ZAP-powered scans built for CI

DAST that engineers will actually keep in the pipeline.

Tsun runs real OWASP ZAP scans with sane defaults: auth-friendly, low-noise CI profiles, baselines, and SARIF. Built for small SaaS teams that don’t want enterprise overhead.

Authenticated scans via headers, cookies, or a login command hook.
CI profile with time/URL caps so it finishes on schedule.
Baselines to dedupe noise and show what changed since last run.
SARIF output + GitHub Code Scanning upload.
Free CLI available. Pro unlocks CI guardrails and advanced workflow features.
tsun — quick start
# Install from GitHub Releases
# macOS/Linux (amd64)
# -f makes curl fail on an HTTP error instead of saving an error page as the binary
curl -fL https://github.com/tsun-dev/tsun/releases/latest/download/tsun-$(uname -s)-$(uname -m) -o tsun
# if the release publishes a checksum or signature, verify the download against it before installing
chmod +x tsun && sudo mv tsun /usr/local/bin/

# run a CI-scoped scan
tsun scan --target https://staging.example.com \
  --profile ci --min-severity medium --exit-on-severity high \
  --format sarif --output report.sarif

# compare to a baseline (pro)
tsun scan --target https://staging.example.com \
  --baseline baseline.json --format html --output report.html

Built for small teams running real apps

Tsun is a CLI-first wrapper around OWASP ZAP with pragmatic defaults and guardrails. You get reliable scans, useful output, and CI workflows that don’t create permanent red builds.

Auth

Scan behind login

Use headers, cookie files, or a pre-scan login command to generate sessions.

--header --cookies --login-command
CI-friendly

Predictable runtime

Profiles enforce time budgets and URL caps so scans finish when your pipeline needs them to.

--profile ci --timeout --max-urls
Noise control

Measure what changed

Baseline diffs show new vs fixed findings and severity/CVSS deltas over time.

--baseline --min-severity --exit-on-severity
Reports

Output devs can act on

Generate JSON/YAML/HTML for humans and SARIF for code scanning platforms.

html json sarif
Managed ZAP

Docker lifecycle handled

Auto port selection, health checks, cleanup on Ctrl+C—so CI doesn’t get messy.

--keep-zap health checks cleanup
GitHub

Code Scanning ready

Generate and upload SARIF to show findings right where engineers live: PRs and alerts.

upload-sarif GITHUB_TOKEN commit/ref
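The quick start and the Code Scanning card above describe one procedure: install the CLI, run a time-boxed CI-profile scan against staging, gate the build on severity, and push the SARIF into GitHub Code Scanning. The workflow below wires those steps together for a pull-request job. It is an added example, not a workflow shipped by the Tsun project: it uses only the tsun flags shown on this page plus the official github/codeql-action/upload-sarif action. The repository secret name STAGING_TOKEN, the `Name: value` form for --header, and the assumption that the runner has Docker available for the managed ZAP container are assumptions, not documented behaviour.

```yaml
name: dast

on:
  pull_request:
  schedule:
    - cron: "0 3 * * *"   # nightly run in addition to PRs

permissions:
  contents: read
  security-events: write   # required by the SARIF upload step

jobs:
  tsun-scan:
    runs-on: ubuntu-latest   # assumption: Docker is available for the managed ZAP container
    steps:
      - uses: actions/checkout@v4

      - name: Install tsun (same release URL as the quick start)
        run: |
          curl -fL "https://github.com/tsun-dev/tsun/releases/latest/download/tsun-$(uname -s)-$(uname -m)" -o tsun
          chmod +x tsun && sudo mv tsun /usr/local/bin/

      - name: Scan staging with the CI profile
        env:
          # assumption: a repository secret holding a staging-only bearer token
          STAGING_TOKEN: ${{ secrets.STAGING_TOKEN }}
        run: |
          # --exit-on-severity high makes this step fail the job on a high finding;
          # --min-severity medium keeps low/info noise out of the report.
          # The "Name: value" header syntax is assumed, not taken from the page.
          tsun scan --target https://staging.example.com \
            --profile ci --min-severity medium --exit-on-severity high \
            --header "Authorization: Bearer ${STAGING_TOKEN}" \
            --format sarif --output report.sarif

      - name: Upload SARIF to Code Scanning
        # always(): the scan step fails on purpose when a high finding exists,
        # and that is exactly the run whose findings must reach the PR.
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: report.sarif
```

Two details matter in practice. The upload step runs under `if: always()` because a severity gate that fails the job would otherwise also skip the upload, leaving engineers with a red build and no alerts to look at. And the target is a staging host reached with a staging-only credential; the token should have no access to production data, since a DAST scan submits requests, follows forms, and may mutate whatever the session can reach.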

Pricing that won’t punish small teams

Start with the free CLI. Upgrade when you want cleaner CI workflows, stronger guardrails, and less noise.

Free

Run real ZAP scans locally or in CI.

$0
forever
  • ZAP Docker scanning + mock mode
  • CI + Deep profiles
  • JSON / YAML / HTML / SARIF output
  • Basic severity filtering

FAQ

Short answers to the stuff engineers actually ask before adopting a scanner.

Is this safe to run in CI?

Yes, with one rule: treat it as an active scanner. The ci profile time-boxes the run, but a DAST scan still submits requests, follows forms, and may send attack payloads that create or modify data. Point it only at staging or preview environments you own, with credentials scoped to those environments, and never at production or third-party hosts.

Does it support authenticated apps?

Yes. Use headers, cookie files, or a pre-scan login command to generate sessions before scanning.

Do I need to manage ZAP myself?

No. Tsun can run ZAP in Docker and manages lifecycle, ports, health checks, and cleanup automatically.

What makes Pro worth it?

Pro focuses on workflow: baselines, noise control, CI guardrails, and better diagnostics—so teams keep scanning enabled.

Ship safer releases without enterprise baggage.

Install Tsun, run a CI profile scan on staging, and get actionable output in minutes.