DAST that engineers will actually keep in the pipeline.
Tsun runs real OWASP ZAP scans with sane defaults: auth-friendly, low-noise CI profiles, baselines, and SARIF. Built for small SaaS teams that don’t want enterprise overhead.
# Install from GitHub Releases (macOS/Linux)
os=$(uname -s | tr '[:upper:]' '[:lower:]'); [ "$os" = "darwin" ] && os=macos
arch=$(uname -m); [ "$arch" = "arm64" ] && arch=aarch64
curl -fL "https://github.com/tsun-dev/tsun/releases/latest/download/tsun-${os}-${arch}.tar.gz" | tar -xz
sudo install -m 0755 tsun /usr/local/bin/tsun

# run a CI-scoped scan
tsun scan --target https://staging.example.com \
  --profile ci --min-severity medium --exit-on-severity high \
  --format sarif --output report.sarif

# compare to a baseline (pro)
tsun scan --target https://staging.example.com \
  --baseline baseline.json --format html --output report.html
Built for small teams running real apps
Tsun is a CLI-first wrapper around OWASP ZAP with pragmatic defaults and guardrails. You get reliable scans, useful output, and CI workflows that don’t create permanent red builds.
Scan behind login
Use headers, cookie files, or a pre-scan login command to generate sessions.
Predictable runtime
Profiles enforce time budgets and URL caps so scans finish when your pipeline needs them to.
Measure what changed
Baseline diffs show new vs fixed findings and severity/CVSS deltas over time.
Output devs can act on
Generate JSON/YAML/HTML for humans and SARIF for code scanning platforms.
Docker lifecycle handled
Auto port selection, health checks, cleanup on Ctrl+C—so CI doesn’t get messy.
Code Scanning ready
Generate and upload SARIF to show findings right where engineers live: PRs and alerts.
Pricing that won’t punish small teams
Start with the free CLI. Upgrade when you want cleaner CI workflows, stronger guardrails, and less noise.
No per-seat pricing. No per-scan billing. Cancel anytime.
Free
Authenticated ZAP scans that work in CI, forever.
- Authenticated scans (headers, cookies, login hooks)
- CI scan profile (~10–15 min runtime)
- Managed ZAP lifecycle (Docker auto-start/cleanup)
- JSON + SARIF output
- Exit-code gating for CI
- Scan tuning (timeout, URL limits, attack strength)
- Runs locally. No account required.
Pro Team
Baselines, deep scans, and noise-free CI for small teams.
- Everything in Free, plus:
- Baseline comparisons (new/fixed/unchanged vulns)
- Severity deltas over time (trend: improved/unchanged/regressed)
- Deep scan profile (60–120 min runtime)
- Advanced scan profiles (custom tuning + longer runs)
- HTML + YAML output formats
- GitHub SARIF upload (Code Scanning integration)
- CI noise reduction + graceful fallbacks
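The baseline comparison described under "Measure what changed" and in the Pro Team list (new/fixed/unchanged findings, severity and CVSS deltas, an improved/unchanged/regressed trend) is the part of a DAST pipeline that keeps a gate from turning into a permanent red build: only findings that are new relative to the baseline, or that got worse, fail the job. The following is an added example, not Tsun's own code, and the finding shape (`rule`, `url`, `param`, `severity`, `cvss`), the identity key `(rule, url, param)`, the severity ordering and the sample scans are all assumptions made for illustration, not Tsun's real JSON schema.

```python
"""Baseline diff and CI gate for DAST findings (illustrative, not Tsun's code).

Assumed finding shape: {"rule", "url", "param", "severity", "cvss"}.
A finding is treated as the same finding across scans when rule, URL and
parameter all match. Severity ordering is assumed to be info < low < medium < high.
"""
from typing import Dict, List, Tuple

Finding = Dict[str, object]
Key = Tuple[str, str, str]

# Assumed severity ordering used for thresholds like "--exit-on-severity high"
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}


def finding_key(f: Finding) -> Key:
    """Identity of a finding across scans: rule + URL + parameter."""
    return (str(f["rule"]), str(f["url"]), str(f.get("param", "")))


def compare(baseline: List[Finding], current: List[Finding]) -> dict:
    """Classify current findings against a baseline and compute severity deltas."""
    base = {finding_key(f): f for f in baseline}
    cur = {finding_key(f): f for f in current}

    new = [cur[k] for k in cur if k not in base]          # present now, absent before
    fixed = [base[k] for k in base if k not in cur]       # present before, absent now
    unchanged = [cur[k] for k in cur if k in base]        # present in both scans

    # Severity / CVSS movement for findings that exist in both scans
    deltas = []
    for k in cur.keys() & base.keys():
        before, after = base[k], cur[k]
        before_sev, after_sev = str(before["severity"]), str(after["severity"])
        if before_sev != after_sev:
            deltas.append({
                "rule": k[0], "url": k[1], "param": k[2],
                "from": before_sev, "to": after_sev,
                "cvss_delta": round(float(after.get("cvss", 0.0)) - float(before.get("cvss", 0.0)), 1),
            })

    worsened = any(SEVERITY_RANK[d["to"]] > SEVERITY_RANK[d["from"]] for d in deltas)
    improved = any(SEVERITY_RANK[d["to"]] < SEVERITY_RANK[d["from"]] for d in deltas)
    if new or worsened:
        trend = "regressed"
    elif fixed or improved:
        trend = "improved"
    else:
        trend = "unchanged"

    return {"new": new, "fixed": fixed, "unchanged": unchanged,
            "severity_deltas": deltas, "trend": trend}


def exit_code(report: dict, exit_on_severity: str = "high") -> int:
    """CI gate: fail only on new findings, or severity regressions, at/above the threshold.

    Findings already in the baseline never fail the build on their own, which is
    what stops a DAST gate from becoming a permanently red pipeline.
    """
    threshold = SEVERITY_RANK[exit_on_severity]
    new_hits = [f for f in report["new"] if SEVERITY_RANK[str(f["severity"])] >= threshold]
    worse_hits = [d for d in report["severity_deltas"]
                  if SEVERITY_RANK[d["to"]] > SEVERITY_RANK[d["from"]]
                  and SEVERITY_RANK[d["to"]] >= threshold]
    return 1 if (new_hits or worse_hits) else 0


# Constructed sample scans (rule names are illustrative, not real scanner IDs)
BASELINE_SCAN: List[Finding] = [
    {"rule": "csp-header-missing", "url": "https://staging.example.com/", "param": "", "severity": "low", "cvss": 3.1},
    {"rule": "reflected-xss", "url": "https://staging.example.com/search", "param": "q", "severity": "high", "cvss": 8.2},
    {"rule": "cookie-no-httponly", "url": "https://staging.example.com/login", "param": "", "severity": "medium", "cvss": 5.3},
]
CURRENT_SCAN: List[Finding] = [
    {"rule": "csp-header-missing", "url": "https://staging.example.com/", "param": "", "severity": "low", "cvss": 3.1},
    # reflected-xss on /search no longer reported -> counted as "fixed"
    {"rule": "cookie-no-httponly", "url": "https://staging.example.com/login", "param": "", "severity": "low", "cvss": 3.1},
    {"rule": "error-disclosure", "url": "https://staging.example.com/upload", "param": "file", "severity": "high", "cvss": 7.5},
]

if __name__ == "__main__":
    report = compare(BASELINE_SCAN, CURRENT_SCAN)
    print(f"trend={report['trend']} new={len(report['new'])} fixed={len(report['fixed'])} "
          f"unchanged={len(report['unchanged'])} deltas={report['severity_deltas']}")
    raise SystemExit(exit_code(report, "high"))
```

With the constructed scans above the run reports one new high finding, one fixed finding, one downgrade (medium to low, CVSS delta -2.2), a trend of "regressed", and exits 1 under a "high" threshold; re-running against the current scan with only the first two findings yields "improved" and exits 0. The choice to gate on new and worsened findings only is the design decision that matters: gating on the total count would fail every build until the backlog is empty, which is exactly how DAST gets removed from pipelines.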
Pro Plus
Same power, prioritized for larger orgs.
- Everything in Pro Team
- Priority onboarding + support
- Intended for higher-frequency CI usage
- Best for teams of 25–50 devs
FAQ
Is this safe to run in CI?
Yes—use the ci profile for time-boxed scans. Keep targets scoped to staging/preview environments.
Does it support authenticated apps?
Yes. Use headers, cookie files, or a pre-scan login command to generate sessions before scanning.
Do I need to manage ZAP myself?
No. Tsun can run ZAP in Docker and manages lifecycle, ports, health checks, and cleanup automatically.
What makes Pro worth it?
Pro focuses on workflow: baselines, noise control, CI guardrails, and better diagnostics—so teams keep scanning enabled.
Ship safer releases without enterprise baggage.
Install Tsun, run a CI profile scan on staging, and get actionable output in minutes.