ZAP-powered scans built for CI

DAST that engineers will actually keep in the pipeline.

Tsun runs real OWASP ZAP scans with sane defaults: auth-friendly, low-noise CI profiles, baselines, and SARIF. Free and open source, built for small SaaS teams that don't want enterprise overhead.

Authenticated scans via headers, cookies, or a login command hook.
CI profile with time/URL caps so it finishes on schedule.
Baselines to dedupe noise and show what changed since last run.
SARIF output + GitHub Code Scanning upload.
tsun — quick start
# Install from GitHub Releases
# macOS/Linux (amd64)
curl -L https://github.com/tsun-dev/tsun/releases/latest/download/tsun-$(uname -s)-$(uname -m) -o tsun
chmod +x tsun && sudo mv tsun /usr/local/bin/

# run a CI-scoped scan
tsun scan --target https://staging.example.com \
  --profile ci --min-severity medium --exit-on-severity high \
  --format sarif --output report.sarif

# compare to a baseline
tsun scan --target https://staging.example.com \
  --baseline baseline.json --format html --output report.html

Built for small teams running real apps

Tsun is a CLI-first wrapper around OWASP ZAP with pragmatic defaults and guardrails. You get reliable scans, useful output, and CI workflows that don't create permanent red builds.

Auth

Scan behind login

Use headers, cookie files, or a pre-scan login command to generate sessions.

Flags: --header, --cookies, --login-command
CI-friendly

Predictable runtime

Profiles enforce time budgets and URL caps so scans finish when your pipeline needs them to.

Flags: --profile ci, --timeout, --max-urls
Noise control

Measure what changed

Baseline diffs show new vs fixed findings and severity/CVSS deltas over time.

Flags: --baseline, --min-severity, --exit-on-severity
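
How a baseline diff and a severity gate fit together, as an added example (not Tsun's own code): findings from two runs are fingerprinted by rule, URL path and parameter, so the diff reports what is new, what was fixed, and which existing findings were re-rated; the gate then fails the build only when a new finding reaches the exit threshold. The Finding fields and sample values are constructed for illustration and are not Tsun's baseline.json layout.

```python
"""Baseline diff and severity gate for DAST findings.

Added example, not Tsun's code. The Finding layout and the sample runs are
constructed for illustration; Tsun's real baseline.json format may differ.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    rule: str        # scanner rule id (sample values below follow ZAP's numeric scheme)
    url: str         # affected URL; the query string is dropped when fingerprinting
    param: str       # affected parameter, "" if none
    severity: str    # one of SEVERITY_RANK
    cvss: float      # scanner-assigned score, 0.0 if none

    def fingerprint(self) -> str:
        # Stable identity across runs: same rule on the same path and parameter.
        # Query values and CVSS are excluded so re-scans dedupe correctly.
        path = self.url.split("?", 1)[0]
        return hashlib.sha256(f"{self.rule}|{path}|{self.param}".encode()).hexdigest()[:16]


def diff_against_baseline(baseline: list[Finding], current: list[Finding]) -> dict:
    before = {f.fingerprint(): f for f in baseline}
    after = {f.fingerprint(): f for f in current}
    new = [after[k] for k in after.keys() - before.keys()]
    fixed = [before[k] for k in before.keys() - after.keys()]
    # Present in both runs, but the scanner now rates it differently.
    changed = [
        {"finding": after[k], "severity_from": before[k].severity,
         "severity_to": after[k].severity, "cvss_delta": round(after[k].cvss - before[k].cvss, 1)}
        for k in after.keys() & before.keys()
        if (before[k].severity, before[k].cvss) != (after[k].severity, after[k].cvss)
    ]
    return {"new": new, "fixed": fixed, "changed": changed}


def gate(new_findings: list[Finding], min_severity: str, exit_on_severity: str) -> tuple[int, list[Finding]]:
    """Mirror a min-severity / exit-on-severity pair: report new findings at or above
    min_severity, and return exit code 1 only if one of them reaches exit_on_severity."""
    reported = [f for f in new_findings if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[min_severity]]
    failing = [f for f in reported if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[exit_on_severity]]
    return (1 if failing else 0), reported


# Constructed sample runs: the stored baseline vs. the current scan.
BASELINE = [
    Finding("10038", "https://staging.example.com/", "", "low", 3.1),                 # CSP header not set
    Finding("40012", "https://staging.example.com/search?q=1", "q", "medium", 6.1),   # reflected XSS
    Finding("10021", "https://staging.example.com/login", "", "low", 2.0),            # X-Content-Type-Options
]
CURRENT = [
    Finding("10038", "https://staging.example.com/", "", "low", 3.1),                 # unchanged
    Finding("40012", "https://staging.example.com/search?q=abc", "q", "high", 7.5),   # same finding, re-rated
    Finding("40018", "https://staging.example.com/api/items?id=2", "id", "high", 8.8),  # new: SQL injection rule
]


def summarize() -> dict:
    result = diff_against_baseline(BASELINE, CURRENT)
    code, reported = gate(result["new"], min_severity="medium", exit_on_severity="high")
    return {
        "new": sorted(f.rule for f in result["new"]),
        "fixed": sorted(f.rule for f in result["fixed"]),
        "changed": [(c["finding"].rule, c["severity_from"], c["severity_to"], c["cvss_delta"])
                    for c in result["changed"]],
        "exit_code": code,
        "reported": sorted(f.rule for f in reported),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(), indent=2))
```

In the sample, the reflected XSS was already in the baseline, so its upgrade from medium to high shows up under "changed" but does not turn the build red; only the new SQL injection finding at high does. That is the policy that keeps a baselined pipeline from staying permanently red while still surfacing regressions.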
Reports

Output devs can act on

Generate JSON/YAML/HTML for humans and SARIF for code scanning platforms.

Formats: html, json, sarif
Managed ZAP

Docker lifecycle handled

Auto port selection, health checks, cleanup on Ctrl+C—so CI doesn't get messy.

Related: --keep-zap, health checks, cleanup
GitHub

Code Scanning ready

Generate and upload SARIF to show findings right where engineers live: PRs and alerts.

Related: upload-sarif, GITHUB_TOKEN, commit/ref
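
What a SARIF report for DAST findings looks like, and what the GitHub Code Scanning upload endpoint expects, as an added example serving both the Reports and GitHub sections above (not Tsun's own code): findings are mapped onto SARIF 2.1.0 levels with the affected URL in artifactLocation.uri, then the document is gzip-compressed and base64-encoded into the body of POST /repos/{owner}/{repo}/code-scanning/sarifs. The finding dicts are constructed sample data; OWNER, REPO, the commit SHA and the token are placeholders.

```python
"""Minimal SARIF 2.1.0 emitter for DAST findings plus the GitHub Code Scanning
upload request. Added example, not Tsun's code; findings are constructed and the
owner/repo/commit/token values are placeholders."""
from __future__ import annotations

import base64
import gzip
import json
import urllib.request

# SARIF "level" allows only these values; DAST severities collapse into them.
LEVEL_FOR_SEVERITY = {"high": "error", "medium": "warning", "low": "note", "informational": "note"}


def to_sarif(findings: list[dict], tool_name: str, tool_version: str) -> dict:
    """Build one SARIF run. Rules are deduplicated into tool.driver.rules and each
    result refers to them by ruleId; DAST findings carry a URL, not a source file,
    so artifactLocation.uri holds the affected URL."""
    rules: dict[str, dict] = {}
    results = []
    for f in findings:
        rules.setdefault(f["rule"], {
            "id": f["rule"],
            "name": f["name"],
            "shortDescription": {"text": f["name"]},
            "defaultConfiguration": {"level": LEVEL_FOR_SEVERITY[f["severity"]]},
        })
        results.append({
            "ruleId": f["rule"],
            "level": LEVEL_FOR_SEVERITY[f["severity"]],
            "message": {"text": f"{f['name']} on parameter '{f['param']}'" if f["param"] else f["name"]},
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": f["url"]}}}],
            # partialFingerprints lets Code Scanning track one alert across uploads.
            "partialFingerprints": {"dastFingerprint/v1": f"{f['rule']}|{f['url'].split('?')[0]}|{f['param']}"},
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version, "rules": list(rules.values())}},
            "results": results,
        }],
    }


def upload_request(sarif: dict, owner: str, repo: str, commit_sha: str, ref: str, token: str) -> urllib.request.Request:
    """The code-scanning/sarifs endpoint expects the SARIF gzip-compressed and
    base64-encoded, plus the commit and fully-qualified ref the scan belongs to."""
    encoded = base64.b64encode(gzip.compress(json.dumps(sarif).encode())).decode()
    body = {"commit_sha": commit_sha, "ref": ref, "sarif": encoded}
    return urllib.request.Request(
        f"https://api.github.com/repos/{owner}/{repo}/code-scanning/sarifs",
        data=json.dumps(body).encode(),
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "X-GitHub-Api-Version": "2022-11-28",
            "Content-Type": "application/json",
        },
    )


def decode_payload(req: urllib.request.Request) -> dict:
    """Reverse the encoding; handy for inspecting a payload before sending it."""
    body = json.loads(req.data)
    return json.loads(gzip.decompress(base64.b64decode(body["sarif"])))


# Constructed findings (sample data; rule ids and names follow ZAP's scheme).
FINDINGS = [
    {"rule": "40012", "name": "Cross Site Scripting (Reflected)", "severity": "high",
     "url": "https://staging.example.com/search?q=abc", "param": "q"},
    {"rule": "10038", "name": "Content Security Policy (CSP) Header Not Set", "severity": "low",
     "url": "https://staging.example.com/", "param": ""},
    {"rule": "10038", "name": "Content Security Policy (CSP) Header Not Set", "severity": "low",
     "url": "https://staging.example.com/login", "param": ""},
]


def build_example() -> urllib.request.Request:
    sarif = to_sarif(FINDINGS, tool_name="tsun", tool_version="0.0.0-example")
    # Placeholders: in GitHub Actions these come from GITHUB_REPOSITORY, GITHUB_SHA,
    # GITHUB_REF and the GITHUB_TOKEN secret.
    return upload_request(sarif, "OWNER", "REPO", "0" * 40, "refs/heads/main", "<GITHUB_TOKEN>")


if __name__ == "__main__":
    req = build_example()
    print(json.dumps(decode_payload(req), indent=2))
    # urllib.request.urlopen(req) would perform the upload; not executed here.
```

When the upload runs under GitHub Actions, the job's GITHUB_TOKEN needs the security-events: write permission, and the ref must be fully qualified (refs/heads/main or refs/pull/N/merge), otherwise the alerts do not attach to the PR or branch view.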

Open source & community supported

Tsun is free and open-source. If it saves your team time, consider supporting the project—every contribution helps keep it maintained and improving.

⭐ Star & contribute on GitHub

Browse the source, open issues, submit PRs, or just give us a star. Community contributions are what make open source tools thrive.

💜 Sponsor the project

If Tsun is useful to you or your team, consider sponsoring via GitHub Sponsors or Open Collective. It helps fund ongoing development and maintenance.

FAQ

Is this safe to run in CI?

Yes—use the ci profile for time-boxed scans. Keep targets scoped to staging/preview environments.

Does it support authenticated apps?

Yes. Use headers, cookie files, or a pre-scan login command to generate sessions before scanning.

Do I need to manage ZAP myself?

No. Tsun can run ZAP in Docker and manages lifecycle, ports, health checks, and cleanup automatically.

Is it really free?

Yes—completely. No paywalls, no feature tiers, no account required. All features are available to everyone.

Ship safer releases without enterprise baggage.

Install Tsun, run a CI profile scan on staging, and get actionable output in minutes.