praetorian-inc

A multi-platform CI/CD vulnerability detection and attack automation tool for identifying security weaknesses in pipeline configurations.

13
1
100% credibility
Found Mar 07, 2026 at 13 stars.
AI Analysis (language: Go)

AI Summary

Trajan is an open-source security scanner that analyzes CI/CD pipelines across platforms like GitHub Actions, GitLab CI, Azure DevOps, Jenkins, and JFrog for vulnerabilities exploitable by attackers.

How It Works

1. 📰 Discover Trajan: You hear about Trajan, a helpful tool that checks your team's automated build and deploy processes for hidden weak spots attackers might use.
2. 📥 Get the scanner: Download the ready-to-run program to your computer or open it right in your web browser.
3. 🔗 Link your workspace: Connect it to your development platform like GitHub or GitLab so it can safely look at your projects.
4. 🎯 Pick your projects: Choose the repositories or team folders you want to check for safety.
5. 🔍 Run the security check: Hit start and watch it carefully review your build steps for risks, showing progress as it goes.
6. 📊 Review the results: See a clear list of issues found, ranked by how serious they are, with simple explanations.
7. 🛡️ Strengthen your pipelines: Use the tips to fix problems, rescan, and feel confident your builds are now protected from common attacks.

AI-Generated Review

What is trajan?

Trajan is a Go-based CLI and browser tool that scans CI/CD pipelines across GitHub Actions, GitLab CI, Azure DevOps, Jenkins, and JFrog for security vulnerabilities like secret leaks and injection flaws. It parses workflows, builds dependency graphs with taint tracking, and runs 32 detection plugins plus 24 attack plugins to validate exploits automatically. Users get quick scans via `trajan github scan --repo owner/repo` or a standalone WebAssembly HTML file for browser-based analysis without servers.
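As an added illustration of the "injection flaws" such a scanner looks for, the Python sketch below is not Trajan's code (Trajan is written in Go) but shows the simplest form of the check: find `${{ ... }}` expressions inside `run:` steps of a GitHub Actions workflow that reference event fields an outside contributor controls, and report their line numbers. It handles both inline `run:` values and `run: |` block scalars without a YAML library. The list of untrusted contexts is an assumption, a small subset of the event fields GitHub documents as attacker-controllable, and the vulnerable and hardened workflows are constructed for the example; the hardened variant passes the same data through `env:` so the shell sees a variable rather than interpolated text.

```python
import re

# Expression contexts that carry text an outside contributor controls.
# Assumption: a subset chosen for this example, not an exhaustive inventory.
UNTRUSTED_CONTEXTS = (
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.comment.body",
    "github.event.review.body",
    "github.event.head_commit.message",
    "github.head_ref",
)

EXPR_RE = re.compile(r"\$\{\{(.*?)\}\}")
RUN_KEY_RE = re.compile(r"^(-\s+)?run:\s*(.*)$")
BLOCK_INDICATORS = ("|", "|-", "|+", ">", ">-", ">+")


def untrusted_refs(expr):
    """Return the untrusted context names referenced inside one ${{ }} expression."""
    return [ctx for ctx in UNTRUSTED_CONTEXTS if ctx in expr]


def _expressions(fragment, line_no):
    """Collect (line_no, expression) for every untrusted expression in one line of shell."""
    out = []
    for m in EXPR_RE.finditer(fragment):
        expr = m.group(1).strip()
        if untrusted_refs(expr):
            out.append((line_no, expr))
    return out


def scan_workflow(text):
    """Return (line_no, expression) pairs where untrusted event data reaches a run: step.

    A block scalar (run: |) ends at the first non-blank line indented at or to the
    left of the run: key; that line is then inspected as a normal line.
    """
    findings = []
    key_col = None  # column of the run: key while inside a block scalar

    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)

        if key_col is not None:
            if stripped and indent <= key_col:
                key_col = None  # block scalar finished; fall through
            else:
                findings.extend(_expressions(stripped, line_no))
                continue

        m = RUN_KEY_RE.match(stripped)
        if not m:
            continue
        dash, value = m.groups()
        if value.rstrip() in BLOCK_INDICATORS:
            key_col = indent + (len(dash) if dash else 0)
        else:
            findings.extend(_expressions(value, line_no))
    return findings


# Constructed sample: issue title and body interpolated straight into shell.
VULNERABLE_WORKFLOW = """\
name: triage
on:
  issues:
    types: [opened]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - run: echo "New issue: ${{ github.event.issue.title }}"
      - name: Check body
        run: |
          if echo "${{ github.event.issue.body }}" | grep -q urgent; then
            echo "urgent"
          fi
      - run: echo "${{ github.repository }}"
"""

# Constructed sample: same logic, untrusted data passed via env so it is never
# rewritten into the script text.
HARDENED_WORKFLOW = """\
name: triage
on:
  issues:
    types: [opened]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - name: Check body
        env:
          ISSUE_TITLE: ${{ github.event.issue.title }}
          ISSUE_BODY: ${{ github.event.issue.body }}
        run: |
          echo "New issue: $ISSUE_TITLE"
          if printf '%s' "$ISSUE_BODY" | grep -q urgent; then echo urgent; fi
"""

if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, scan_workflow(wf))
```

The scan reports lines 9 and 12 of the vulnerable workflow and nothing for the hardened one; `github.repository` on the last step is left alone because it is not in the untrusted list. A real scanner such as the one the page describes goes further by following the value through job outputs and reusable workflows (the "taint tracking" mentioned above), but the per-step check is the same.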

Why is it gaining traction?

It stands out with multi-platform support in one tool, so there is no switching between GitHub-specific scanners, and with built-in attack automation that chains exploits and cleans up its sessions afterwards. The WASM browser version makes delivery for assessments frictionless: a single HTML file can be dropped into an air-gapped environment. Graph-based gates and taint analysis catch subtle issues that other scanners miss, and results are output as JSON, SARIF, or HTML.

Who should use this?

Red teamers probing supply chain attacks on GitHub orgs or Azure DevOps pipelines. DevSecOps engineers auditing enterprise CI/CD for secret exposures or agent compromises. Security researchers testing multi-platform setups like GitHub Actions with self-hosted runners.

Verdict

Worth trying for targeted CI/CD pentests despite 13 stars and a 1.0% credibility score: docs and wiki are solid and tests cover the plugins well, but the project is early and has rough edges. Install via `go install` and scan your org; contribute plugins if you expand it to platforms like CircleCI.
