Trailmark turns code into graphs

2026-04-23 · Source: The Trail of Bits Blog · Field: Technology & Digital — Software Development & Engineering, Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy · Depth: Advanced, medium

Summary

Trailmark, an open-source library released on April 23, 2026, transforms source code into a queryable call graph, exposing it via a Python API for AI-assisted software analysis, particularly with Claude skills. It addresses the limitation of list-based code analysis by providing a structural view of functions, classes, and call relationships across 17 languages, including C, Rust, Go, Python, and Solidity. Trailmark operates in three phases: parsing code with tree-sitter, indexing the graph with rustworkx, and enabling complex queries like pathfinding and attack surface enumeration. Eight integrated Claude Code skills leverage this graph for tasks such as mutation triage ("genotoxic"), test vector generation ("vector-forge"), and architectural diagramming ("diagram"). Internal use on cryptographic libraries revealed that 73% of 45 surviving mutants in an Ed448 implementation were equivalent, and libhydrogen's entire functionality funnels through gimli_core_u8, highlighting architectural risks invisible to linear review. Trailmark also identified blast radius concentrations in arithmetic modules, high-value fuzzing targets in codec parsers, and sparse property-based testing in Rust crypto crates.

Key takeaway

For AI Security Engineers evaluating code quality or architectural risks, adopting graph-based analysis tools like Trailmark is crucial. Your current list-based methods likely miss critical insights into attack surface, blast radius, and true test coverage gaps. Integrate Trailmark to automatically triage mutation testing results and identify architectural bottlenecks. This will pinpoint high-value fuzzing targets, enhancing your ability to secure complex codebases more effectively.

Key insights

Code analysis benefits significantly from graph-based reasoning over list-based approaches, especially for security and test quality.

Principles

• Attackers think in graphs; defenders should too.
• Equivalent mutants often dominate mutation testing results.
• Architectural risks are clearer with graph visualization.

Method

Trailmark parses source code into an AST, extracts functions, classes, and call edges, then indexes this into a rustworkx PyDiGraph for querying callers, callees, paths, and complexity hotspots.

In practice

• Use "genotoxic" to triage mutation testing results by security relevance.
• Employ "diagram" to visualize call graphs and complexity heatmaps.
• Integrate SARIF/weAudit findings onto graph nodes for unified analysis.

Topics

• Code Graph Analysis
• Mutation Testing
• AI-Assisted Security
• Cryptographic Libraries
• Static Analysis
• Architectural Risk

Code references

• trailofbits/trailmark
• JohnLaTwC/Shared
• google/wycheproof

Best for: AI Architect, CTO, VP of Engineering/Data, AI Engineer, AI Security Engineer, Software Engineer

Related on AIssential

• Mutation testing for the agentic era — Mutation testing tools MuTON and mewt, powered by Tree-sitter and AI agents, enhance software quality by efficiently identifying untested code paths.
• AI is getting scary good at finding hidden software bugs - even in decades-old code — AI excels at finding obscure bugs in legacy code but also expands the attack surface for unpatchable systems.
• FlowGuard: Flow Matching for Identity-Independent Detection of Data-Free Model Stealing Attacks on Energy System Intrusion Detection Systems — FlowGuard detects data-free model stealing in energy IDS by identifying synthetic queries as out-of-distribution via flow matching.
• Autoresearch Claude Code Hacker - Can It Breach My Vibecoded Site? — An AI-driven red teaming framework can autonomously test web application security and iteratively refine attack strategies.
• Towards Secure Retrieval-Augmented Generation: A Comprehensive Review of Threats, Defenses and Benchmarks — RAG's multi-module architecture introduces complex security vulnerabilities requiring end-to-end threat and defense analysis.
• AI cybersecurity is not proof of work — AI cybersecurity success depends on model intelligence and understanding, not merely "proof of work" computational resources.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by The Trail of Bits Blog.