Documentation

Getting started

Everything you need to install Trojan, run your first scan, and integrate it into your workflow.

Installation

macOS (Homebrew)

brew install trojan

Linux / macOS (install script)

curl -fsSL https://trojan.dev/install.sh | sh

Go

go install github.com/dev-zeph/trojan/cmd/trojan@latest

Your first scan

Navigate to your project directory and run:

trojan scan

Trojan auto-installs the underlying scanners (Semgrep, Trivy, Gitleaks, Checkov, Syft) on first run if they're not already present. This takes about a minute.

When the scan finishes, a browser tab opens at http://localhost:7878 with the full report. Press Ctrl+C to close.

Commands

trojan scan

Scan the current directory and open the local report.

trojan scan [path]

Scan a specific directory.

trojan scan --pre-commit

Fast scan with no UI — exits non-zero on Critical/High findings. Used by the git hook.

trojan scan --watch

Re-scan on every file save and push live updates to the open report. Pro only.

trojan ci

CI mode — outputs SARIF 2.1.0, exits non-zero on findings above threshold. No browser or UI.

trojan ci --output <file>

Write SARIF output to a file instead of stdout.

trojan ci --severity <level>

Set the exit threshold (default: high). Options: critical, high, medium, low.

trojan hook install

Install a pre-commit git hook that blocks commits with Critical/High findings.

trojan hook uninstall

Remove the Trojan pre-commit hook.

trojan init

Install scanners and set up Trojan for this project.

trojan login

Log in to unlock Pro AI features and MCP integration.

trojan logout

Log out and clear saved credentials.

trojan pro

Check your current plan and subscription status.

trojan mcp install

Auto-configure Claude Code, Cursor, and Codex CLI to use the Trojan MCP server. Requires Pro.

trojan mcp [path]

Start the MCP server over stdio — used internally by editors, not called directly.

trojan update

Check for and install a newer version of Trojan.

trojan version

Print the installed version.

CI integration

trojan ci runs all scanners silently and outputs SARIF 2.1.0 — compatible with GitHub Code Scanning, GitLab Security Dashboard, and any SARIF-aware CI tool.

Example GitHub Actions step:

- name: Trojan security scan
  run: trojan ci --output trojan.sarif
- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: trojan.sarif

The exit code is 1 when any finding at or above the threshold is detected (default: high) and 0 otherwise, so findings below the threshold do not fail the job. Use --severity critical to fail only on critical findings.
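To make the threshold rule above concrete, here is an added example (not Trojan's own code) that reads a SARIF 2.1.0 report and reproduces the exit-code policy of trojan ci --severity: count findings per severity and exit 1 if any sits at or above the chosen level. The page does not say how Trojan encodes severity inside SARIF, so the script assumes the per-rule security-severity score that GitHub Code Scanning reads and falls back to the SARIF result level when that property is absent; the embedded report, its rule ids and scores are constructed for the demo.

```python
"""CI gate over a SARIF 2.1.0 report, mirroring the trojan ci --severity exit rule.

Added example, not Trojan's own code. Assumes each SARIF rule may carry the
GitHub Code Scanning "security-severity" property (a 0-10 score) and uses the
SARIF result "level" as a fallback; the sample report below is constructed.
"""
import json
import sys

# Severity ladder, lowest first; a threshold of "high" blocks on high and critical.
SEVERITIES = ["low", "medium", "high", "critical"]

# Fallback mapping from SARIF result levels when a rule has no score.
LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low", "none": "low"}


def bucket_score(score: float) -> str:
    """Map a security-severity score to a bucket using GitHub's documented ranges."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def result_severity(result: dict, rules_by_id: dict) -> str:
    """Severity of one SARIF result: rule score first, result level as fallback."""
    rule = rules_by_id.get(result.get("ruleId"), {})
    score = rule.get("properties", {}).get("security-severity")
    if score is not None:
        return bucket_score(float(score))
    # SARIF treats a result with no explicit level as "warning".
    return LEVEL_TO_SEVERITY.get(result.get("level", "warning"), "medium")


def count_by_severity(sarif: dict) -> dict:
    """Count results across every run of the report, keyed by severity bucket."""
    counts = {s: 0 for s in SEVERITIES}
    for run in sarif.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        rules_by_id = {r["id"]: r for r in rules if "id" in r}
        for result in run.get("results", []):
            counts[result_severity(result, rules_by_id)] += 1
    return counts


def exit_code(counts: dict, threshold: str = "high") -> int:
    """1 if any finding is at or above the threshold, else 0 (the trojan ci rule)."""
    if threshold not in SEVERITIES:
        raise ValueError(f"unknown severity threshold: {threshold}")
    floor = SEVERITIES.index(threshold)
    blocking = sum(counts[s] for s in SEVERITIES[floor:])
    return 1 if blocking else 0


# Constructed sample report: tool name, rule ids and scores are made up for this demo.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "sample-scanner", "rules": [
            {"id": "sample/hardcoded-secret", "properties": {"security-severity": "9.8"}},
            {"id": "sample/sql-injection", "properties": {"security-severity": "7.5"}},
            {"id": "sample/missing-tls-verify", "properties": {"security-severity": "5.3"}},
            {"id": "sample/unpinned-image-tag"},  # no score: level fallback applies
        ]}},
        "results": [
            {"ruleId": "sample/hardcoded-secret", "level": "error",
             "message": {"text": "credential literal in config.py"}},
            {"ruleId": "sample/sql-injection", "level": "error",
             "message": {"text": "string-formatted query in db.py"}},
            {"ruleId": "sample/missing-tls-verify", "level": "warning",
             "message": {"text": "verify=False in client.py"}},
            {"ruleId": "sample/unpinned-image-tag", "level": "note",
             "message": {"text": "image uses :latest in Dockerfile"}},
        ],
    }],
}


def main(argv: list) -> int:
    """Usage: gate.py [report.sarif] [threshold]; without a file the sample report is used."""
    path = argv[1] if len(argv) > 1 else None
    threshold = argv[2] if len(argv) > 2 else "high"
    if path:
        with open(path, encoding="utf-8") as fh:
            sarif = json.load(fh)
    else:
        sarif = SAMPLE_SARIF
    counts = count_by_severity(sarif)
    for sev in reversed(SEVERITIES):
        print(f"{sev:>8}: {counts[sev]}")
    code = exit_code(counts, threshold)
    print(f"threshold={threshold} -> exit {code}")
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python3 gate.py trojan.sarif critical after the trojan ci --output step to get a second, independent gate, or with no arguments to see the sample report evaluated. The rule-score-first ordering matters because SARIF's level only has four values and many tools emit "error" for everything they consider a problem, which would otherwise collapse the medium/high distinction the threshold depends on.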

Pre-commit hook

Trojan can block commits that introduce Critical or High severity findings. Install the hook from your project root:

trojan hook install

This writes a .git/hooks/pre-commit script that runs trojan scan --pre-commit before each commit — no browser, no UI, just a fast scan. If Critical or High findings are detected, the commit is blocked and the findings are printed to your terminal.

To remove the hook:

trojan hook uninstall

Trojan will not overwrite an existing pre-commit hook that it didn't install. If you already have one, add a call to trojan scan --pre-commit to it yourself, and make sure the hook exits non-zero when that call does, since that exit status is what blocks the commit.

AI features (Pro)

Pro unlocks AI-generated explanations for every finding — plain-English descriptions of what the vulnerability means for your app and step-by-step fix instructions, powered by DeepSeek.

trojan login

This opens a login page in your browser. After subscribing at trojan.dev/pricing, log in and run trojan scan to see AI explanations in the report.

Free plan users see up to 5 low- and medium-severity reports. Critical and high findings are visible but locked — upgrade to unlock all findings and AI explanations.

MCP integration (Pro)

Trojan exposes your vulnerability findings via the Model Context Protocol, letting AI editors like Claude Code, Cursor, and GitHub Copilot read your scan results and fix vulnerabilities for you — without leaving your editor.

trojan mcp install

This auto-detects and configures Claude Code, Cursor, and Codex CLI. Then run a scan and ask your AI:

"Create a plan to fix all the High to Critical vulnerabilities found by Trojan and execute."

MCP requires a Pro subscription. Upgrade at trojan.dev/pricing.