https://github.com/praetorian-inc/trajan
A multi-platform CI/CD vulnerability detection and attack automation tool for identifying security weaknesses in pipeline configurations.
https://github.com/praetorian-inc/trajan
actions-injection ci-cd-security cicd-scanner devsecops github-actions-security pipeline-security sast security-scanner supply-chain-security workflow-security
Last synced: 8 days ago
JSON representation
A multi-platform CI/CD vulnerability detection and attack automation tool for identifying security weaknesses in pipeline configurations.
- Host: GitHub
- URL: https://github.com/praetorian-inc/trajan
- Owner: praetorian-inc
- License: apache-2.0
- Created: 2026-03-06T03:17:33.000Z (4 months ago)
- Default Branch: main
- Last Pushed: 2026-07-07T10:43:52.000Z (10 days ago)
- Last Synced: 2026-07-07T12:19:24.614Z (10 days ago)
- Topics: actions-injection, ci-cd-security, cicd-scanner, devsecops, github-actions-security, pipeline-security, sast, security-scanner, supply-chain-security, workflow-security
- Language: Go
- Homepage:
- Size: 1.39 MB
- Stars: 164
- Watchers: 1
- Forks: 11
- Open Issues: 15
-
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Citation: CITATION.cff
- Security: SECURITY.md
Awesome Lists containing this project
- awesome-software-supply-chain-security - praetorian-inc/trajan: Multi-platform CI/CD security scanner for detecting pipeline configuration weaknesses across GitHub Actions, GitLab CI, Azure DevOps, Jenkins, and JFrog
README

# Trajan: CI/CD Security Scanner
Trajan scans CI/CD pipelines for security vulnerabilities that attackers use to compromise software supply chains. It supports GitHub Actions, GitLab CI, Azure DevOps, Jenkins, and JFrog.
[](https://go.dev/)
[](LICENSE)
## What it does
Trajan parses workflow YAML files, builds dependency graphs, runs detection plugins, and validates exploitability through built-in attack capabilities.
- 32 detection plugins across multiple CI/CD platforms
- 24 attack plugins across multiple CI/CD platforms
- Graph-based analysis with taint tracking and gate detection
- Browser-based scanner via WebAssembly (no backend needed)
- Attack chains for multi-stage sequences with automatic context passing
> [!NOTE]
> Trajan is under active development. Some features may be incomplete and rough edges are expected. If you run into issues, please [open one](https://github.com/praetorian-inc/trajan/issues).
## Installation
Prebuilt binaries are available on the [releases page](https://github.com/praetorian-inc/trajan/releases).
```sh
go install github.com/praetorian-inc/trajan/cmd/trajan@latest
```
Or build from source:
```sh
git clone https://github.com/praetorian-inc/trajan.git
cd trajan && make build
```
### Requirements
- Go 1.24 or later
- GitHub Personal Access Token with `repo` scope (for private repositories) or `public_repo` scope (for public repositories only)
## Library SDK (`pkg/lib`)
Trajan can be embedded as a Go library for programmatic CI/CD security scanning. The `pkg/lib` package provides a public SDK that wraps Trajan's internal platform registry, detection engine, and scanner into a single high-level API.
### Quick Start (Library)
```go
import "github.com/praetorian-inc/trajan/pkg/lib"
result, err := lib.Scan(ctx, lib.ScanConfig{
Platform: "github",
Token: os.Getenv("GH_TOKEN"),
Org: "myorg",
Repo: "myrepo",
Concurrency: 10,
Timeout: 5 * time.Minute,
})
if err != nil {
log.Fatal(err)
}
for _, f := range result.Findings {
fmt.Printf("[%s] %s in %s: %s\n", f.Severity, f.Type, f.WorkflowFile, f.Evidence)
}
```
### SDK API
| Function | Description |
|----------|-------------|
| `lib.Scan(ctx, cfg)` | Full scan: platform init → workflow discovery → detection execution |
| `lib.GetPlatform(name)` | Get a platform adapter by name (`github`, `gitlab`, `azuredevops`, `bitbucket`, `jenkins`, `jfrog`) |
| `lib.ListPlatforms()` | List all registered platform names |
| `lib.GetDetections(platform)` | Get detection plugins for a specific platform |
| `lib.GetDetectionsForPlatform(platform)` | Get platform-specific + cross-platform detections |
| `lib.ListDetectionPlatforms()` | List platforms with registered detections |
### ScanConfig
```go
type ScanConfig struct {
