TL;DR: Trajan is an open-source CI/CD security tool from Praetorian that unifies vulnerability detection and attack validation across GitHub Actions, GitLab CI, Azure DevOps, and Jenkins in a single cross-platform engine. It ships with 32 detection plugins and 24 attack plugins covering poisoned pipeline execution, secrets exposure, self-hosted runner risks, and AI/LLM pipeline vulnerabilities. It replaces the need for separate tools like Gato and Glato, and even compiles to WebAssembly for in-browser use. Get it at github.com/praetorian-inc/trajan.
Over the past several years, vulnerable CI/CD pipelines have become the access vector of choice for Praetorian’s red team. We released Gato back in 2023 to help others prevent the kind of CI/CD vulnerabilities we’d been exploiting.
Trajan is an open-source, cross-platform CI/CD vulnerability detection and attack automation tool. It builds on our Gato and Glato frameworks for GitHub Actions and GitLab CI security, but with a platform-first architecture designed for multi-platform enterprise environments. Trajan currently supports GitHub Actions, GitLab CI, Azure DevOps, and Jenkins, with additional platforms actively in development. As software supply chains continue to become the primary target for attackers, and organizations embed increasingly complex logic, including AI agents, into their build pipelines, CI/CD continues to be a high-value attack surface. Trajan addresses this with a cross-platform analysis engine that enumerates access, parses workflow files, builds dependency graphs, runs detection plugins, and validates exploitability through built-in attack capabilities.
The Multi-Platform CI/CD Security Problem
We regularly encounter enterprise environments running multiple CI/CD platforms during security assessments. A typical Fortune 500 client might have GitHub Actions for their open-source projects and public-facing services, Azure DevOps for Azure-native pipeline operations and internal service deployments, and GitLab for containerized workloads. We’ve also seen Jenkins instances that are 8+ years old running alongside newer GitHub Actions deployments. This fragmentation happens through acquisitions, organic growth, compliance requirements, or simply different teams choosing different tools over the years.
When we released Gato and Glato, they solved GitHub Actions and GitLab CI security. But we kept running into environments that also had Azure DevOps, Jenkins, and other platforms. Assessing mixed environments meant using different tools for each platform and for platforms we didn’t have tools for yet, reviews were manual. It worked, but it didn’t scale. The underlying issue was architectural: each tool was platform-specific, and supporting more platforms meant building more separate tools.
So we decided to rebuild from scratch. Trajan uses a platform-first architecture where each platform has dedicated enumeration modules, detection plugins that understand its security model, and attack modules that can prove exploitability. The result is one tool that works consistently across the platforms enterprises actually use.
What Trajan Looks For
Traditional CI/CD Vulnerabilities
Trajan ships with 32 detection plugins and 24 attack plugins across four platforms:
- GitHub Actions
- GitLab CI
- Azure DevOps
- Jenkins
Poisoned Pipeline Execution – The most common critical finding in CI/CD assessments is a pipeline that runs attacker-controlled code. This takes several forms. Expression injection interpolates user input (a PR title, issue body, commit message) directly into a shell command. Unsafe checkout triggers like `pull_request_target` run fork code with the base repository’s secrets. Unpinned dependencies follow mutable tags that can be silently replaced. The mechanism varies by platform, but the result is the same: arbitrary code execution inside the build environment. Trajan detects these variants across supported platforms. It builds a workflow graph, traces user-controllable sources into execution sinks, and reports the specific nodes that create the path.
Secrets Exposure – Secrets leak from pipelines through both script behavior and access control failures. Scripts echo variables to build logs, tokens appear in URL parameters, and commands dump credentials where anyone with log access can read them. CI/CD platforms mask secrets in output but can’t intercept every path. The more systemic risks are structural: service connections scoped too broadly, secrets available on untrusted triggers, and variable groups shared across projects create credential exposure that no single workflow file reveals. Trajan maps these cross-workflow resource relationships to surface overpermissioned secrets, exposed tokens, and hijackable service connections. And an upcoming integration with Titus, our secrets scanner, will extend this to credential detection in build logs and workflow artifacts.
