Installation
macOS & Linux — recommended
curl -fsSL https://trojancli.com/install.sh | sh
Detects your OS and architecture, downloads the right binary from GitHub Releases, and installs it to /usr/local/bin.
macOS (Homebrew tap)
brew install dev-zeph/trojan/trojan
Go
go install github.com/dev-zeph/trojan/cmd/trojan@latest
Your first scan
Navigate to your project directory and run:
trojan scan
Trojan auto-installs the underlying scanners (Semgrep, Trivy, Gitleaks, Checkov, Syft) on first run if they're not already present. This takes about a minute.
When the scan finishes, a browser tab opens at http://localhost:7878 with the full report. Press Ctrl+C to close.
To also scan your running app for runtime vulnerabilities, see DAST scanning →
DAST scanning
DAST (Dynamic Application Security Testing) scans your running local server for runtime vulnerabilities — things that only show up when the app is actually executing. It fires 6,000+ attack templates from Nuclei against your dev server and opens a separate report.
Start your dev server, then in another terminal:
trojan dast http://localhost:3000
On first run, Trojan downloads Nuclei automatically to ~/.trojan/bin/. The scan takes 3–5 minutes and streams live progress to your terminal. When it finishes, a DAST report opens at http://localhost:7879.
$ trojan dast http://localhost:3000 ✓ Server is up ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Before we start, a few things to know: Is http://localhost:3000 the URL of your localhost instance? Testing against URLs you don't own is a crime punishable by law. Confirm (y/n): y ... [nuclei] Templates loaded: 6,618 [nuclei] Scan completed in 3m. 2 matches found. 2 findings — 1 high 1 medium → Report ready at http://localhost:7879
DAST catches things SAST can't — CORS misconfigurations, exposed config files, missing security headers, and vulnerabilities that only exist at runtime. Run both for full coverage.
Commands
trojan scanScan the current directory and open the local SAST report.
trojan scan [path]Scan a specific directory.
trojan scan --pre-commitFast scan with no UI — exits non-zero on Critical/High findings. Used by the git hook.
trojan scan --watchRe-scan on every file save and push live updates to the open report. Pro only.
trojan dast <url>Scan a running local server for runtime vulnerabilities using 6,000+ Nuclei templates. Opens a separate DAST report.
trojan ciCI mode — outputs SARIF 2.1.0, exits non-zero on findings above threshold. No browser or UI.
trojan ci --output <file>Write SARIF output to a file instead of stdout.
trojan ci --severity <level>Set the exit threshold (default: high). Options: critical, high, medium, low.
trojan hook installInstall a pre-commit git hook that blocks commits with Critical/High findings.
trojan hook uninstallRemove the Trojan pre-commit hook.
trojan initInstall scanners and set up Trojan for this project.
trojan loginLog in to unlock Pro AI features and MCP integration.
trojan logoutLog out and clear saved credentials.
trojan proCheck your current plan and subscription status.
trojan mcp installAuto-configure Claude Code, Cursor, and Codex CLI to use the Trojan MCP server. Requires Pro.
trojan mcp [path]Start the MCP server over stdio — used internally by editors, not called directly.
trojan updateCheck for and install a newer version of Trojan.
trojan versionPrint the installed version.
CI integration
trojan ci runs all scanners silently and outputs SARIF 2.1.0 — compatible with GitHub Code Scanning, GitLab Security Dashboard, and any SARIF-aware CI tool.
Example GitHub Actions step:
- name: Trojan security scan
run: trojan ci --output trojan.sarif
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: trojan.sarifExit code is 1 when findings at or above the threshold are detected (default: high), 0 when clean. Use --severity critical to only fail on critical findings.
Pre-commit hook
Trojan can block commits that introduce Critical or High severity findings. Install the hook from your project root:
trojan hook install
This writes a .git/hooks/pre-commit script that runs trojan scan --pre-commit before each commit — no browser, no UI, just a fast scan. If Critical or High findings are detected, the commit is blocked and the findings are printed to your terminal.
To remove the hook:
trojan hook uninstall
Trojan will not overwrite an existing pre-commit hook that it didn't install. If you already have one, manually add trojan scan --pre-commit to it.
AI features
Pro unlocks AI-generated explanations for every finding — plain-English descriptions of what the vulnerability means for your app and step-by-step fix instructions.
trojan login
This opens a login page in your browser. After subscribing, log in and run trojan scan to see AI explanations in the report.
Free plan users see up to 5 low and medium severity reports. Critical and high findings are visible but locked — upgrade to unlock all findings and AI explanations.
MCP integration
Trojan exposes your vulnerability findings via the Model Context Protocol, letting AI editors like Claude Code, Cursor, and GitHub Copilot read your scan results and fix vulnerabilities for you — without leaving your editor.
trojan mcp install
This auto-detects and configures Claude Code, Cursor, and Codex CLI. Then run a scan and ask your AI:
"Create a plan to fix all the High to Critical vulnerabilities found by Trojan and execute."
Ready to unlock everything?
Full reports, AI explanations, and MCP integration from $8.25/month.