Skip to main content

Overview

Tracecat expressions let you build values from trigger data, action results, secrets, variables, and functions. Expressions use ${{ ... }}.

Where expressions are used

You can use expressions in:
  • Action inputs
  • run_if
  • for_each
  • Action environment
  • Workflow environment
  • Output schema
Use var.<name> in action inputs for actions that run with for_each.

Expression contexts

Use these references inside expressions:
  • TRIGGER.<field>
  • ACTIONS.<ref>.result
  • SECRETS.<name>.<KEY>
  • VARS.<name>.<key>
  • ENV.<field>
  • var.<name>
  • FN.<name>(...)

Operators

Expressions support literals and operators.

Literals

  • String literals such as "high" and 'prod'
  • Numeric literals such as 1 and 3.14
  • Boolean literals such as True and False
  • Null literals such as None
  • List literals such as ["a", "b"]
  • Object literals with string keys such as {"severity": "high"}

Operators

  • Logical operators: || and &&
  • Comparison operators such as ==, !=, <, <=, >, >=
  • Arithmetic operators such as +, -, *, /, %
  • Ternary expressions such as ${{ "p1" if TRIGGER.severity == "high" else "p3" }}
Python-style or / and and SQL-style OR / AND are not supported.

Examples

Basic trigger reference: 
text: "Alert ${{ TRIGGER.alert_id }}"
Action result reference: 
value: ${{ ACTIONS.fetch_alert.result }}
Secret reference: 
token: ${{ SECRETS.github.GITHUB_TOKEN }}
Variable reference: 
team: ${{ VARS.routing.team }}
Conditional execution: 
run_if: ${{ FN.is_equal(TRIGGER.severity, "high") }}
Iteration: 
for_each: ${{ for var.alert in TRIGGER.alerts }}
Using var.<name> in action inputs: 
title: ${{ var.alert.title }}
severity: ${{ var.alert.severity }}
Ternary: 
priority: ${{ "p1" if TRIGGER.severity == "high" else "p3" }}
Function call: 
created_at: ${{ FN.to_datetime(TRIGGER.created_at) }}
Nested list literal: 
value: ${{ [1, [2, 3], {"severity": "high", "flags": [True, False, None]}] }}
Nested object literal: 
value: ${{ {"alert": {"id": "al-123", "tags": ["auth", "critical"]}, "ok": True, "meta": None} }}

FAQ

Some actions only return data in certain conditions. For example, a hash enrichment might find no matches in your threat intel source. When a field does not exist, the expression resolves to None — no error is raised.Use run_if with a != None check to skip downstream actions when the data is missing, or use a ternary to supply a fallback value.
- ref: check_hash
  action: tools.virustotal.get_file_report
  args:
    hash: ${{ TRIGGER.file_hash }}

- ref: escalate_alert
  action: tools.slack.post_message
  depends_on:
    - check_hash
  run_if: ${{ ACTIONS.check_hash.result != None && ACTIONS.check_hash.result.malicious_count != None }}
  args:
    channel: ${{ SECRETS.slack.SECURITY_CHANNEL }}
    text: "Hash ${{ TRIGGER.file_hash }} flagged by ${{ ACTIONS.check_hash.result.malicious_count }} vendors"