whatisgithub

What is tsunami-security-scanner?

google/tsunami-security-scanner — explained in plain English

Analysis updated 2026-06-24

8,568JavaAudience · ops devopsComplexity · 4/5LicenseSetup · hard

In one sentence

Tsunami is an open-source network security scanner from Google that automatically checks networks for serious vulnerabilities, designed to produce high-confidence results with few false alarms and extended through a plugin system.

Mindmap

mindmap
  root((repo))
    What It Does
      Scan for vulnerabilities
      High confidence results
      Few false alarms
    Architecture
      Plugin system
      Extensible core
      Companion plugin repo
    Use Cases
      Network audits
      CVE detection
      Infrastructure scanning
    Audience
      Security engineers
      DevOps teams
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Scan your company's internal network for high-severity vulnerabilities like exposed admin panels or unpatched services

USE CASE 2

Add a custom vulnerability detection plugin for a new CVE without modifying the scanner's core code

USE CASE 3

Run automated security checks on infrastructure as part of a scheduled audit or CI/CD security gate

USE CASE 4

Extend Tsunami with plugins from the companion repository to detect a broader set of known vulnerabilities

What is it built with?

Java

How does it compare?

google/tsunami-security-scannerairbnb/epoxydropwizard/dropwizard
Stars8,5688,5608,578
LanguageJavaJavaJava
Setup difficultyhardmoderatemoderate
Complexity4/53/53/5
Audienceops devopsdeveloperdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · hard Time to first run · 1h+

Requires Java build tooling, the README is sparse and full setup instructions live on the external documentation site.

Free to use, modify, and distribute for any purpose including commercial use, as long as you include the Apache 2.0 license and copyright notice.

So what is it?

Tsunami is an open-source network security scanner released by Google. Its job is to automatically check a network for serious security vulnerabilities, with a focus on finding real problems rather than generating large numbers of false alarms. The design goal is high confidence: when Tsunami reports a vulnerability, it is very likely to be a genuine issue. The scanner is built around a plugin system. The core of Tsunami handles the general work of scanning a network, while specific vulnerability checks are packaged as separate plugins. This means the scanner can be extended to detect new vulnerabilities by adding plugins without changing the core code. All publicly available plugins live in a companion repository on GitHub. The project is written in Java and released under the Apache 2.0 open-source license. Google notes that Tsunami is not an official Google product, meaning it is a research and engineering project shared with the community rather than a supported commercial offering. The README is sparse and points readers to the external documentation site for instructions on how to build, run, and contribute to the project. Details about specific vulnerability detections, plugin development, and deployment are covered there rather than in the repository itself.

Copy-paste prompts

Prompt 1
Show me how to build Tsunami from source using Maven and run it against a target IP to get a vulnerability report
Prompt 2
Walk me through writing a Tsunami plugin in Java that checks whether a specific HTTP endpoint is publicly accessible without authentication
Prompt 3
How do I configure Tsunami to run only a specific subset of plugins and output the results as JSON?
Prompt 4
Explain the Tsunami plugin architecture, how does the core scanner discover and hand off work to individual vulnerability detection plugins?
Prompt 5
How do I add the Tsunami companion plugin repository as a dependency and enable all available vulnerability checks?

Frequently asked questions

What is tsunami-security-scanner?

Tsunami is an open-source network security scanner from Google that automatically checks networks for serious vulnerabilities, designed to produce high-confidence results with few false alarms and extended through a plugin system.

What language is tsunami-security-scanner written in?

Mainly Java. The stack also includes Java.

What license does tsunami-security-scanner use?

Free to use, modify, and distribute for any purpose including commercial use, as long as you include the Apache 2.0 license and copyright notice.

How hard is tsunami-security-scanner to set up?

Setup difficulty is rated hard, with roughly 1h+ to a first successful run.

Who is tsunami-security-scanner for?

Mainly ops devops.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.