Trajan scans CI/CD pipelines for security vulnerabilities that attackers use to compromise software supply chains. It supports GitHub Actions, GitLab CI, Azure DevOps, Jenkins, and JFrog.
Trajan parses workflow YAML files, builds dependency graphs, runs detection plugins, and validates exploitability through built-in attack capabilities.
- 32 detection plugins across multiple CI/CD platforms
- 24 attack plugins across multiple CI/CD platforms
- Graph-based analysis with taint tracking and gate detection
- Browser-based scanner via WebAssembly (no backend needed)
- Attack chains for multi-stage sequences with automatic context passing
> **Note:** Trajan is under active development. Some features may be incomplete and rough edges are expected. If you run into issues, please open one.
Prebuilt binaries are available on the releases page.
```shell
go install github.com/praetorian-inc/trajan/cmd/trajan@latest
```

Or build from source:

```shell
git clone https://github.com/praetorian-inc/trajan.git
cd trajan && make build
```

Requirements:

- Go 1.24 or later
- GitHub Personal Access Token with `repo` scope (for private repositories) or `public_repo` scope (for public repositories only)
Trajan can be embedded as a Go library for programmatic CI/CD security scanning. The pkg/lib package provides a public SDK that wraps Trajan's internal platform registry, detection engine, and scanner into a single high-level API.
```go
import (
	"context"
	"fmt"
	"log"
	"os"
	"time"

	"github.com/praetorian-inc/trajan/pkg/lib"
)

ctx := context.Background()
result, err := lib.Scan(ctx, lib.ScanConfig{
	Platform:    "github",
	Token:       os.Getenv("GH_TOKEN"),
	Org:         "myorg",
	Repo:        "myrepo",
	Concurrency: 10,
	Timeout:     5 * time.Minute,
})
if err != nil {
	log.Fatal(err)
}
for _, f := range result.Findings {
	fmt.Printf("[%s] %s in %s: %s\n", f.Severity, f.Type, f.WorkflowFile, f.Evidence)
}
```

| Function | Description |
|---|---|
| `lib.Scan(ctx, cfg)` | Full scan: platform init → workflow discovery → detection execution |
| `lib.GetPlatform(name)` | Get a platform adapter by name (github, gitlab, azuredevops, bitbucket, jenkins, jfrog) |
| `lib.ListPlatforms()` | List all registered platform names |
| `lib.GetDetections(platform)` | Get detection plugins for a specific platform |
| `lib.GetDetectionsForPlatform(platform)` | Get platform-specific + cross-platform detections |
| `lib.ListDetectionPlatforms()` | List platforms with registered detections |
```go
type ScanConfig struct {
	Platform    string        // CI/CD platform (required)
	Token       string        // API authentication token
	BaseURL     string        // Custom base URL for self-hosted instances
	Org         string        // Organization/owner name
	Repo        string        // Repository name (empty = scan all org repos)
	Concurrency int           // Parallel detection workers (default: 10)
	Timeout     time.Duration // Max scan duration (default: 5m)
}
```

```go
type ScanResult struct {
	Findings  []detections.Finding // Security vulnerabilities detected
	Workflows []platforms.Workflow // CI/CD workflow files discovered
	Errors    []error              // Non-fatal errors during scanning
}
```

The SDK is used by the Chariot attack surface management platform to run CI/CD security scans as a capability:
```go
import trajanlib "github.com/praetorian-inc/trajan/pkg/lib"

result, err := trajanlib.Scan(ctx, trajanlib.ScanConfig{
	Platform: platformName,
	Token:    token,
	Org:      repo.Org,
	Repo:     repo.Name,
})
// Convert result.Findings → capmodel.Risk emissions
```

```shell
# Scan a GitHub repo
export GH_TOKEN=ghp_your_token
trajan github scan --repo owner/repo

# Scan a GitHub org
trajan github scan --org myorg --concurrency 20

# Scan GitLab projects
export GITLAB_TOKEN=glpat_your_token
trajan gitlab scan --group mygroup

# Scan Azure DevOps
export AZURE_DEVOPS_PAT=your_pat
trajan ado scan --org myorg --repo myproject/myrepo

# JSON output
trajan github scan --repo owner/repo -o json > results.json
```

For detailed usage, detection explanations, and attack walkthroughs, see the Wiki.
| Platform | Detections | Attacks | Enumerate |
|---|---|---|---|
| GitHub Actions | 11 | 9 | token, repos, secrets |
| GitLab CI | 8 | 3 | token, projects, groups, secrets, runners, branch-protections |
| Azure DevOps | 6 | 9 | token, projects, repos, pipelines, connections, agent-pools, users, groups, and more |
| Jenkins | 7 | 3 | access, jobs, nodes, plugins |
| JFrog | scan-only | - | - |
Trajan also compiles to a WebAssembly binary that runs entirely in the browser as a single HTML file. It uses the same detection engine, attack plugins, and enumeration logic as the CLI, just compiled to WASM. The web version of Trajan enables low-friction delivery into target environments as part of an assessment.
```shell
make wasm      # build browser/trajan.wasm
make wasm-dist # build self-contained trajan-standalone.html
```

```mermaid
graph TD
    subgraph CLI
        CMD[Cobra Commands]
    end
    subgraph Platforms
        GH[GitHub]
        GL[GitLab]
        ADO[Azure DevOps]
        JK[Jenkins]
        JF[JFrog]
    end
    CMD --> GH & GL & ADO & JK & JF
    subgraph SF[Scan Flow]
        API[Platform API] --> |fetch workflows| YAML[Workflow YAML]
        YAML --> P
        subgraph P[Parser]
            direction LR
            GHP[GitHub] ~~~ GLP[GitLab] ~~~ ADP[Azure] ~~~ JKP[Jenkins]
        end
        P --> NW[Normalized Workflow]
        NW --> GB[Graph Builder]
        GB --> Graph[Workflow → Job → Step Graph]
    end
    subgraph AE[Analysis Engine]
        direction LR
        TT[Taint Tracker] --> Tagged[Tagged Graph]
        Tagged --> DP[Detection Plugins]
        DP --> GA[Gate Analysis]
        GA --> Findings
    end
    subgraph AF[Attack Flow]
        direction LR
        AP[Attack Plugins] --> |artifacts| Session[Session Tracker]
        Session --> Cleanup
    end
    Graph --> AE
    AE --> AF
```
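The following is an added illustration of the Graph Builder → Taint Tracker → Detection Plugins stage of the scan flow above; it is example code written for this README, not Trajan's engine or one of its plugins. The `Workflow`/`Job`/`Step` types, the list of untrusted event fields treated as taint sources, the `expression-injection` finding type and the sample workflow are all constructed assumptions. It processes jobs in `needs` order, carries taint from contributor-controlled event fields through step `env`, step outputs and job outputs, and flags only a `run:` script that expands a tainted `${{ }}` expression inline; the same value read through a shell environment variable is treated as safe, which is the distinction a detection plugin for this class has to make.

```go
package main

import (
	"fmt"
	"regexp"
)

// Hypothetical normalized workflow model (not Trajan's types): Workflow -> Job -> Step.
type Step struct {
	ID      string
	Run     string            // script body; ${{ }} is expanded before the shell sees it
	Env     map[string]string // env var -> expression
	Outputs map[string]string // output name -> expression the step writes
}
type Job struct {
	Name    string
	Needs   []string
	Steps   []Step
	Outputs map[string]string // job output -> expression, e.g. steps.<id>.outputs.<name>
}
type Workflow struct{ File string; Jobs []Job }
type Finding struct{ Severity, Type, WorkflowFile, Evidence string }

// Taint sources (assumed list): expression roots whose value an outside contributor chooses.
var sources = map[string]bool{
	"github.event.issue.title": true, "github.event.issue.body": true,
	"github.event.pull_request.title": true, "github.event.pull_request.body": true,
	"github.event.pull_request.head.ref": true, "github.head_ref": true,
}
var (
	exprRe  = regexp.MustCompile(`\$\{\{\s*(.*?)\s*\}\}`) // one ${{ ... }} expression
	tokenRe = regexp.MustCompile(`[A-Za-z0-9_.\-]+`)     // dotted identifiers inside it
)

// tainted matches whole dotted tokens, so a label "env.T" does not match "env.TITLE".
func tainted(expr string, labels map[string]bool) bool {
	for _, tok := range tokenRe.FindAllString(expr, -1) {
		if sources[tok] || labels[tok] {
			return true
		}
	}
	return false
}

// TrackTaint processes jobs in dependency order, carrying taint through step env,
// step outputs and job outputs. Only a run: body that expands a tainted ${{ }} inline
// is flagged; a value read through $ENV_VAR is never spliced into the script text.
// Labels are kept workflow-wide, which over-approximates step-scoped env.
func TrackTaint(wf Workflow) []Finding {
	var findings []Finding
	labels, done := map[string]bool{}, map[string]bool{}
	mark := func(prefix string, exprs map[string]string) {
		for name, e := range exprs {
			if tainted(e, labels) {
				labels[prefix+name] = true
			}
		}
	}
	for pass := 0; pass < len(wf.Jobs); pass++ { // n passes suffice for an acyclic needs graph
		for _, job := range wf.Jobs {
			ready := !done[job.Name]
			for _, n := range job.Needs {
				ready = ready && done[n] // wait until every needed job has been processed
			}
			if !ready {
				continue
			}
			done[job.Name] = true
			for _, st := range job.Steps {
				mark("env.", st.Env)
				for _, m := range exprRe.FindAllStringSubmatch(st.Run, -1) {
					if tainted(m[1], labels) {
						findings = append(findings, Finding{"HIGH", "expression-injection", wf.File,
							fmt.Sprintf("job %q step %q expands %s in run:", job.Name, st.ID, m[0])})
						break // one finding per step
					}
				}
				mark("steps."+st.ID+".outputs.", st.Outputs)
			}
			mark("needs."+job.Name+".outputs.", job.Outputs)
		}
	}
	return findings // jobs whose needs never resolve (cycles) are skipped
}

// SampleWorkflow is a constructed input, listed out of dependency order on purpose:
// an issue title reaches one safe consumer ($TITLE) and two unsafe inline expansions.
func SampleWorkflow() Workflow {
	return Workflow{File: ".github/workflows/triage.yml", Jobs: []Job{
		{Name: "label", Needs: []string{"prep"}, Steps: []Step{
			{ID: "safe", Env: map[string]string{"TITLE": "${{ needs.prep.outputs.title }}"}, Run: `echo "$TITLE"`},
			{ID: "unsafe", Run: `echo "${{ needs.prep.outputs.title }}"`},
			{ID: "unsafe-env", Env: map[string]string{"T": "${{ github.head_ref }}"}, Run: "git checkout ${{ env.T }}"},
		}},
		{Name: "prep", Steps: []Step{
			{ID: "t", Run: "echo prep", Outputs: map[string]string{"title": "${{ github.event.issue.title }}"}},
		}, Outputs: map[string]string{"title": "${{ steps.t.outputs.title }}"}},
	}}
}

func main() {
	for _, f := range TrackTaint(SampleWorkflow()) {
		fmt.Printf("[%s] %s in %s: %s\n", f.Severity, f.Type, f.WorkflowFile, f.Evidence)
	}
}
```

Running it reports two findings for the `label` job (`unsafe` and `unsafe-env`) and none for `safe`, even though all three steps consume the same attacker-influenced title. A real engine would additionally scope env labels per step and per job and parse the workflow YAML rather than taking prebuilt structs, but the propagation order (env → run check → step outputs → job outputs, jobs in `needs` order) is the part that the Workflow → Job → Step graph exists to support.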
Additional CI/CD platform support is in active development:
- Bitbucket Pipelines
- CircleCI
- AWS CodePipeline
- Google Cloud Build
See CONTRIBUTING.md for development guidelines, plugin authoring, and project structure.
Built on research from Gato, Glato, Gato-X by Adnan Khan, and the GitHub Security Lab.
Apache 2.0. See LICENSE.