Trailmark turns code into graphs #2161
Open
carlospolop wants to merge 1 commit into master from
Conversation (Collaborator, Author)
🔗 Additional Context
Original Blog Post: https://blog.trailofbits.com/2026/04/23/trailmark-turns-code-into-graphs/
Content Categories: Based on the analysis, this content was categorized under "Generic Methodologies & Resources -> Fuzzing Methodology (add a subsection on graph-based fuzz target selection and mutation-testing triage) and/or Pentesting Web -> Source code Review / SAST Tools (as a code-graph + SARIF correlation technique/tool)".
Repository Maintenance:
Review Notes:
Bot Version: HackTricks News Bot v1.0
🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
📝 Source Information
🎯 Content Summary
What this post is about
Trail of Bits open-sourced Trailmark, a library that parses source code into a queryable call graph (functions, classes, call relationships, plus semantic metadata like complexity metrics) and exposes it via a Python API intended to be called directly by Claude Code skills. The security thesis is that many important questions are graph questions (e.g., “can untrusted input reach this code, and what breaks if it’s wrong?”), whi...
🔧 Technical Details
- Graph-first security triage (reachability + blast radius): Instead of treating tool output as a flat list, build a call graph of the codebase and ask graph queries such as "is there any path from an entrypoint/untrusted input handler to this sink?" and "how many security-critical operations depend on this node?". Use `callers`/`callees` and `paths_between` to determine exploitability/reachability, and compute blast radius to prioritize fixes in high-dependency hubs.
- Mutation-testing survivor classification using structural + mathematical constraints: When mutation testing yields surviving mutants, use graph context (calling paths and call-site constraints) plus domain invariants (e.g., arithmetic algorithms structurally bounding values) to separate equivalent mutants (behavior cannot change) from true security-relevant test gaps. Survivors that remain after filtering should be translated into targeted tests or fuzzing inputs, especially...
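The reachability and blast-radius triage from the first bullet, as an added example that is not Trailmark's code or API: the call graph, the `rank_fuzz_targets` scoring and the complexity map are constructed here; only the query names `callers`, `callees` and `paths_between` come from the post.

```python
# Added example, not Trailmark's API: a toy call graph (caller -> set of callees)
# constructed here, with reachability and blast-radius queries over it.
CALL_GRAPH = {
    "http_handler": {"parse_request", "log_event"},   # untrusted entrypoint
    "parse_request": {"parse_header", "decode_body"},
    "decode_body": {"run_query"},
    "parse_header": {"run_query"},
    "cron_job": {"rotate_logs"},                       # trusted, unreachable from HTTP
    "rotate_logs": {"log_event"},
    "run_query": set(),                                # security-relevant sink
    "log_event": set(),
}

def callees(graph, node):
    return set(graph.get(node, set()))

def callers(graph, node):
    return {c for c, targets in graph.items() if node in targets}

def paths_between(graph, src, dst, _path=None):
    """All simple call paths from src to dst (depth-first)."""
    path = (_path or []) + [src]
    if src == dst:
        return [path]
    found = []
    for nxt in callees(graph, src):
        if nxt not in path:                # skip cycles / recursion
            found.extend(paths_between(graph, nxt, dst, path))
    return found

def blast_radius(graph, node):
    """Transitive callers: everything that misbehaves if node is wrong."""
    seen, stack = set(), [node]
    while stack:
        for c in callers(graph, stack.pop()):
            if c not in seen:
                seen.add(c)
                stack.append(c)
    return seen

def rank_fuzz_targets(graph, entrypoints, complexity):
    """Score reachable non-entry nodes by complexity x blast radius, best first."""
    scores = {}
    for node in graph:
        if node in entrypoints:
            continue
        if any(paths_between(graph, e, node) for e in entrypoints):
            scores[node] = complexity.get(node, 1) * max(1, len(blast_radius(graph, node)))
    return sorted(scores.items(), key=lambda kv: -kv[1])
```

Nodes only reachable from trusted entrypoints (here `cron_job`/`rotate_logs`) never appear in the ranking, which is the "reachability first, then blast radius" ordering the post argues for.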
🤖 Agent Actions
I’m mapping the repo first, then I’ll read the most relevant fuzzing and source-review pages before deciding whether this belongs in one existing file or not.
I’ve narrowed it to the existing fuzzing methodology page and the web source-review/SAST page. Next I’m reading both, plus adjacent methodology pages, to see where Trailmark adds genuinely new technique rather than tool-only overlap.
The repo already has general fuzzing guidance, but not this specific “graph-first” triage workflow. I’m verifying the Trailmark details from the project sources now, then I’ll patch a single methodology page rather than splitting the content across sections.
I’ve made the placement decision: one addition to fuzzing.md is the cleanest fit. I’m patching it with the reusable methodology, not a tool advertisement, and I’ll keep the repo references at the end of the file.
Updated fuzzing.md with a new section on graph-first fuzz target selection and mutation triage.
The addition abstracts the Trailmark post into reusable methodology: intersecting complexity, untrusted-input reachability, and blast radius to choose fuzz targets; separating equivalent mutants from actionable survivors with graph context; and projecting SARIF findings onto graph nodes to prioritize harnesses. I kept it in a single existing file, added concise CLI/Python examples, and updated the `## References` section with the Trail of Bits blog and Trailmark repo. I reviewed the diff after editing and didn't find existing HackTricks content covering this exact technique set.
This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.