{"id":50771291,"url":"https://github.com/praetorian-inc/trajan","last_synced_at":"2026-07-08T16:30:45.538Z","repository":{"id":342641257,"uuid":"1174069552","full_name":"praetorian-inc/trajan","owner":"praetorian-inc","description":"A multi-platform CI/CD vulnerability detection and attack automation tool for identifying security weaknesses in pipeline configurations.","archived":false,"fork":false,"pushed_at":"2026-07-07T10:43:52.000Z","size":1459,"stargazers_count":164,"open_issues_count":15,"forks_count":11,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-07-07T12:19:24.614Z","etag":null,"topics":["actions-injection","ci-cd-security","cicd-scanner","devsecops","github-actions-security","pipeline-security","sast","security-scanner","supply-chain-security","workflow-security"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/praetorian-inc.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":"CITATION.cff","codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-06T03:17:33.000Z","updated_at":"2026-07-02T16:31:41.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/praetorian-inc/trajan","commit_stats":null,"previous_names":["praetorian-inc/trajan"],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/praetorian-inc/trajan","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/praetorian-inc%2Ftrajan","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/praetorian-inc%2Ftrajan/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/praetorian-inc%2Ftrajan/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/praetorian-inc%2Ftrajan/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/praetorian-inc","download_url":"https://codeload.github.com/praetorian-inc/trajan/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/praetorian-inc%2Ftrajan/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35271852,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-08T02:00:06.796Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["actions-injection","ci-cd-security","cicd-scanner","devsecops","github-actions-security","pipeline-security","sast","security-scanner","supply-chain-security","workflow-security"],"created_at":"2026-06-11T19:00:26.657Z","updated_at":"2026-07-08T16:30:45.532Z","avatar_url":"https://github.com/praetorian-inc.png","language":"Go","funding_links":[],"categories":["Frameworks and best practice references"],"sub_categories":["Supply chain beyond libraries"],"readme":"\u003cimg width=\"1200\" height=\"628\" alt=\"trajan\" src=\"https://github.com/user-attachments/assets/edfc7ab4-ee3a-43d5-8626-710298377ec2\" /\u003e\n\n# Trajan: CI/CD Security Scanner\n\nTrajan scans CI/CD pipelines for security vulnerabilities that attackers use to compromise software supply chains. It supports GitHub Actions, GitLab CI, Azure DevOps, Jenkins, and JFrog.\n\n[![Go Version](https://img.shields.io/badge/Go-1.25+-00ADD8?logo=go)](https://go.dev/)\n[![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](LICENSE)\n\n## What it does\n\nTrajan parses workflow YAML files, builds dependency graphs, runs detection plugins, and validates exploitability through built-in attack capabilities.\n\n- 32 detection plugins across multiple CI/CD platforms\n- 24 attack plugins across multiple CI/CD platforms\n- Graph-based analysis with taint tracking and gate detection\n- Browser-based scanner via WebAssembly (no backend needed)\n- Attack chains for multi-stage sequences with automatic context passing\n\n\u003e [!NOTE]\n\u003e Trajan is under active development. Some features may be incomplete and rough edges are expected. If you run into issues, please [open one](https://github.com/praetorian-inc/trajan/issues).\n\n## Installation\n\nPrebuilt binaries are available on the [releases page](https://github.com/praetorian-inc/trajan/releases).\n\n```sh\ngo install github.com/praetorian-inc/trajan/cmd/trajan@latest\n```\n\nOr build from source:\n\n```sh\ngit clone https://github.com/praetorian-inc/trajan.git\ncd trajan \u0026\u0026 make build\n```\n\n### Requirements\n\n- Go 1.24 or later\n- GitHub Personal Access Token with `repo` scope (for private repositories) or `public_repo` scope (for public repositories only)\n\n## Library SDK (`pkg/lib`)\n\nTrajan can be embedded as a Go library for programmatic CI/CD security scanning. The `pkg/lib` package provides a public SDK that wraps Trajan's internal platform registry, detection engine, and scanner into a single high-level API.\n\n### Quick Start (Library)\n\n```go\nimport \"github.com/praetorian-inc/trajan/pkg/lib\"\n\nresult, err := lib.Scan(ctx, lib.ScanConfig{\n    Platform:    \"github\",\n    Token:       os.Getenv(\"GH_TOKEN\"),\n    Org:         \"myorg\",\n    Repo:        \"myrepo\",\n    Concurrency: 10,\n    Timeout:     5 * time.Minute,\n})\nif err != nil {\n    log.Fatal(err)\n}\n\nfor _, f := range result.Findings {\n    fmt.Printf(\"[%s] %s in %s: %s\\n\", f.Severity, f.Type, f.WorkflowFile, f.Evidence)\n}\n```\n\n### SDK API\n\n| Function | Description |\n|----------|-------------|\n| `lib.Scan(ctx, cfg)` | Full scan: platform init → workflow discovery → detection execution |\n| `lib.GetPlatform(name)` | Get a platform adapter by name (`github`, `gitlab`, `azuredevops`, `bitbucket`, `jenkins`, `jfrog`) |\n| `lib.ListPlatforms()` | List all registered platform names |\n| `lib.GetDetections(platform)` | Get detection plugins for a specific platform |\n| `lib.GetDetectionsForPlatform(platform)` | Get