xyun92
trilane
Rustโœจ New

TriLane: autonomous AI pentester and multi-agent security auditor for authorized gray-box testing of web apps and APIs. Built with Rust and Tauri.

Last updated Jul 2, 2026
26
Stars
0
Forks
0
Issues
0
Stars/day
Attention Score
47
Language breakdown
Rust 98.8%
Python 0.4%
TypeScript 0.3%
CSS 0.2%
Starlark 0.1%
HTML 0.1%
โ–ธ Files click to expand
README

TriLane

TriLane

Autonomous gray-box security auditing with visible lanes, attack-surface state, and evidence-backed findings.

npm version latest release Apache-2.0 license macOS arm64 desktop GUI six audit lanes safe and lab modes

S0 admission -> S1 attack surface -> S2 semantic lanes -> S3 merge -> S4 probing -> S5 findings

TriLane turns one natural-language objective into a staged audit cockpit for authorized local labs, internal codebases, training apps, and bug-bounty targets where you have permission to test.

TriLane demo

| Attack-Surface Graph | Six Semantic Lanes | Evidence Ledger | | --- | --- | --- | | Maps routes, code paths, auth boundaries, and reachable surfaces before deep auditing. | Splits review across identity/auth, injection, ingress/files/SSRF, business logic, config/secrets/crypto, and edge coverage. | Merges duplicate claims into adjudicated findings with severity, evidence, payloads, and code paths. |

Quick Start

Run without a global install:

npx trilane@latest app

Or install and launch the desktop app:

npm install -g trilane
trilane doctor
trilane app

Then choose Safe or Lab mode and describe the authorized target:

Penetration test juice-shop, source code is in ~/juice-shop, service is running on localhost:3000. If not, use colima or start the service directly

Why TriLane?

Free-form AI security agents can drift. TriLane makes the audit state explicit: surfaces are inventoried, lane outputs are merged, risky probes are gated by mode, and final findings are deduplicated before export.

0.2.0 update: TriLane's workflow has been substantially optimized with stronger source scanning, leaner candidate generation, and cleaner PoC-bundle export. In our Juice Shop regression runs, the new pipeline is faster, uses fewer model tokens, and produces higher-quality replayable PoCs than the previous release.

TriLane screenshot

What TriLane Does

  • Builds an attack-surface graph before deep auditing.
  • Runs a six-lane semantic audit across identity/auth, injection/client-side sinks, ingress/files/SSRF, business logic, configuration/secrets/crypto, and edge-surface coverage.
  • Tracks Scan, Agent, Findings, and Config state in a desktop GUI.
  • Probes high-signal variants in Lab Mode when the target is explicitly authorized.
  • Deduplicates final findings with severity, evidence, payloads, code paths, and report export.
  • Archives run transcripts under ~/.trilane/transcripts for regression analysis.

Modes

Safe Mode is the default. It is intended for exploration and lower-risk review.

Lab Mode grants the agent broader local filesystem and command execution access for the active target. Use it only on systems you own, operate, or are explicitly authorized to test.

npm Package Status

The npm package includes a prebuilt macOS Apple Silicon app bundle so the Dock/Finder icon matches the TriLane brand. Other platforms can still run TriLane from source, or set TRILANE_BIN to a locally built binary:

TRILANE_BIN=/path/to/trilane-gui npx trilane app

Build From Source

Requirements:

  • Node.js 20 or newer
  • Rust toolchain from trilane-rs/rust-toolchain.toml
  • macOS for the current desktop build path
Build the frontend:
cd trilane-rs/trilane-gui/frontend
npm install
npm run build

Build and run the desktop binary:

cd ../../
cargo build -p trilane-gui --release
./target/release/trilane-gui

Safety

TriLane is a dual-use security tool. Do not use it against systems where you lack permission. See SECURITY.md for responsible-use boundaries, reporting guidance, and Lab Mode warnings.

License

TriLane is licensed under the Apache License 2.0. Portions of the Rust workspace are derived from the OpenAI Codex project and retain their original Apache-2.0 notices.

๐Ÿ”— More in this category

ยฉ 2026 GitRepoTrend ยท xyun92/trilane ยท Updated daily from GitHub