Local-first · Single binary · AI-powered
Trojan scans your codebase for security issues and opens a local report with plain-English explanations. One command. Your code never leaves your machine.
$ trojan scan
Scanning your project...
✓ Static analysis (847 files, 12 findings)
✓ Dependencies (247 packages, 3 vulnerabilities)
✓ Secrets (full git history scanned, 1 leak)
✓ Infrastructure (3 config files, 2 misconfigs)
✓ SBOM generated (saved to .trojan/sbom.json)
18 total findings — 2 critical 4 high 7 medium 5 low
→ Report ready at http://localhost:7878
→ Press Ctrl+C to close
Why Trojan
Your code stays local.
Snyk, Aikido, and Sonar upload your code to the cloud. Trojan runs entirely on your machine. Nothing leaves. Ever.
Built for developers, not security teams.
No CWE classifications. No CVSS scores. Plain-English explanations of what's wrong, why it matters, and how to fix it.
Scans as you build.
Run "trojan scan --watch". Every time you save a file, Trojan re-scans in the background and the report updates itself, the same way "npm run dev" rebuilds your app as you write code. Fix one issue, save, and watch it disappear from the list. Work through the list until every finding is addressed.
Automated security before every commit.
Install the pre-commit hook and Trojan scans for Critical and High findings before every commit, blocking the change before it enters your history. A local hook can be skipped with "git commit --no-verify", so treat it as fast feedback for developers rather than an enforced control.
One command, five scanners.
Semgrep, Trivy, Gitleaks, Checkov, and Syft — all running in parallel, all normalized into one report.
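What "normalized into one report" and a Critical/High pre-commit gate look like in practice, as an added example that is not Trojan's own code: the script below parses the JSON that three of the wrapped scanners (Semgrep, Trivy, Gitleaks) emit, maps each tool's own severity scale onto one shared scale, merges the results into a single sorted list, and decides whether a commit should be blocked. The three scanner outputs are constructed by hand for this example; the field names follow each tool's real JSON format, but the file names, rule IDs, CVE numbers and the placeholder secret are made up.

```python
"""Added example, not Trojan's own code: normalize Semgrep, Trivy and Gitleaks
JSON into one finding schema, parse the outputs concurrently, and apply the
Critical/High gate a pre-commit hook would use. All sample scanner output
below is constructed; identifiers and the placeholder secret are made up.
"""
from __future__ import annotations

import json
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass

# Common severity scale shared by all scanners, highest first.
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    scanner: str
    severity: str   # one of SEVERITY_ORDER
    rule: str
    location: str   # path:line, or package@version
    message: str

# Constructed sample of `semgrep --json` output (severity is ERROR/WARNING/INFO).
SEMGREP_JSON = json.dumps({"results": [
    {"check_id": "python.lang.security.audit.sqli.string-format-sqli",
     "path": "app/db.py", "start": {"line": 42},
     "extra": {"severity": "ERROR", "message": "SQL query built with string formatting"}},
    {"check_id": "python.lang.security.insecure-hash.md5",
     "path": "app/auth.py", "start": {"line": 17},
     "extra": {"severity": "WARNING", "message": "MD5 used for password hashing"}},
], "errors": []})

# Constructed sample of `trivy fs --format json` output for a lockfile.
TRIVY_JSON = json.dumps({"Results": [{"Target": "package-lock.json", "Type": "npm",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example-lib",
         "InstalledVersion": "1.2.3", "FixedVersion": "1.2.4",
         "Severity": "CRITICAL", "Title": "Prototype pollution in example-lib"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "other-lib",
         "InstalledVersion": "0.9.0", "FixedVersion": "",
         "Severity": "LOW", "Title": "Regular expression denial of service"},
    ]}]})

# Constructed sample of `gitleaks --report-format json` output (a JSON array).
GITLEAKS_JSON = json.dumps([
    {"RuleID": "generic-api-key", "Description": "Generic API Key",
     "File": "config/settings.py", "StartLine": 8, "Commit": "0123abcd",
     "Secret": "PLACEHOLDER-NOT-A-REAL-SECRET"},
])


def from_semgrep(raw: str) -> list[Finding]:
    level = {"ERROR": "high", "WARNING": "medium", "INFO": "low"}
    return [Finding("semgrep", level.get(r["extra"]["severity"], "low"), r["check_id"],
                    f'{r["path"]}:{r["start"]["line"]}', r["extra"]["message"])
            for r in json.loads(raw)["results"]]


def from_trivy(raw: str) -> list[Finding]:
    out = []
    for result in json.loads(raw).get("Results", []):
        for v in result.get("Vulnerabilities") or []:   # key is absent when clean
            sev = v.get("Severity", "").lower()
            fix = f' (fixed in {v["FixedVersion"]})' if v.get("FixedVersion") else " (no fix yet)"
            out.append(Finding("trivy", sev if sev in SEVERITY_ORDER else "low",
                               v["VulnerabilityID"], f'{v["PkgName"]}@{v["InstalledVersion"]}',
                               v["Title"] + fix))
    return out


def from_gitleaks(raw: str) -> list[Finding]:
    # Any committed credential is treated as critical. The secret value itself is
    # deliberately not copied into the report, which gets viewed and shared widely.
    return [Finding("gitleaks", "critical", f["RuleID"],
                    f'{f["File"]}:{f["StartLine"]} (commit {f["Commit"]})',
                    f'{f["Description"]} found in git history')
            for f in json.loads(raw)]


def run_all() -> list[Finding]:
    # Each scanner's output is parsed in its own thread; a real runner would feed
    # each parser from its scanner's subprocess instead of a constant.
    jobs = [(from_semgrep, SEMGREP_JSON), (from_trivy, TRIVY_JSON), (from_gitleaks, GITLEAKS_JSON)]
    with ThreadPoolExecutor(max_workers=len(jobs)) as pool:
        batches = list(pool.map(lambda job: job[0](job[1]), jobs))
    findings = [f for batch in batches for f in batch]
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.scanner, f.location))


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts = {s: 0 for s in SEVERITY_ORDER}
    for f in findings:
        counts[f.severity] += 1
    return counts


def blocks_commit(findings: list[Finding], threshold: str = "high") -> bool:
    # Pre-commit gate: fail when any finding is at or above the threshold severity.
    return any(SEVERITY_ORDER[f.severity] <= SEVERITY_ORDER[threshold] for f in findings)


if __name__ == "__main__":
    found = run_all()
    print(json.dumps(summarize(found)), *(f"{f.severity:8} {f.scanner:8} {f.location}" for f in found), sep="\n")
    raise SystemExit(1 if blocks_commit(found) else 0)
```

Two design choices are worth noting. Each scanner has its own severity vocabulary (Semgrep's ERROR/WARNING/INFO, Trivy's CVSS-derived levels, Gitleaks none at all), so the mapping into one scale is a policy decision and is kept in one place. And the normalizer never copies the matched secret into the merged report, since that report is exactly the artifact that gets opened in a browser, attached to tickets and handed to an AI assistant.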
MCP integration.
Connect Claude, Cursor, Copilot, or any MCP-compatible AI to read your findings and fix vulnerabilities without leaving your editor.
What gets scanned
SQL injection, XSS, insecure crypto, path traversal — caught before you ship.
Known CVEs in your npm, pip, go.mod, maven dependencies.
API keys, tokens, and passwords in current code and full git history.
Terraform, Kubernetes, Dockerfile, and CloudFormation misconfigurations.
Full software bill of materials and license compliance inventory.
MCP Integration
Connect your AI tools to seamlessly fix vulnerabilities for you.
Trojan exposes your findings via the Model Context Protocol. Connect Claude, Cursor, Copilot, or any MCP-compatible AI and let it read your scan results, suggest fixes, and mark issues resolved — without leaving your editor.
Works with
Connect in one line
trojan mcp install
Then try asking your AI
"Create a plan to fix all the High to Critical vulnerabilities found by Trojan and execute."
Built with modern open-source technology
Security & privacy
Our commitment to your security and privacy
Signed releases
Every Trojan binary is GPG-signed and attested via SLSA provenance. You can cryptographically verify that what you installed was built from our source code and has not been tampered with.
Your code never leaves your machine
Trojan runs entirely on your local machine. Scan results are written to ~/.trojan/ and never transmitted to our servers. No telemetry, no phone-home, no cloud processing of your codebase.
Pinned, verified scanner versions
Every scanner Trojan ships with is pinned to a specific version we have tested and verified. Scanners are downloaded directly to ~/.trojan/bin/ with SHA256 checksum verification — never pulled from Homebrew or pip where versions can change without warning. Scanner versions only update when we ship a new Trojan release.
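The pinning-plus-checksum pattern described above, written out as an added example rather than Trojan's own installer. The expected digest is embedded in the script (that is, it ships with the release) instead of being fetched from the same place as the binary, and on a mismatch the download is deleted rather than left on disk. Tool names, paths and the checksum are placeholders for the example.

```sh
#!/bin/sh
# Added example (not Trojan's own installer): install a pinned scanner build only
# if its SHA-256 matches a checksum recorded in this script. A checksum fetched
# from the same server as the binary would prove nothing about tampering there.
set -eu

# Print the SHA-256 of a file with whichever tool the platform provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Succeed only if the file's digest equals the expected (pinned) one.
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Move a downloaded artifact into the bin directory only after verification.
# On mismatch, remove the download so a tampered file never lingers on disk.
install_pinned() {
    download="$1"; expected="$2"; dest_dir="$3"; name="$4"
    if ! verify_sha256 "$download" "$expected"; then
        echo "checksum mismatch for $name: refusing to install" >&2
        rm -f "$download"
        return 1
    fi
    mkdir -p "$dest_dir"
    cp "$download" "$dest_dir/$name"
    chmod 0755 "$dest_dir/$name"
}

# Placeholder pin: in a real installer this is the digest of the exact scanner
# release that was tested, recorded here at release time.
EXAMPLE_PIN=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
```

Usage in a real installer would be along the lines of: download the archive for the pinned version to a temporary path, then call install_pinned with that path, the pinned digest, the destination directory and the tool name, and abort the whole install if it returns non-zero.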
Read-only scanners
The open-source tools Trojan wraps (Semgrep, Trivy, Gitleaks, Checkov, and Syft) are run in analysis-only mode: they read your code and emit findings, and never rewrite source files. This is a property of how the tools are invoked rather than a sandbox. A tampered scanner binary would still execute with your user's permissions, which is why the pinned, checksum-verified downloads above are what protect you against an upstream compromise.
AI features are opt-in only
The AI explanation feature only activates when you explicitly click Explain. It sends a short finding summary — never raw source code — to the AI provider. You can use every scanner in Trojan without ever touching the AI features.
What developers say
“Finally a security tool that doesn't make me feel like an idiot. The plain-English explanations are genuinely useful — I fixed three issues in 20 minutes that had been sitting in our backlog for months.”
Marcus T.
Founding Engineer · Fintech startup
“We're in healthtech. Code never leaves our machine is not a nice-to-have — it's a hard requirement. Trojan is the only scanner that fits that constraint without sacrificing coverage.”
Priya S.
CTO · Digital health co.
“I was skeptical about another security wrapper. But the fact that it runs Semgrep, Trivy, and Gitleaks in one command and normalizes the output is genuinely a time saver. My pre-commit hook now blocks bad secrets from ever reaching GitHub.”
Daniel R.
Senior Developer · Agency
“The local web UI is what sold me. Not another wall of terminal output — an actual report I can walk a non-technical founder through. That alone is worth it.”
Sophie L.
Lead Engineer · SaaS co.
Start scanning in 30 seconds.
Free tier includes all five scanners, the local web UI, and pre-commit hooks. No account required.