google/tsunami-security-scanner — explained in plain English
Analysis updated 2026-06-24
Scan your company's internal network for high-severity vulnerabilities like exposed admin panels or unpatched services
Add a custom vulnerability detection plugin for a new CVE without modifying the scanner's core code
Run automated security checks on infrastructure as part of a scheduled audit or CI/CD security gate
Extend Tsunami with plugins from the companion repository to detect a broader set of known vulnerabilities
| google/tsunami-security-scanner | airbnb/epoxy | dropwizard/dropwizard | |
|---|---|---|---|
| Stars | 8,568 | 8,560 | 8,578 |
| Language | Java | Java | Java |
| Setup difficulty | hard | moderate | moderate |
| Complexity | 4/5 | 3/5 | 3/5 |
| Audience | ops devops | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
Requires Java build tooling, the README is sparse and full setup instructions live on the external documentation site.
Tsunami is an open-source network security scanner released by Google. Its job is to automatically check a network for serious security vulnerabilities, with a focus on finding real problems rather than generating large numbers of false alarms. The design goal is high confidence: when Tsunami reports a vulnerability, it is very likely to be a genuine issue. The scanner is built around a plugin system. The core of Tsunami handles the general work of scanning a network, while specific vulnerability checks are packaged as separate plugins. This means the scanner can be extended to detect new vulnerabilities by adding plugins without changing the core code. All publicly available plugins live in a companion repository on GitHub. The project is written in Java and released under the Apache 2.0 open-source license. Google notes that Tsunami is not an official Google product, meaning it is a research and engineering project shared with the community rather than a supported commercial offering. The README is sparse and points readers to the external documentation site for instructions on how to build, run, and contribute to the project. Details about specific vulnerability detections, plugin development, and deployment are covered there rather than in the repository itself.
Tsunami is an open-source network security scanner from Google that automatically checks networks for serious vulnerabilities, designed to produce high-confidence results with few false alarms and extended through a plugin system.
Mainly Java. The stack also includes Java.
Free to use, modify, and distribute for any purpose including commercial use, as long as you include the Apache 2.0 license and copyright notice.
Setup difficulty is rated hard, with roughly 1h+ to a first successful run.
Mainly ops devops.
This repo across BitVibe Labs
Verify against the repo before relying on details.