TL;DR: Trajan is an open-source CI/CD security tool from Praetorian that unifies vulnerability detection and attack validation across GitHub Actions, GitLab CI, Azure DevOps, and Jenkins in a single cross-platform engine. It ships with 32 detection plugins and 24 attack plugins covering poisoned pipeline execution, secrets exposure, self-hosted runner risks, and AI/LLM pipeline vulnerabilities. It replaces the need for separate tools like Gato and Glato, and even compiles to WebAssembly for in-browser use. Get it at github.com/praetorian-inc/trajan.

Over the past several years, vulnerable CI/CD pipelines have become the access vector of choice for Praetorian’s red team. We released Gato back in 2023 to help others prevent the kind of CI/CD vulnerabilities we’d been exploiting.

Trajan is an open-source, cross-platform CI/CD vulnerability detection and attack automation tool. It builds on our Gato and Glato frameworks for GitHub Actions and GitLab CI security, but with a platform-first architecture designed for multi-platform enterprise environments. Trajan currently supports GitHub Actions, GitLab CI, Azure DevOps, and Jenkins, with additional platforms actively in development. As software supply chains continue to become the primary target for attackers, and organizations embed increasingly complex logic, including AI agents, into their build pipelines, CI/CD continues to be a high-value attack surface. Trajan addresses this with a cross-platform analysis engine that enumerates access, parses workflow files, builds dependency graphs, runs detection plugins, and validates exploitability through built-in attack capabilities.

We regularly encounter enterprise environments running multiple CI/CD platforms during security assessments. A typical Fortune 500 client might have GitHub Actions for their open-source projects and public-facing services, Azure DevOps for Azure-native pipeline operations and internal service deployments, and GitLab for containerized workloads. We’ve also seen Jenkins instances that are 8+ years old running alongside newer GitHub Actions deployments. This fragmentation happens through acquisitions, organic growth, compliance requirements, or simply different teams choosing different tools over the years.

When we released Gato and Glato, they solved GitHub Actions and GitLab CI security. But we kept running into environments that also had Azure DevOps, Jenkins, and other platforms. Assessing mixed environments meant using different tools for each platform and for platforms we didn’t have tools for yet, reviews were manual. It worked, but it didn’t scale. The underlying issue was architectural: each tool was platform-specific, and supporting more platforms meant building more separate tools.

So we decided to rebuild from scratch. Trajan uses a platform-first architecture where each platform has dedicated enumeration modules, detection plugins that understand its security model, and attack modules that can prove exploitability. The result is one tool that works consistently across the platforms enterprises actually use.

Trajan ships with 32 detection plugins and 24 attack plugins across four platforms:

• GitHub Actions
• GitLab CI
• Azure DevOps
• Jenkins

Poisoned Pipeline Execution – The most common critical finding in CI/CD assessments is a pipeline that runs attacker-controlled code. This takes several forms. Expression injection interpolates user input (a PR title, issue body, commit message) directly into a shell command. Unsafe checkout triggers like `pull_request_target` run fork code with the base repository’s secrets. Unpinned dependencies follow mutable tags that can be silently replaced. The mechanism varies by platform, but the result is the same: arbitrary code execution inside the build environment. Trajan detects these variants across supported platforms. It builds a workflow graph, traces user-controllable sources into execution sinks, and reports the specific nodes that create the path.

Secrets Exposure – Secrets leak from pipelines through both script behavior and access control failures. Scripts echo variables to build logs, tokens appear in URL parameters, and commands dump credentials where anyone with log access can read them. CI/CD platforms mask secrets in output but can’t intercept every path. The more systemic risks are structural: service connections scoped too broadly, secrets available on untrusted triggers, and variable groups shared across projects create credential exposure that no single workflow file reveals. Trajan maps these cross-workflow resource relationships to surface overpermissioned secrets, exposed tokens, and hijackable service connections. And an upcoming integration with Titus, our secrets scanner, will extend this to credential detection in build logs and workflow artifacts.

Self-Hosted Runners: Non ephemeral self-hosted runners and agents persist between jobs, accumulate filesystem state, have network access to internal systems, and often retain service account credentials from earlier runs. When a vulnerable workflow runs on self-hosted infrastructure, the blast radius can quickly expand. Trajan identifies jobs running on self-hosted runners across supported platforms, flagging which pipelines can reach internal systems if compromised and provides command execution capabilities for establishing persistence.

Beyond these categories, Trajan also detects supply chain risks like artifact poisoning, cache poisoning, and TOCTOU race conditions in dispatched workflows. It flags access control issues, environment protection bypasses, and platform-specific misconfigurations.

Alongside traditional risks, we’re now seeing AI agents deployed into CI/CD pipelines at scale. GitHub Copilot reviews pull requests. CodeRabbit suggests code changes. Custom model workflows analyze commits for security issues. These AI actions can be misconfigured to receive untrusted input from pull requests and have access to repository secrets. This is the new attack surface.

