Skip to main content
Glama
deenesjakoruzh

Trivy

Official
by aquasecurity
GitHub
Go
MIT License
22
OverviewInspectNewEndpointsSchemaRelated ServersReviewsScore
Need Help?View Source CodeReport Issue

Trivy MCP Server Plugin

This plugin starts a Model Context Protocol (MCP) server that integrates Trivy's security scanning capabilities with VS Code and other MCP-enabled tools.

Important

This is early stage development of the MCP Server, so you should assume things won't work great for now

Features

  • Natural Language Scanning: Ask questions about security issues in natural language
  • Multiple Scan Types:
    • Filesystem scanning for local projects
    • Container image vulnerability scanning
    • Remote repository security analysis
  • Integration with Aqua Platform: Optional integration with Aqua Security's platform for enhanced scanning capabilities
  • Flexible Transport: Support for both stdio and SSE (Server-Sent Events) transport protocols
  • VS Code Integration: Seamless integration with VS Code's chat interface

Installing the plugin

To install the plugin you can use Trivy's plugin management system

trivy plugin install mcp

The will install the latest version of the plugin

Starting the plugin

You're now ready to start the plugin, this will launch an MCP server that Cursor or VSCode can interact with. For now, the instructions will focus on VSCode

trivy mcp

Available Options

OptionValuesDefaultDescription
--transport / -tsse, stdiostdioTransport protocol for the MCP Server
--port / -p23456Port for SSE transport mode
--trivy-binaryCustom Trivy binary path (optional)
--use-aqua-platform / atrue/falsefalseEnable Aqua Platform integration
--debugtrue/falsefalseEnable debug logging

Authentication

The MCP Server supports integration with Aqua Platform through the auth subcommand:

# Save Aqua Platform credentials trivy mcp auth login --key "YOUR_AQUA_KEY" --secret "YOUR_AQUA_SECRET" --region "YOUR_REGION" # Clear saved credentials trivy mcp auth logout # Verify saved credentials trivy mcp auth status

Available Auth Options

OptionDescription
--keyAqua Platform API key
--secretAqua Platform API secret
--regionAqua Platform region (e.g., 'us-east-1')

After configuring credentials, you can use Aqua Platform features by starting the server with the --use-aqua-platform flag:

trivy mcp --use-aqua-platform

Credentials are securely stored in the platform specific key chain.

Configuring the MCP Server in VSCode

Now, we need to configure the server in VSCode to start using as an agent

Prereqs

  • >= version 1.99.0 of VS Code

Configuring the plugin

You can configure the Trivy mcp to start itself or use the sse http endpoint

Configuring for stdio
  1. In VS Code, press F1
  2. Search for "Preferences: Open User Settings (JSON)"
  3. Find or create the "mcp" block and add a server as below
    "mcp": { "servers": { "Trivy MCP": { "command": "trivy", "args": [ "mcp", "-t", "stdio" ] } } }
  4. When you save, an annotation will appear to Start the server
Configuring for SSE HTTP
  1. Start the MCP Server
    trivy mcp -t sse -p 23456
  2. In VS Code, press F1
  3. Search for "Preferences: Open User Settings (JSON)"
  4. Find or create the "mcp" block and add a server as below
    "mcp": { "servers": { "Trivy SSE": { "type": "sse", "url": "http://localhost:23456/sse" } } }
  5. When you save, an annotation will appear to Start the server

Example Queries

Important

Make sure to use the chat window in Agent mode, not Ask mode

Local Project Analysis

Are there any vulnerabilities or misconfigurations in this project?
Find all HIGH severity vulnerabilities in this codebase
Generate a CycloneDX SBOM for this project

Container Image Scanning

Does the python:3.12 image have any vulnerabilities?
Show me all critical security issues in the nginx:latest image
What are the licenses used by dependencies in the node:18 image?

Repository Analysis

What are the vulnerabilities in github.com/aquasecurity/trivy-ci-test?
Check for misconfigurations in kubernetes/kubernetes repository

Advanced Usage

Scan this project for secrets and license issues only
Generate an SPDX SBOM and show me any dependency vulnerabilities
What security issues were fixed in the latest version of this image?

This server cannot be installed

-
security - not tested
A
license - permissive license
-
quality - not tested

How are these scores calculated?

hybrid server

The server is able to function both locally and remotely, depending on the configuration or use case.

Trivy

  1. Features
    1. Installing the plugin
      1. Starting the plugin
        1. Available Options
      2. Authentication
        1. Available Auth Options
      3. Configuring the MCP Server in VSCode
        1. Prereqs
        2. Configuring the plugin
      4. Example Queries
        1. Local Project Analysis
        2. Container Image Scanning
        3. Repository Analysis
        4. Advanced Usage

      Related MCP Servers

      • Algoliaofficial

        algolia
        -
        security
        A
        license
        -
        quality
        Algolia
        Last updated -
        24
        MIT License
        • Apple

      View all related MCP servers

      New MCP Servers

      MCP directory API

      We provide all the information about MCP servers via our MCP API.

      curl -X GET 'https://glama.ai/api/mcp/v1/servers/aquasecurity/trivy-mcp'

      If you have feedback or need assistance with the MCP directory API, please join our Discord server