Platform string // CI/CD platform (required)
Token string // API authentication token
BaseURL string // Custom base URL for self-hosted instances
Org string // Organization/owner name
Repo string // Repository name (empty = scan all org repos)
Concurrency int // Parallel detection workers (default: 10)
Timeout time.Duration // Max scan duration (default: 5m)
LocalPath string // Local filesystem path (file or dir) for offline scan
}
```
### ScanResult
```go
type ScanResult struct {
Findings []detections.Finding // Security vulnerabilities detected
Workflows []platforms.Workflow // CI/CD workflow files discovered
Errors []error // Non-fatal errors during scanning
SkippedDetections []string // Detection names skipped in LocalPath mode (API-only); always empty in API-mode scans
}
```
### Integration Example (Chariot Platform)
The SDK is used by the [Chariot](https://github.com/praetorian-inc/chariot) attack surface management platform to run CI/CD security scans as a capability:
```go
import trajanlib "github.com/praetorian-inc/trajan/pkg/lib"
result, err := trajanlib.Scan(ctx, trajanlib.ScanConfig{
Platform: platformName,
Token: token,
Org: repo.Org,
Repo: repo.Name,
})
// Convert result.Findings → capmodel.Risk emissions
```
## Quick usage
```sh
# Scan a GitHub repo
export GH_TOKEN=ghp_your_token
trajan github scan --repo owner/repo
# Scan a GitHub org
trajan github scan --org myorg --concurrency 20
# Scan GitLab projects
export GITLAB_TOKEN=glpat_your_token
trajan gitlab scan --group mygroup
# Scan Azure DevOps
export AZURE_DEVOPS_PAT=your_pat
trajan ado scan --org myorg --repo myproject/myrepo
# Offline scan: scan local workflow files without API access
trajan github scan --path ./my-repo
trajan github scan --path ./.github/workflows/ci.yml
# JSON output
trajan github scan --repo owner/repo -o json > results.json
```
For detailed usage, detection explanations, and attack walkthroughs, see the [Wiki](https://github.com/praetorian-inc/trajan/wiki).
## Platform coverage
| Platform | Detections | Attacks | Enumerate |
|----------|-----------|---------|-----------|
| GitHub Actions | 11 | 9 | token, repos, secrets |
| GitLab CI | 8 | 3 | token, projects, groups, secrets, runners, branch-protections |
| Azure DevOps | 6 | 9 | token, projects, repos, pipelines, connections, agent-pools, users, groups, and more |
| Jenkins | 7 | 3 | access, jobs, nodes, plugins |
| JFrog | scan-only | - | - |
## Browser extension
Trajan also compiles to a WebAssembly binary that runs entirely in the browser as a single HTML file. It uses the same detection engine, attack plugins, and enumeration logic as the CLI, just compiled to WASM. The web version of Trajan enables low-friction delivery into target environments as part of an assessment.
```sh
make wasm # build browser/trajan.wasm
make wasm-dist # build self-contained trajan-standalone.html
```
## Architecture
```mermaid
graph TD
subgraph CLI
CMD[Cobra Commands]
end
subgraph Platforms
GH[GitHub]
GL[GitLab]
ADO[Azure DevOps]
JK[Jenkins]
JF[JFrog]
end
CMD --> GH & GL & ADO & JK & JF
subgraph SF[Scan Flow]
API[Platform API] --> |fetch workflows| YAML[Workflow YAML]
YAML --> P
subgraph P[Parser]
direction LR
GHP[GitHub] ~~~ GLP[GitLab] ~~~ ADP[Azure] ~~~ JKP[Jenkins]
end
P --> NW[Normalized Workflow]
NW --> GB[Graph Builder]
GB --> Graph[Workflow → Job → Step Graph]
end
subgraph AE[Analysis Engine]
direction LR
TT[Taint Tracker] --> Tagged[Tagged Graph]
Tagged --> DP[Detection Plugins]
DP --> GA[Gate Analysis]
GA --> Findings
end
subgraph AF[Attack Flow]
direction LR
AP[Attack Plugins] --> |artifacts| Session[Session Tracker]
Session --> Cleanup
end
Graph --> AE
AE --> AF
```
## Roadmap
Additional CI/CD platform support is in active development:
- Bitbucket Pipelines
- CircleCI
- AWS CodePipeline
- Google Cloud Build
## Contributing
See [CONTRIBUTING.md](CONTRIBUTING.md) for development guidelines, plugin authoring, and project structure.
## Acknowledgements
Built on research from [Gato](https://github.com/praetorian-inc/gato), [Glato](https://github.com/praetorian-inc/glato), [Gato-X](https://github.com/AdnaneKhan/gato-x) by Adnan Khan, and the [GitHub Security Lab](https://securitylab.github.com/research/).
## License
Apache 2.0. See [LICENSE](LICENSE).