The danger isn’t the AI review itself, it’s what happens when these workflows process attacker-controlled text. If the AI action has access to secrets, a malicious PR comment can get the model’s output to leak credentials. Trajan detects these conditions through dedicated plugins covering token exfiltration, code injection, workflow sabotage, and MCP abuse.

But detection is only half the problem. Validation requires knowing which AI services are actually deployed and whether they’re exploitable. Trajan integrates Julius, our LLM service fingerprinting tool, which probes endpoints extracted from workflow YAML files to identify providers across 30+ supported services. From there, Trajan hands off to Augustus, our LLM vulnerability scanner, which tests exploitability using 210+ adversarial prompt injection payloads across six attack categories: instruction override, role confusion, filter bypass, data extraction, jailbreak, and prompt hijack.

Organizations embedding AI into their build pipelines need to treat these workflows as privileged code execution surfaces, not helpful automation. Trajan detects six AI-specific vulnerability classes, identifies deployed AI services with Julius, and validates exploitability with Augustus across the full attack surface.

Enumerate maps your access and attack surface before anything else. The `enumerate token` command validates credentials, identifies the authenticated user, and reports what permissions the token actually has. From there, subcommands discover repositories, secrets, runners, build agents, service connections, and other platform-specific infrastructure. The goal is to answer two questions before you scan or attack: what can this token access, and where are the high-value targets?

> trajan ado enumerate variable-groups --org Middle-Earth-Arda --project Lothlorien

ID  NAME                    TYPE  VARIABLES

6   lothlorien-db-creds     Vsts  6

5   lothlorien-cloud-creds  Vsts  5

4   lothlorien-app-config   Vsts  6

Total: 3 variable groups

Scan runs detection plugins against pipeline configurations. Trajan fetches workflow files via platform APIs, parses them into a graph, and runs registered detectors against that graph. Similar vulnerability classes (script injection, secret exposure, unpinned dependencies, self-hosted runner risks, AI/LLM abuse) appear across every platform, just with different syntax. Trajan handles the translation.

> trajan ado scan --org Middle-Earth-Arda --repo Lothlorien/Galadriel_repo --detailed --capabilities secrets-exposure

Found 1 repositories, 1 workflows

Running 6 detectors...

Analysis complete: 1 finding

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Repository: Lothlorien/Galadriel_repo (3 findings)

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

[HIGH]

Finding: unredacted_secrets

Workflow: unredacted_secrets.yml

Location: Line 20, Step: Debug Cloud Credentials

Description:

Echo command with variable expansion: echo "Debug:

AWS_SECRET_ACCESS_KEY=$(AWS_SECRET_ACCESS_KEY)" echo "Debug:

AZURE_CLIENT_SECRET=$(AZURE_CLIENT_SECRET)"

Code Context:

───────────────────────────────────────────

18   steps:

19     - script: |

20 →       echo "Debug: AWS_SECRET_ACCESS_KEY=$(AWS_SECRET_ACCESS_KEY)"

21         echo "Debug: AZURE_CLIENT_SECRET=$(AZURE_CLIENT_SECRET)"

22       displayName: 'Debug Cloud Credentials'

───────────────────────────────────────────

Attack validates that detected vulnerabilities are actually exploitable. Every attack plugin requires explicit opt-in, tracks all created artifacts in a session file, and supports cleanup after the engagement for opsec. Attack capabilities include secrets exfiltration, command execution on build agents and runners, persistence mechanisms on runners, and AI prompt injection testing.

> trajan ado attack --org Middle-Earth-Arda --repo Lothlorien/Galadriel_repo --plugin secrets-dump --confirm
=== Attack Results (Session: 07b00b13) ===

[SUCCESS] ado-secrets-dump

Message: Secrets dump successful.

Secrets written to: ado-secrets-07b00b13.txt

Summary: 146 environment variables, 3 variable groups (15 secrets)

Artifacts:

- branch: trajan-secrets-07b00b13

- workflow: pipeline:141

To cleanup: trajan ado attack cleanup --session 07b00b13

Trajan also compiles to a WebAssembly binary that runs entirely in the browser as a single HTML file. It uses the same detection engine, attack plugins, and enumeration logic as the CLI, just compiled to WASM. The web version of Trajan enables low-friction delivery into target environments as part of an assessment.

Trajan is available now at https://github.com/praetorian-inc/trajan. Prebuilt binaries for Linux, macOS, and Windows are on the releases page.

Support for additional CI/CD platforms is in active development: Bitbucket Pipelines, CircleCI, AWS CodePipeline, and Google Cloud Build. If you find bugs, want to contribute detection or attack plugins, or have feature requests, open an issue. We’re actively developing Trajan and want to hear how you’re using it.