Documentation

Getting started

Install Trojan, run your first scan, and integrate it into your workflow in under a minute.

SAST + DAST6 scanners bundledSingle binary~30s to first scanYour code stays local

Installation

macOS & Linux — recommended

curl -fsSL https://trojancli.com/install.sh | sh

Detects your OS and architecture, downloads the right binary from GitHub Releases, and installs it to /usr/local/bin.

macOS (Homebrew tap)

brew install dev-zeph/trojan/trojan

Go

go install github.com/dev-zeph/trojan/cmd/trojan@latest

Your first scan

Navigate to your project directory and run:

trojan scan

Trojan auto-installs the underlying scanners (Semgrep, Trivy, Gitleaks, Checkov, Syft) on first run if they're not already present. This takes about a minute.

When the scan finishes, a browser tab opens at http://localhost:7878 with the full report. Press Ctrl+C to close.

To also scan your running app for runtime vulnerabilities, see DAST scanning →

DAST scanning

DAST (Dynamic Application Security Testing) scans your running local server for runtime vulnerabilities — things that only show up when the app is actually executing. It fires 6,000+ attack templates from Nuclei against your dev server and opens a separate report.

Start your dev server, then in another terminal:

trojan dast http://localhost:3000

On first run, Trojan downloads Nuclei automatically to ~/.trojan/bin/. The scan takes 3–5 minutes and streams live progress to your terminal. When it finishes, a DAST report opens at http://localhost:7879.

$ trojan dast http://localhost:3000

  ✓ Server is up

  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
  Before we start, a few things to know:

  Is http://localhost:3000 the URL of your localhost instance?
  Testing against URLs you don't own is a crime
  punishable by law.

  Confirm (y/n): y
  ...

  [nuclei] Templates loaded: 6,618
  [nuclei] Scan completed in 3m. 2 matches found.

  2 findings — 1 high  1 medium
  → Report ready at http://localhost:7879

DAST catches things SAST can't — CORS misconfigurations, exposed config files, missing security headers, and vulnerabilities that only exist at runtime. Run both for full coverage.

Commands

trojan scan

Scan the current directory and open the local SAST report.

trojan scan [path]

Scan a specific directory.

trojan scan --pre-commit

Fast scan with no UI — exits non-zero on Critical/High findings. Used by the git hook.

trojan scan --watch

Re-scan on every file save and push live updates to the open report. Pro only.

trojan dast <url>

Scan a running local server for runtime vulnerabilities using 6,000+ Nuclei templates. Opens a separate DAST report.

trojan ci

CI mode — outputs SARIF 2.1.0, exits non-zero on findings above threshold. No browser or UI.

trojan ci --output <file>

Write SARIF output to a file instead of stdout.

trojan ci --severity <level>

Set the exit threshold (default: high). Options: critical, high, medium, low.

trojan hook install

Install a pre-commit git hook that blocks commits with Critical/High findings.

trojan hook uninstall

Remove the Trojan pre-commit hook.

trojan init

Install scanners and set up Trojan for this project.

trojan login

Log in to unlock Pro AI features and MCP integration.

trojan logout

Log out and clear saved credentials.

trojan pro

Check your current plan and subscription status.

trojan mcp install

Auto-configure Claude Code, Cursor, and Codex CLI to use the Trojan MCP server. Requires Pro.

trojan mcp [path]

Start the MCP server over stdio — used internally by editors, not called directly.

trojan update

Check for and install a newer version of Trojan.

trojan version

Print the installed version.

CI integration

trojan ci runs all scanners silently and outputs SARIF 2.1.0 — compatible with GitHub Code Scanning, GitLab Security Dashboard, and any SARIF-aware CI tool.

Example GitHub Actions step:

- name: Trojan security scan
  run: trojan ci --output trojan.sarif
- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: trojan.sarif

Exit code is 1 when findings at or above the threshold are detected (default: high), 0 when clean. Use --severity critical to only fail on critical findings.

Pre-commit hook

Trojan can block commits that introduce Critical or High severity findings. Install the hook from your project root:

trojan hook install

This writes a .git/hooks/pre-commit script that runs trojan scan --pre-commit before each commit — no browser, no UI, just a fast scan. If Critical or High findings are detected, the commit is blocked and the findings are printed to your terminal.

To remove the hook:

trojan hook uninstall

Trojan will not overwrite an existing pre-commit hook that it didn't install. If you already have one, manually add trojan scan --pre-commit to it.

AI features

Pro
AI explanations and fix instructions require a Pro subscription. Upgrade at trojancli.com/pricing →

Pro unlocks AI-generated explanations for every finding — plain-English descriptions of what the vulnerability means for your app and step-by-step fix instructions.

trojan login

This opens a login page in your browser. After subscribing, log in and run trojan scan to see AI explanations in the report.

Free plan users see up to 5 low and medium severity reports. Critical and high findings are visible but locked — upgrade to unlock all findings and AI explanations.

MCP integration

Pro
MCP integration requires a Pro subscription. Upgrade at trojancli.com/pricing →

Trojan exposes your vulnerability findings via the Model Context Protocol, letting AI editors like Claude Code, Cursor, and GitHub Copilot read your scan results and fix vulnerabilities for you — without leaving your editor.

trojan mcp install

This auto-detects and configures Claude Code, Cursor, and Codex CLI. Then run a scan and ask your AI:

"Create a plan to fix all the High to Critical vulnerabilities found by Trojan and execute."

Ready to unlock everything?

Full reports, AI explanations, and MCP integration from $8.25/month.

View pricing →