Self-Hosted Runners: Non ephemeral self-hosted runners and agents persist between jobs, accumulate filesystem state, have network access to internal systems, and often retain service account credentials from earlier runs. When a vulnerable workflow runs on self-hosted infrastructure, the blast radius can quickly expand. Trajan identifies jobs running on self-hosted runners across supported platforms, flagging which pipelines can reach internal systems if compromised and provides command execution capabilities for establishing persistence.
Beyond these categories, Trajan also detects supply chain risks like artifact poisoning, cache poisoning, and TOCTOU race conditions in dispatched workflows. It flags access control issues, environment protection bypasses, and platform-specific misconfigurations.
AI/LLM Vulnerabilities
Alongside traditional risks, we’re now seeing AI agents deployed into CI/CD pipelines at scale. GitHub Copilot reviews pull requests. CodeRabbit suggests code changes. Custom model workflows analyze commits for security issues. These AI actions can be misconfigured to receive untrusted input from pull requests and have access to repository secrets. This is the new attack surface.
The danger isn’t the AI review itself, it’s what happens when these workflows process attacker-controlled text. If the AI action has access to secrets, a malicious PR comment can get the model’s output to leak credentials. Trajan detects these conditions through dedicated plugins covering token exfiltration, code injection, workflow sabotage, and MCP abuse.
But detection is only half the problem. Validation requires knowing which AI services are actually deployed and whether they’re exploitable. Trajan integrates Julius, our LLM service fingerprinting tool, which probes endpoints extracted from workflow YAML files to identify providers across 30+ supported services. From there, Trajan hands off to Augustus, our LLM vulnerability scanner, which tests exploitability using 210+ adversarial prompt injection payloads across six attack categories: instruction override, role confusion, filter bypass, data extraction, jailbreak, and prompt hijack.
Organizations embedding AI into their build pipelines need to treat these workflows as privileged code execution surfaces, not helpful automation. Trajan detects six AI-specific vulnerability classes, identifies deployed AI services with Julius, and validates exploitability with Augustus across the full attack surface.
Three Modules: Enumerate, Scan, Attack
Enumerate maps your access and attack surface before anything else. The `enumerate token` command validates credentials, identifies the authenticated user, and reports what permissions the token actually has. From there, subcommands discover repositories, secrets, runners, build agents, service connections, and other platform-specific infrastructure. The goal is to answer two questions before you scan or attack: what can this token access, and where are the high-value targets?
> trajan ado enumerate variable-groups --org Middle-Earth-Arda --project LothlorienID NAME TYPE VARIABLES6 lothlorien-db-creds Vsts 65 lothlorien-cloud-creds Vsts 54 lothlorien-app-config Vsts 6Total: 3 variable groups Scan runs detection plugins against pipeline configurations. Trajan fetches workflow files via platform APIs, parses them into a graph, and runs registered detectors against that graph. Similar vulnerability classes (script injection, secret exposure, unpinned dependencies, self-hosted runner risks, AI/LLM abuse) appear across every platform, just with different syntax. Trajan handles the translation.
> trajan ado scan --org Middle-Earth-Arda --repo Lothlorien/Galadriel_repo --detailed --capabilities secrets-exposureFound 1 repositories, 1 workflowsRunning 6 detectors...Analysis complete: 1 finding━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━Repository: Lothlorien/Galadriel_repo (3 findings)━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[HIGH]Finding: unredacted_secretsWorkflow: unredacted_secrets.ymlLocation: Line 20, Step: Debug Cloud CredentialsDescription:Echo command with variable expansion: echo "Debug:AWS_SECRET_ACCESS_KEY=$(AWS_SECRET_ACCESS_KEY)" echo "Debug:AZURE_CLIENT_SECRET=$(AZURE_CLIENT_SECRET)"Code Context:───────────────────────────────────────────18 steps:19 - script: |20 → echo "Debug: AWS_SECRET_ACCESS_KEY=$(AWS_SECRET_ACCESS_KEY)"21 echo "Debug: AZURE_CLIENT_SECRET=$(AZURE_CLIENT_SECRET)"22 displayName: 'Debug Cloud Credentials'─────────────────────────────────────────── Attack validates that detected vulnerabilities are actually exploitable. Every attack plugin requires explicit opt-in, tracks all created artifacts in a session file, and supports cleanup after the engagement for opsec. Attack capabilities include secrets exfiltration, command execution on build agents and runners, persistence mechanisms on runners, and AI prompt injection testing.
