**, **GitHub Infrastructure**, **Package Registries**, and **Runner Infrastructure**.

![Network tab](/docs/_md-assets/afdfe8dce4-job-network.png)

The connection graph provides a graphical view of communication destinations from the workflow. This is useful for identifying suspicious outbound connections.

## File Access Tab {#fileaccess-tab}

The file access tab displays files accessed during the job as a directory tree. Each directory and file shows the number of accesses and the access type (read / write / create / truncate / append).

![File access tab](/docs/_md-assets/d51941b5ef-job-fileaccess.png)

Expand directories and click files to view access details.

## Query Tab {#query-tab}

The query tab lets you run arbitrary SQL (DuckDB) queries against the trace data. Use this when you need analysis beyond what the predefined tabs provide.

![Query tab](/docs/_md-assets/61508f6bc4-job-query.png)

Enter SQL in the query editor and click **Run Query** to see results. Previously executed queries can be reused from **History**.

## Analysis Tips {#analysis-tips}

### Checking for Suspicious Outbound Connections {#suspicious-connections}

In the **External Services** section of the network tab, check for connections to hosts that are not needed for the build. For example, if connections to hosts other than `registry.npmjs.org` are made during `npm install`, a malicious package's postinstall script may be sending data externally.

### Sensitive File Access {#sensitive-file-access}

In the file access tab, check whether accesses to paths containing credentials — such as `~/.netrc`, `~/.ssh/`, or `~/.aws/` — have been recorded. A normal build process typically does not need to access these files.