Tien

Passive Security CLI

100% passive. 0% exploitation.

100% Passive Security Audits for Repos + URLs

Tien finds secrets, vulnerable deps, insecure patterns, and web misconfigs without active exploitation. JS/TS first, deterministic by design.

Install & RunView on GitHub
Passive-onlyLocal-firstOpen SourceSARIF-ready
Repo ScanReport / PlotURL Scan

Tri-beam scanner: repo + URL inputs, merged into a single report.

Momentum

Investor-grade visibility without risky traffic.

Confidence signals for security leaders, compliance teams, and DevSecOps.

Security Teams
Open-source Maintainers
CI/CD Pipelines
AppSec Leads
DevSecOps
Compliance
Platform Teams
Security Researchers
Security Teams
Open-source Maintainers
CI/CD Pipelines
AppSec Leads
DevSecOps
Compliance
Platform Teams
Security Researchers
0%

Passive by design

0

Active probes

0

Pipeline stages

0

Audit engines

Trust by clarity

Passive-only, local-first, and transparent about limits.

No hidden crawling. No credential stuffing. No exploit payloads.

What it does

  • - Reads repo files and dependency metadata
  • - Fetches passive URL signals (headers, TLS, policies)
  • - Emits SARIF and deterministic artifacts

What it never does

  • - No exploitation or fuzzing
  • - No intrusive crawling or active probing
  • - No data exfiltration or mutation

Features

Focused checks with a disciplined pipeline.

Tien blends well-known engines with a deterministic CLI pipeline.

Repo Scan

Secrets + deps + patterns with JS/TS focus. All passive, no exploitation.

  • - Gitleaks
  • - OSV SCA
  • - Semgrep SAST

URL Scan (Passive)

No crawling or exploitation. Strictly reads config and surface metadata.

  • - TLS
  • - Headers + Cookies
  • - CORS + security.txt
  • - Mixed Content

Pipeline UX

scan -> merge -> report -> plot with stdin/stdout friendly, deterministic output.

  • - Portable artifacts
  • - Diffable outputs
  • - CI-safe

Product moat

Designed for disciplined security teams.

Local-first architecture with deterministic artifacts and export-ready reporting.

Reproducible

Deterministic output

Stable artifacts for diffing, versioning, and audit trails across CI runs.

Privacy

Local-first

Runs without shipping code to remote services. Keep sensitive repos on-device.

Interoperable

SARIF-ready

Report outputs designed to integrate with code scanning dashboards.

Unified

Multi-input merge

Unifies repo + URL scans into a single artifact for portfolio reporting.

CI-ready

Pipeline automation

Chain commands in CI for repeatable scans, diffs, and compliance evidence.

Reporting

Readable artifacts

GOB, JSONL, SARIF, and HTML outputs built for security stakeholders.

Install

Install Tien, then run the pipeline.

Release binaries, Go, Homebrew, or npm wrapper. All passive-only.

Release binaries

Releases

Download the latest binary directly. Checksums included.

Terminal
curl -L -o tien https://github.com/seibel777/tien.app/releases/latest/download/tien_linux_amd64chmod +x tien./tien --help # macOS arm64curl -L -o tien https://github.com/seibel777/tien.app/releases/latest/download/tien_darwin_arm64chmod +x tien./tien --help

Go install

Install from source via Go tooling.

Terminal
tien --help

Homebrew

Formula template: Formula/tien.rb

Terminal
brew tap seibel777/tien.app https://github.com/seibel777/tien.appbrew install tien

npm wrapper (planned)

Wrapper lives in packages/npm and downloads the binary on postinstall. Package not yet published.

Terminal
npm version 0.1.0npm publish --access public

Pipeline demo

Terminal
cat targets.txt | tien scan url --format gob > url.tientien merge repo.tien url.tien > all.tientien report --type sarif all.tien > tien.sariftien plot all.tien > report.html

Passive by design

Every command is read-only. Tien never mutates targets, never submits payloads, and never attacks endpoints.

Tip: keep artifacts in CI to diff results over time.

Resources

Docs, security, releases, and examples.

Everything linked to the repo for real usage.

Docs and flags

Start with the docs, then use built-in help for each command.

Docs indexMain README
Terminal
tien scan url --helptien scan repo --helptien report --helptien plot --helptien diff --helptien merge --helptien encode --helptien history --helptien hybrid --help

License and security

Open source policies and coordinated disclosure.

LICENSESECURITY.mdCONTRIBUTING.md

Releases and checksums

Releases

Each release ships *.sha256 files plus a combined checksums.txt.

CHANGELOG.md
Terminal
sha256sum -c tien_linux_amd64.sha256 # macOSshasum -a 256 -c tien_darwin_arm64.sha256

checksums.txt is generated in the release workflow.

Output examples

Sample SARIF and HTML plot in the repo.

report.sarifplot.html
Terminal
./tien plot examples/repo-scan.jsonl > /tmp/report.html

Why passive matters

Safe for CI, safe for prod, still useful.

Passive checks reduce risk while catching real misconfig, supply-chain issues, and insecure patterns.

  • - No destructive behavior or traffic spikes
  • - Deterministic output makes CI diffs reliable
  • - Focuses on exploitable signals, not noise

Warning: Authorization is still required for URL targets.

Roadmap

Tightening the pipeline and widening coverage.

  • - Homebrew tap auto-updates on release tags
  • - NPM wrapper package for npx installs
  • - Release notes automation
  • - Single checksums.txt per release
  • - SBOM generation for artifacts
  • - Artifact signing + provenance (cosign/SLSA)
  • - GitHub Action with SARIF upload
  • - GitLab CI template snippet
  • - Pre-commit hook example
  • - Baseline/ignore file for known findings
  • - Config profiles for local vs CI

FAQ

Straight answers.

If you need active scanning, pair Tien with other tools.

Is this a pentest tool?

No. Tien is passive-only and emits audit signals, not exploitation results.

Can it replace ZAP/Burp?

No. Those are active scanners and proxies. Tien is a safe, passive layer.

Does it run in CI?

Yes. It is deterministic, stdin/stdout friendly, and SARIF-ready.

Does it support other languages?

Planned. JS/TS is first.

Ready to run

Install Tien. Scan without risk.

Open source, local-first, passive-only. No surprise traffic.

Install & RunView on GitHub

Disclaimer: Passive-only audits still require authorization for URL targets.