> trajan ado attack --org Middle-Earth-Arda --repo Lothlorien/Galadriel_repo --plugin secrets-dump --confirm
=== Attack Results (Session: 07b00b13) ===
[SUCCESS] ado-secrets-dump
Message: Secrets dump successful.
Secrets written to: ado-secrets-07b00b13.txt
Summary: 146 environment variables, 3 variable groups (15 secrets)
Artifacts:
- branch: trajan-secrets-07b00b13
- workflow: pipeline:141
To cleanup: trajan ado attack cleanup --session 07b00b13
Browser-Based CI/CD Security with WebAssembly
Trajan also compiles to a WebAssembly binary that runs entirely in the browser as a single HTML file. It uses the same detection engine, attack plugins, and enumeration logic as the CLI, just compiled to WASM. The web version of Trajan enables low-friction delivery into target environments as part of an assessment.
Get Started with Trajan
Trajan is available now at https://github.com/praetorian-inc/trajan. Prebuilt binaries for Linux, macOS, and Windows are on the releases page.
Support for additional CI/CD platforms is in active development: Bitbucket Pipelines, CircleCI, AWS CodePipeline, and Google Cloud Build. If you find bugs, want to contribute detection or attack plugins, or have feature requests, open an issue. We’re actively developing Trajan and want to hear how you’re using it.
Frequently Asked Questions
What is Trajan?
Trajan is an open-source CI/CD security tool developed by Praetorian. It automates vulnerability detection and attack validation across GitHub Actions, GitLab CI, Azure DevOps, and Jenkins from a single unified platform. Trajan ships with 32 detection plugins and 24 attack plugins, covering traditional pipeline risks like poisoned pipeline execution and secrets exposure, as well as emerging AI/LLM pipeline vulnerabilities.
What CI/CD platforms does Trajan support?
Trajan currently supports GitHub Actions, GitLab CI, Azure DevOps, and Jenkins. Support for Bitbucket Pipelines, CircleCI, AWS CodePipeline, and Google Cloud Build is in active development.
How is Trajan different from Gato and Glato?
Gato and Glato were platform-specific tools for GitHub Actions and GitLab CI, respectively. Trajan replaces both with a unified, cross-platform architecture that uses a single detection and attack engine across all supported CI/CD platforms.
Can Trajan detect AI and LLM vulnerabilities in CI/CD pipelines?
Yes. Trajan includes dedicated detection plugins for AI/LLM risks such as token exfiltration, code injection, workflow sabotage, and MCP abuse. It integrates with Julius for AI service fingerprinting and Augustus for adversarial prompt injection testing across 210+ payloads.
Is Trajan open source?
Yes. Trajan is fully open source and available at github.com/praetorian-inc/trajan with prebuilt binaries for Linux, macOS, and Windows.
How does Trajan compare to other CI/CD security tools?
Most CI/CD security tools focus on a single platform. Praetorian’s earlier tools, Gato and Glato, covered GitHub Actions and GitLab CI individually. Trajan replaces both with a single cross-platform engine that also adds Azure DevOps and Jenkins support. Beyond static detection, Trajan validates exploitability through built-in attack modules and includes dedicated AI/LLM pipeline security checks that most CI/CD scanners lack.
What types of CI/CD vulnerabilities does Trajan detect?
Trajan detects poisoned pipeline execution (expression injection, unsafe checkouts, unpinned dependencies), secrets exposure, self-hosted runner risks, supply chain attacks (artifact and cache poisoning, TOCTOU race conditions), access control misconfigurations, environment protection bypasses, and AI/LLM-specific vulnerability classes.
Can Trajan run in the browser?
Yes. Trajan compiles to a WebAssembly binary that runs entirely in the browser as a single HTML file, using the same detection engine, attack plugins, and enumeration logic as the CLI.