platform-specific + cross-platform detections |\n| `lib.ListDetectionPlatforms()` | List platforms with registered detections |\n\n### ScanConfig\n\n```go\ntype ScanConfig struct {\n    Platform    string        // CI/CD platform (required)\n    Token       string        // API authentication token\n    BaseURL     string        // Custom base URL for self-hosted instances\n    Org         string        // Organization/owner name\n    Repo        string        // Repository name (empty = scan all org repos)\n    Concurrency int           // Parallel detection workers (default: 10)\n    Timeout     time.Duration // Max scan duration (default: 5m)\n    LocalPath   string        // Local filesystem path (file or dir) for offline scan\n}\n```\n\n### ScanResult\n\n```go\ntype ScanResult struct {\n    Findings          []detections.Finding   // Security vulnerabilities detected\n    Workflows         []platforms.Workflow   // CI/CD workflow files discovered\n    Errors            []error                // Non-fatal errors during scanning\n    SkippedDetections []string               // Detection names skipped in LocalPath mode (API-only); always empty in API-mode scans\n}\n```\n\n### Integration Example (Chariot Platform)\n\nThe SDK is used by the [Chariot](https://github.com/praetorian-inc/chariot) attack surface management platform to run CI/CD security scans as a capability:\n\n```go\nimport trajanlib \"github.com/praetorian-inc/trajan/pkg/lib\"\n\nresult, err := trajanlib.Scan(ctx, trajanlib.ScanConfig{\n    Platform: platformName,\n    Token:    token,\n    Org:      repo.Org,\n    Repo:     repo.Name,\n})\n// Convert result.Findings → capmodel.Risk emissions\n```\n\n## Quick usage\n\n```sh\n# Scan a GitHub repo\nexport GH_TOKEN=ghp_your_token\ntrajan github scan --repo owner/repo\n\n# Scan a GitHub org\ntrajan github scan --org myorg --concurrency 20\n\n# Scan GitLab projects\nexport GITLAB_TOKEN=glpat_your_token\ntrajan gitlab scan --group mygroup\n\n# Scan Azure DevOps\nexport AZURE_DEVOPS_PAT=your_pat\ntrajan ado scan --org myorg --repo myproject/myrepo\n\n# Offline scan: scan local workflow files without API access\ntrajan github scan --path ./my-repo\ntrajan github scan --path ./.github/workflows/ci.yml\n\n# JSON output\ntrajan github scan --repo owner/repo -o json \u003e results.json\n```\n\nFor detailed usage, detection explanations, and attack walkthroughs, see the [Wiki](https://github.com/praetorian-inc/trajan/wiki).\n\n## Platform coverage\n\n| Platform | Detections | Attacks | Enumerate |\n|----------|-----------|---------|-----------|\n| GitHub Actions | 11 | 9 | token, repos, secrets |\n| GitLab CI | 8 | 3 | token, projects, groups, secrets, runners, branch-protections |\n| Azure DevOps | 6 | 9 | token, projects, repos, pipelines, connections, agent-pools, users, groups, and more |\n| Jenkins | 7 | 3 | access, jobs, nodes, plugins |\n| JFrog | scan-only | - | - |\n\n## Browser extension\n\nTrajan also compiles to a WebAssembly binary that runs entirely in the browser as a single HTML file. It uses the same detection engine, attack plugins, and enumeration logic as the CLI, just compiled to WASM. The web version of Trajan enables low-friction delivery into target environments as part of an assessment.\n\n```sh\nmake wasm       # build browser/trajan.wasm\nmake wasm-dist  # build self-contained trajan-standalone.html\n```\n\n## Architecture\n\n```mermaid\ngraph TD\n    subgraph CLI\n        CMD[Cobra Commands]\n    end\n\n    subgraph Platforms\n        GH[GitHub]\n        GL[GitLab]\n        ADO[Azure DevOps]\n        JK[Jenkins]\n        JF[JFrog]\n    end\n\n    CMD --\u003e GH \u0026 GL \u0026 ADO \u0026 JK \u0026 JF\n\n    subgraph SF[Scan Flow]\n        API[Platform API] --\u003e |fetch workflows| YAML[Workflow YAML]\n        YAML --\u003e P\n\n        subgraph P[Parser]\n            direction LR\n            GHP[GitHub] ~~~ GLP[GitLab] ~~~ ADP[Azure] ~~~ JKP[Jenkins]\n        end\n\n        P --\u003e NW[Normalized Workflow]\n        NW --\u003e GB[Graph Builder]\n        GB --\u003e Graph[Workflow → Job → Step Graph]\n    end\n\n    subgraph AE[Analysis Engine]\n        direction LR\n        TT[Taint Tracker] --\u003e Tagged[Tagged Graph]\n        Tagged --\u003e DP[Detection Plugins]\n        DP --\u003e GA[Gate Analysis]\n        GA --\u003e Findings\n    end\n\n    subgraph AF[Attack Flow]\n        direction LR\n        AP[Attack Plugins] --\u003e |artifacts| Session[Session Tracker]\n        Session --\u003e Cleanup\n    end\n\n    Graph --\u003e AE\n    AE --\u003e AF\n```\n\n## Roadmap\n\nAdditional CI/CD platform support is in active development:\n\n- Bitbucket Pipelines\n- CircleCI\n- AWS CodePipeline\n- Google Cloud Build\n\n## Contributing\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md) for development guidelines, plugin authoring, and project structure.\n\n## Acknowledgements\n\nBuilt on research from [Gato](https://github.com/praetorian-inc/gato), [Glato](https://github.com/praetorian-inc/glato), [Gato-X](https://github.com/AdnaneKhan/gato-x) by Adnan Khan, and the [GitHub Security Lab](https://securitylab.github.com/research/).\n\n## License\n\nApache 2.0. See [LICENSE](LICENSE).\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpraetorian-inc%2Ftrajan","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpraetorian-inc%2Ftrajan","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpraetorian-inc%2Ftrajan/lists"}