Trivy plugin for starting an MCP server
Configuration
{
  "mcpServers": {
    "aquasecurity-trivy-mcp": {
      "command": "trivy",
      "args": [
        "mcp"
      ]
    }
  }
}
This MCP server enables Trivy’s security scanning capabilities to be used by any MCP-enabled client, such as IDEs or other tools. It lets you ask in natural language about vulnerabilities, scan local files, container images, or remote repositories, and receive actionable results integrated through standard MCP transports.
Start the MCP server from your Trivy CLI, then connect your MCP client (IDE or tool) to the running server. You can ask questions in natural language like “Are there any vulnerabilities or misconfigurations in this project?” and perform scans across multiple targets (filesystem, container images, and remote repositories). The server also supports optional integration with Aqua Platform for enhanced scanning and policy assurance.
Prerequisites you need before starting:
Step-by-step install and start workflow:
# Install the MCP plugin for Trivy
trivy plugin install mcp
# Start the MCP server
trivy mcp
Allows you to query security aspects in plain language and receive organized results.
Performs security scanning on local project directories to identify vulnerabilities and misconfigurations.
Scans container images for known vulnerabilities and policy compliance.
Analyzes security posture of remote repositories and their dependencies.
Optional integration with Aqua Platform for enhanced scanning capabilities and assurance policy compliance.
Supports multiple transports for MCP: stdio, HTTP streamable, and Server-Sent Events (SSE).
Seamless integration with IDEs like VS Code, Cursor, JetBrains IDEs, and Claude Desktop.