Automated web application security scanner with compliance mapping, policy gates, and CI/CD integration
🔱 Trident
Trident scans websites for vulnerabilities aligned with OWASP Top 10 2025, OWASP API Security Top 10, and maps findings to PCI DSS 4.0, SOC 2, and NIST CSF — out of the box.
pip install trident-scanner
trident scan https://your-app.com
Why Trident?
Most security scanners dump findings. Trident tells you what to fix, how to fix it, and which compliance frameworks are affected — with framework-specific code snippets for nginx, Apache, Express, Django, Rails, and more.
| Feature | Trident | ZAP | Nuclei | Nikto |
|---|---|---|---|---|
| Compliance mapping (PCI DSS, SOC 2, NIST) | Yes | No | No | No |
| Policy-as-code CI gates | Yes | Manual | No | No |
| Fix suggestions with code snippets | Yes | No | No | No |
| SARIF for GitHub Code Scanning | Yes | Plugin | No | No |
| SBOM generation | Yes | No | No | No |
| SPA crawling (Playwright) | Yes | Yes | N/A | No |
| Community YAML templates | Yes | N/A | Yes | N/A |
| Web dashboard | Yes | Yes | Cloud | No |
Quick Start
# Install
pip install trident-scanner
# Basic scan (passive — safe for any target)
trident scan https://example.com
# Active mode (sends test payloads — only against targets you own or are explicitly authorized to test)
trident scan https://example.com --active
# Scan a React/Vue/Angular SPA
trident scan https://spa-app.com --js-crawl
# Generate all report formats
trident scan https://example.com \
-o results.json \
--html report.html \
--sarif results.sarif \
--compliance compliance.json
# Check against a security policy (CI/CD gate)
trident scan https://example.com -o results.json --policy policy.yaml
# Start the web dashboard
trident serve
# Continuous monitoring with Slack alerts
trident monitor https://example.com --interval 30 --webhook https://hooks.slack.com/...
19 Security Scanners
| Scanner | What It Checks |
|---|---|
| headers | Missing security headers (HSTS, CSP, X-Frame-Options, etc.) |
| tls | HTTPS enforcement, weak protocols, certificate expiry |
| xss | Reflected XSS in GET params and POST forms (passive + active) |
| sqli | SQL injection via error-based detection |
| cors | CORS misconfigurations (origin reflection, null origin, wildcard) |
| csrf | Missing CSRF tokens on state-changing forms |
| open-redirect | Open redirect via common redirect parameters |
| dir-enum | Sensitive files and directories (.git, .env, backups, admin panels) |
| cookies | Cookie security (Secure, HttpOnly, SameSite attributes) |
| info-disclosure | Leaked secrets, stack traces, debug mode in HTML |
| ssrf | Server-Side Request Forgery via URL parameters |
| tech-fingerprint | Technology detection (CMS, frameworks, libraries, CDN) |
| http-methods | Dangerous HTTP methods (PUT, DELETE, TRACE) |
| subdomain-enum | DNS enumeration of 70+ common subdomains |
| graphql | GraphQL introspection, batching, alias DoS, field suggestions |
| api-security | OWASP API Top 10 (BOLA, auth, rate limiting, spec exposure) |
| secrets | API keys, tokens, credentials in responses and JS files |
| js-libs | Outdated JavaScript libraries with known CVEs |
| templates | Community YAML vulnerability templates |
Compliance Mapping
Every finding is automatically mapped to:
- OWASP Top 10 2025
- OWASP API Security Top 10 2023
- PCI DSS 4.0
- SOC 2 Trust Services Criteria
- NIST Cybersecurity Framework
trident scan https://example.com --compliance report.json
Output includes a compliance percentage per framework:
OWASP Top 10 2025: 70.0% compliant
PCI DSS 4.0: 87.5% compliant
SOC 2: 83.3% compliant
These percentages are derived from the scan's own findings, so they cover only the controls a black-box web scan can exercise; treat them as evidence for an assessment, not as a compliance attestation.
Policy-as-Code
Define security policies in YAML and use them as CI/CD gates:
# policy.yaml
name: Production Security Policy
rules:
  - name: no-critical-findings
    type: max_severity
    max: high
  - name: max-high-findings
    type: max_count
    severity: high
    max: 3
  - name: required-scanners
    type: required_scanner
    scanners: [headers, tls, xss, sqli, secrets]
  - name: no-leaked-secrets
    type: forbidden_finding
    titles: ["Secret Detected", "AWS Access Key"]
# Exits with code 1 on violations — perfect for CI
trident scan https://app.com -o results.json --policy policy.yaml
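To make the gate semantics concrete, here is an added example (not Trident's own policy engine) that evaluates the four rule types above against a scan results document and produces the CI exit code. It assumes a results JSON with a `scanners_run` list and a `findings` list whose items carry `title`, `severity` and `scanner`; the real Trident output schema is not shown on this page, and the sample findings are constructed.

```python
"""Evaluate a Trident-style policy against scan results and return an exit code.

Added example, not Trident's own policy engine. Assumes a results document
with a "scanners_run" list and a "findings" list whose items carry "title",
"severity" and "scanner"; the real JSON schema is not shown on the page.
"""
from __future__ import annotations

import sys

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# The policy from the README, as yaml.safe_load would parse it.
POLICY = {
    "name": "Production Security Policy",
    "rules": [
        {"name": "no-critical-findings", "type": "max_severity", "max": "high"},
        {"name": "max-high-findings", "type": "max_count", "severity": "high", "max": 3},
        {"name": "required-scanners", "type": "required_scanner",
         "scanners": ["headers", "tls", "xss", "sqli", "secrets"]},
        {"name": "no-leaked-secrets", "type": "forbidden_finding",
         "titles": ["Secret Detected", "AWS Access Key"]},
    ],
}

# Constructed sample results; not output from a real scan.
SAMPLE_RESULTS = {
    "scanners_run": ["headers", "tls", "xss", "sqli", "secrets"],
    "findings": [
        {"title": "Missing HSTS header", "severity": "medium", "scanner": "headers"},
        {"title": "Reflected XSS in q parameter", "severity": "high", "scanner": "xss"},
        {"title": "AWS Access Key", "severity": "critical", "scanner": "secrets"},
    ],
}


def evaluate_rule(rule: dict, results: dict) -> str | None:
    """Return a violation message for one rule, or None if it passes."""
    findings = results.get("findings", [])
    kind = rule["type"]
    if kind == "max_severity":
        # Anything ranked above the ceiling (critical when max is high) fails.
        ceiling = SEVERITY_RANK[rule["max"]]
        worse = [f for f in findings if SEVERITY_RANK[f["severity"]] > ceiling]
        return f"{len(worse)} finding(s) above severity '{rule['max']}'" if worse else None
    if kind == "max_count":
        n = sum(1 for f in findings if f["severity"] == rule["severity"])
        return f"{n} {rule['severity']} findings exceed limit {rule['max']}" if n > rule["max"] else None
    if kind == "required_scanner":
        # A scanner that did not run cannot have produced findings, so its absence fails the gate.
        missing = sorted(set(rule["scanners"]) - set(results.get("scanners_run", [])))
        return f"required scanners did not run: {', '.join(missing)}" if missing else None
    if kind == "forbidden_finding":
        hits = [f["title"] for f in findings if f["title"] in rule["titles"]]
        return f"forbidden finding(s) present: {', '.join(hits)}" if hits else None
    # Fail closed: a rule type the engine does not understand must not silently pass.
    return f"unknown rule type '{kind}'"


def evaluate_policy(policy: dict, results: dict) -> list[tuple[str, str]]:
    """Return (rule name, violation) pairs; an empty list means the gate passes."""
    violations = []
    for rule in policy.get("rules", []):
        msg = evaluate_rule(rule, results)
        if msg is not None:
            violations.append((rule["name"], msg))
    return violations


def gate_exit_code(policy: dict, results: dict) -> int:
    """Exit code for CI: 0 when the policy passes, 1 on any violation."""
    return 1 if evaluate_policy(policy, results) else 0


if __name__ == "__main__":
    for name, msg in evaluate_policy(POLICY, SAMPLE_RESULTS):
        print(f"VIOLATION [{name}]: {msg}")
    sys.exit(gate_exit_code(POLICY, SAMPLE_RESULTS))
```

Against the sample results the gate fails twice: the critical `AWS Access Key` finding breaches `max_severity: high`, and the same title is on the `forbidden_finding` list. Note that unknown rule types and scanners that did not run are both treated as failures, so a typo in `policy.yaml` or a scanner that crashed cannot turn the gate green.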
Community Templates
Add custom vulnerability checks as YAML files — no code needed:
# templates/my-check.yaml
id: exposed-admin-panel
name: "Admin Panel Exposed"
severity: high
author: your-name
tags: [exposure, admin]
remediation: "Restrict admin panel access by IP or require VPN."
request:
  method: GET
  path: /admin/login
matchers:
  - type: word
    words: ["Admin Login", "Sign In"]
    condition: or
  - type: status
    status: [200]
matchers_condition: and
Drop .yaml files in ./templates/ or ~/.trident/templates/ and they're automatically loaded.
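The following added example (not Trident's template engine) shows how a template of this shape is evaluated: each matcher is checked against the response, a `word` matcher combines its words with its own `condition`, and `matchers_condition` combines the matchers. It assumes a `fetch(method, path)` callable and uses constructed in-memory responses, so nothing is sent over the network.

```python
"""Evaluate a Trident-style YAML template against HTTP responses.

Added example, not Trident's template engine. It implements the template
shape shown above (request.method/path; matchers of type word or status,
each with an optional condition of or/and; matchers_condition) and assumes
a fetch(method, path) callable. Responses are constructed in memory.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable

# The template from the README, as yaml.safe_load would parse it.
TEMPLATE = {
    "id": "exposed-admin-panel",
    "name": "Admin Panel Exposed",
    "severity": "high",
    "remediation": "Restrict admin panel access by IP or require VPN.",
    "request": {"method": "GET", "path": "/admin/login"},
    "matchers": [
        {"type": "word", "words": ["Admin Login", "Sign In"], "condition": "or"},
        {"type": "status", "status": [200]},
    ],
    "matchers_condition": "and",
}


@dataclass
class Response:
    status: int
    body: str


def match_one(matcher: dict, resp: Response) -> bool:
    """Evaluate a single matcher; an unknown type raises rather than silently passing."""
    kind = matcher["type"]
    if kind == "word":
        hits = [w in resp.body for w in matcher["words"]]
        return all(hits) if matcher.get("condition", "or") == "and" else any(hits)
    if kind == "status":
        return resp.status in matcher["status"]
    raise ValueError(f"unsupported matcher type: {kind}")


def template_matches(template: dict, resp: Response) -> bool:
    """Combine the per-matcher results with matchers_condition (default: or)."""
    results = [match_one(m, resp) for m in template["matchers"]]
    return all(results) if template.get("matchers_condition", "or") == "and" else any(results)


def run_template(template: dict, fetch: Callable[[str, str], Response]) -> dict | None:
    """Issue the template's request and return a finding dict, or None on no match."""
    req = template["request"]
    resp = fetch(req["method"], req["path"])
    if not template_matches(template, resp):
        return None
    return {
        "id": template["id"],
        "name": template["name"],
        "severity": template["severity"],
        "remediation": template["remediation"],
        "evidence": f"{req['method']} {req['path']} -> {resp.status}",
    }


# Constructed targets (not real sites): one exposes an admin panel, the other
# serves a custom 404 page whose body happens to contain "Sign In".
EXPOSED_SITE = {"/admin/login": Response(200, "<h1>Admin Login</h1><form>...</form>")}
HARDENED_SITE = {"/admin/login": Response(404, "Not found. <a href='/'>Sign In</a>")}


def make_fetch(site: dict[str, Response]) -> Callable[[str, str], Response]:
    """Build a fetch callable over a constructed site; unknown paths return 404."""
    return lambda method, path: site.get(path, Response(404, "Not found"))


if __name__ == "__main__":
    print(run_template(TEMPLATE, make_fetch(EXPOSED_SITE)))
    print(run_template(TEMPLATE, make_fetch(HARDENED_SITE)))
```

The hardened site shows why the `status` matcher and `matchers_condition: and` matter: the 404 page contains "Sign In", so a word-only template would report a false positive. The converse failure mode is an SPA or catch-all handler that answers 200 with a generic login page for every path; a template author should pair generic words with a distinctive one, or check a random nonexistent path first and discount responses identical to it.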
GitHub Actions
# .github/workflows/security.yml
name: Security Scan
on: [push]
jobs:
  scan:
    uses: your-org/trident/.github/workflows/trident-scan.yaml@main
    with:
      target_url: https://staging.your-app.com
      fail_on_severity: high
Findings appear in the GitHub Security tab via SARIF upload. Uploading SARIF to Code Scanning requires the `security-events: write` permission, and a reusable workflow cannot exceed the permissions of the job that calls it, so grant that permission on the calling job.
Web Dashboard
trident serve
# Open http://127.0.0.1:8000
Dark-themed dashboard with:
- Scan configuration (URL, scanners, active mode)
- Live progress tracking
- Severity breakdown and compliance posture
- Expandable vulnerability details
- HTML/JSON/SARIF report downloads
Output Formats
| Format | Flag | Use Case |
|---|---|---|
| Console | (default) | Human-readable terminal output |
| JSON | -o results.json | Machine processing, CI/CD |
| HTML | --html report.html | Stakeholder sharing |
| SARIF | --sarif results.sarif | GitHub Code Scanning |
| CycloneDX SBOM | --sbom sbom.json | Supply chain compliance |
| Compliance | --compliance report.json | Audit evidence |
Architecture
src/trident/
├── cli/ # Typer CLI (scan, serve, monitor, policy-check)
├── core/ # Engine, models, templates, policy, compliance, SBOM
├── crawlers/ # HTML crawler + Playwright JS crawler
├── scanners/ # 19 plugin scanners + YAML template engine
├── reporters/ # Console, JSON, HTML, SARIF output
├── api/ # FastAPI dashboard + REST API
└── templates/ # Built-in YAML vulnerability templates
Adding a new scanner:
from trident.core.scanner_base import BaseScanner
from trident.scanners import register_scanner
# Vulnerability is the finding model under trident.core (the "models" module in the
# tree above); its exact import path is not shown on this page, so import it from there.

@register_scanner
class MyScanner(BaseScanner):
    name = "my-scanner"
    description = "Checks for something specific"

    async def scan(self, urls: list[str]) -> list[Vulnerability]:
        # Your detection logic here: inspect each URL and return Vulnerability objects
        return []
Development
git clone https://github.com/your-org/trident.git
cd trident
pip install -e ".[dev,api]"
pytest
License
MIT
Download files
File details
Details for the file trident_scanner-0.1.1.tar.gz.
File metadata
- Download URL: trident_scanner-0.1.1.tar.gz
- Upload date:
- Size: 72.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.10.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 46219616878c132732b23c11f2501f7c5196a3836120930026f05b75161d64c1 |
| MD5 | d3bf1ac040a664eb982f3d20906385a2 |
| BLAKE2b-256 | e9a9e1e48eaa35fb298b1892f1a41c2d0d63d481cbe41c4cb337ac98fbd14fa7 |
File details
Details for the file trident_scanner-0.1.1-py3-none-any.whl.
File metadata
- Download URL: trident_scanner-0.1.1-py3-none-any.whl
- Upload date:
- Size: 102.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.10.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | c66e725c46e04c6faa91b46449f16f3f3b54b3a342b05121f53c99ca96710311 |
| MD5 | 45afd5360ab154f5c01fc669325437c7 |
| BLAKE2b-256 | 0ee0ee703ab7e461d215bc11f1a1c6e78e10689e9b768719b5ee72e9e3f0e565 |