Open source security scanner

Aggregation of AI powered SAST + DAST tools to easily find vulnerabilities in your codebase.

Yes, we know what “trojan” usually insinuates. We mean: your codebase is the real trojan, and we find what’s hiding inside before you ship to production.

6scanners
6,000+DAST templates
0 bytesuploaded to us
100%local execution
1command to run them all

Why Trojan

Why we are for you

Your code never leaves your machine.

No code is shared with us

Trojan runs every scanner locally. Your source code, secrets, and infrastructure configs are never uploaded to any server — not ours, not anyone else's.

We collect zero data

No telemetry. No analytics on your scan results. No phone-home requests. Trojan has no idea what you're scanning — and that's intentional.

Results stay on your machine

Scan output is written to ~/.trojan/ on your local filesystem. Nothing is persisted to a cloud database or shared with third parties.

We only help you find vulnerabilities

Our job is to point out what's wrong in your code. We don't fix it for you, we don't report it anywhere — we just surface it clearly so you can act on it.

See it in action

Security at your fingertips.

Trojan scan – static analysis results
Trojan scan – dependency vulnerabilities
Trojan scan – DAST findings

What gets scanned

DASTNuclei

Runtime vulnerability scanning against your live local server — CORS issues, exposed secrets, misconfigurations, and 6,000+ attack patterns.

SASTSemgrep

SQL injection, XSS, insecure crypto, path traversal — caught before you ship.

SCATrivy

Known CVEs in your npm, pip, go.mod, maven dependencies.

SecretsGitleaks

API keys, tokens, and passwords in current code and full git history.

IaCCheckov

Terraform, Kubernetes, Dockerfile, and CloudFormation misconfigurations.

SBOMSyft

Full software bill of materials and license compliance inventory.

MCP Integration

Connect your AI tools to fix vulnerabilities for you.

Trojan exposes your findings via the Model Context Protocol. Connect any MCP-compatible AI and let it read your scan results, suggest fixes, and mark issues resolved — without leaving your editor.

trojan mcp install

Works with

Claude
ChatGPT
Gemini
Cursor
Copilot
Windsurf

“Fix all the Critical and High vulnerabilities Trojan found.”

Built with modern open-source technology

Security & privacy

Our commitment to your security and privacy

Signed releases

Every Trojan binary is GPG-signed and attested via SLSA provenance. You can cryptographically verify that what you installed was built from our source code and has not been tampered with.

View security policy

Your code never leaves your machine

Trojan runs entirely on your local machine. Scan results are written to ~/.trojan/ and never transmitted to our servers. No telemetry, no phone-home, no cloud processing of your codebase.

Pinned, verified scanner versions

Every scanner Trojan ships with is pinned to a specific version we have tested and verified. Scanners are downloaded directly to ~/.trojan/bin/ with SHA256 checksum verification — never pulled from Homebrew or pip where versions can change without warning. Scanner versions only update when we ship a new Trojan release.

Read-only scanners

The open-source tools Trojan wraps — Semgrep, Trivy, Gitleaks, Checkov, and Syft — analyze code. They never write to it. Even in a worst-case upstream compromise, these tools cannot inject code into your project.

AI features are opt-in only

The AI explanation feature only activates when you explicitly click Explain. It sends a short finding summary — never raw source code — to the AI provider. You can use every scanner in Trojan without ever touching the AI features.

Start scanning in 30 seconds.

Free tier includes all six scanners (SAST + DAST), the local web UI, and pre-commit hooks. No account required.