Open source security scanner
Aggregation of AI powered SAST + DAST tools to easily find vulnerabilities in your codebase.
Yes, we know what “trojan” usually insinuates. We mean: your codebase is the real trojan, and we find what’s hiding inside before you ship to production.
Why Trojan
Why we are for you
Your code never leaves your machine.
No code is shared with us
Trojan runs every scanner locally. Your source code, secrets, and infrastructure configs are never uploaded to any server — not ours, not anyone else's.
We collect zero data
No telemetry. No analytics on your scan results. No phone-home requests. Trojan has no idea what you're scanning — and that's intentional.
Results stay on your machine
Scan output is written to ~/.trojan/ on your local filesystem. Nothing is persisted to a cloud database or shared with third parties.
We only help you find vulnerabilities
Our job is to point out what's wrong in your code. We don't fix it for you, we don't report it anywhere — we just surface it clearly so you can act on it.
See it in action
Security at your fingertips.


What gets scanned
Runtime vulnerability scanning against your live local server — CORS issues, exposed secrets, misconfigurations, and 6,000+ attack patterns.
SQL injection, XSS, insecure crypto, path traversal — caught before you ship.
Known CVEs in your npm, pip, go.mod, maven dependencies.
API keys, tokens, and passwords in current code and full git history.
Terraform, Kubernetes, Dockerfile, and CloudFormation misconfigurations.
Full software bill of materials and license compliance inventory.
MCP Integration
Connect your AI tools to fix vulnerabilities for you.
Trojan exposes your findings via the Model Context Protocol. Connect any MCP-compatible AI and let it read your scan results, suggest fixes, and mark issues resolved — without leaving your editor.
trojan mcp installWorks with
“Fix all the Critical and High vulnerabilities Trojan found.”
Built with modern open-source technology
Security & privacy
Our commitment to your security and privacy
Signed releases
Every Trojan binary is GPG-signed and attested via SLSA provenance. You can cryptographically verify that what you installed was built from our source code and has not been tampered with.
View security policy →Your code never leaves your machine
Trojan runs entirely on your local machine. Scan results are written to ~/.trojan/ and never transmitted to our servers. No telemetry, no phone-home, no cloud processing of your codebase.
Pinned, verified scanner versions
Every scanner Trojan ships with is pinned to a specific version we have tested and verified. Scanners are downloaded directly to ~/.trojan/bin/ with SHA256 checksum verification — never pulled from Homebrew or pip where versions can change without warning. Scanner versions only update when we ship a new Trojan release.
Read-only scanners
The open-source tools Trojan wraps — Semgrep, Trivy, Gitleaks, Checkov, and Syft — analyze code. They never write to it. Even in a worst-case upstream compromise, these tools cannot inject code into your project.
AI features are opt-in only
The AI explanation feature only activates when you explicitly click Explain. It sends a short finding summary — never raw source code — to the AI provider. You can use every scanner in Trojan without ever touching the AI features.
Start scanning in 30 seconds.
Free tier includes all six scanners (SAST + DAST), the local web UI, and pre-commit hooks. No account required.