Security

Security Policy

Reporting a vulnerability

If you find a security vulnerability in Trojan, do not open a public GitHub issue.

Email security@trojancli.com with:

  • A description of the vulnerability
  • Steps to reproduce
  • Potential impact

We aim to respond within 48 hours and will keep you informed throughout the fix process. We will credit you in the release notes unless you prefer otherwise.

Release integrity

Every Trojan release is signed, attested, and reproducibly built. You can verify any installed binary independently.

GPG signing

The checksums file (trojan_VERSION_checksums.txt) and binary checksums file (trojan_VERSION_binary_checksums.txt) for every release are signed with our GPG key. The public key is embedded in the binary itself, so trojan verify requires no external tooling.

SLSA provenance

Every release is attested via GitHub's SLSA provenance action, published to the public Sigstore transparency log. This creates a verifiable chain from source code → GitHub Actions build → released binary.

Reproducible builds

Trojan is built with CGO_ENABLED=0 and deterministic ldflags. You can compile from source and verify the hash matches the release.

Config file permissions

~/.trojan/config.json (which holds your auth token) is written with 0600 permissions — owner read/write only.

Verify your installation

Run this at any time to confirm your binary is authentic:

trojan verify

This checks:

  1. The SHA256 of the running binary against the hash published with its release
  2. The GPG signature on the checksums file against our embedded public key

Verify manually

# Download the checksums file and signature for your version
curl -fsSL https://github.com/dev-zeph/Trojan/releases/download/vVERSION/trojan_VERSION_checksums.txt -o checksums.txt
curl -fsSL https://github.com/dev-zeph/Trojan/releases/download/vVERSION/trojan_VERSION_checksums.txt.sig -o checksums.txt.sig

# Verify the signature (requires gpg)
gpg --verify checksums.txt.sig checksums.txt

# Verify the archive hash
sha256sum --check --ignore-missing checksums.txt

Our public GPG key

Fingerprint: 2151 E3D2 9925 277B E7A3 EF53 8A5B B76B CEFF CB1F

The public key is embedded in every Trojan binary. It is also available on standard keyservers under the fingerprint above.
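The two checks the manual steps above perform (checksum match, GPG signature) can be pinned to the fingerprint published here. The following is an added example, not the project's own code: it parses a sha256sum-style checksums file, compares a computed digest against the published one, and reads gpg's machine-readable status output so that only a signature from the key with the listed fingerprint (signing key or its primary key) is accepted, since "Good signature" alone means any key in your keyring signed it. The archive name and status lines below are constructed sample data.

```python
import hashlib
import re
import subprocess

# Fingerprint from the project's security policy; the spaces are cosmetic.
EXPECTED_FPR = "2151 E3D2 9925 277B E7A3 EF53 8A5B B76B CEFF CB1F"

def parse_checksums(text):
    """Parse sha256sum-style 'HEX  filename' lines into {filename: hex}."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-fA-F]{64})\s+\*?(\S+)$", line.strip())
        if m:
            entries[m.group(2)] = m.group(1).lower()
    return entries

def sha256_file(path):
    """SHA256 hex digest of a file on disk (the downloaded archive or binary)."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def binary_matches(checksums_text, name, digest_hex):
    """True only if `name` is listed and its published hash equals digest_hex."""
    published = parse_checksums(checksums_text).get(name)
    return published is not None and published == digest_hex.lower()

def signer_fingerprint_ok(gpg_status, expected=EXPECTED_FPR):
    """'Good signature' means *some* key in the keyring signed the file. Require
    the VALIDSIG status line to name the published key (signing or primary)."""
    want = expected.replace(" ", "").upper()
    for line in gpg_status.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return want in (parts[2].upper(), parts[-1].upper())
    return False  # no VALIDSIG line: bad, missing, or unknown-key signature

def gpg_verify(sig_path, data_path):
    """Run gpg with status output on stdout and pin the signer fingerprint."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path, data_path],
                          capture_output=True, text=True)
    return proc.returncode == 0 and signer_fingerprint_ok(proc.stdout)

# Constructed sample data (not a real release, checksum line, or signature).
SAMPLE_BINARY = b"constructed stand-in for a release archive\n"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_BINARY).hexdigest()
SAMPLE_CHECKSUMS = f"{SAMPLE_DIGEST}  trojan_VERSION_linux_amd64.tar.gz\n"
SAMPLE_STATUS_OK = ("[GNUPG:] VALIDSIG 2151E3D29925277BE7A3EF538A5BB76BCEFFCB1F "
                    "2024-01-01 1704067200 0 4 0 22 8 00 "
                    "2151E3D29925277BE7A3EF538A5BB76BCEFFCB1F\n")
```

For a real check, call `gpg_verify("checksums.txt.sig", "checksums.txt")` and then `binary_matches(open("checksums.txt").read(), archive_name, sha256_file(archive_name))`.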

Supply chain notes

The open-source scanners Trojan wraps (Semgrep, Trivy, Gitleaks, Checkov, Syft) are read-only by design — they analyze code, they never write to it. Even in a worst-case upstream compromise, these tools cannot inject code into your project. The primary supply chain risk is Trojan itself, which is why we invest in signing, attestation, and reproducible builds.

Scanner versions are pinned and auto-installed via trojan init. If a scanner binary changes unexpectedly between runs, Trojan will warn you.