
Trivy MCP Server

Provides Trivy-based security scanning and automated fixes for multiple package managers via MCP

Installation
Add the following to your MCP client configuration file.

Configuration

{
    "mcpServers": {
        "trivy_http": {
            "url": "http://127.0.0.1:54321/sse"
        }
    }
}

You can run a Python-based MCP server that uses Trivy to scan your projects for security vulnerabilities and automatically apply safe fixes. This MCP server exposes two tools for scanning and patching, and it integrates with Cursor IDE to streamline security checks as you work.

How to use

You interact with the Trivy MCP Server through an MCP client. The server offers two main tools: scan_project and fix_vulnerability. Use scan_project to scan a workspace directory for vulnerabilities, and use fix_vulnerability to update a vulnerable package to a secure version. Start by connecting your MCP client to the server transport you prefer, then run the available tools to manage your project’s security posture.

Practical usage patterns you can follow:

  • Start the server and connect your MCP client via the SSE transport on port 54321.
  • Use scan_project to analyze a specific workspace when you begin work on a project or after dependency changes.
  • If the scanner reports a vulnerability with a safe target version, run fix_vulnerability to apply the update in your project and re-scan to verify the fix.

How to install

Prerequisites you need before installation:

  • Python 3.12 or higher
  • Trivy installed on your system
  • A development environment where you can create and activate a Python virtual environment

# Create and activate virtual environment
python -m venv .venv
source .venv/bin/activate

# Install dependencies
pip install -r requirements.txt

Start the server using the SSE transport on port 54321. This establishes the MCP connection for your client.

python server.py --transport sse --port 54321

Additional notes

The MCP server includes two explicit endpoints for interaction:

  • HTTP endpoint: http://127.0.0.1:54321/sse for clients configured to connect over HTTP
  • STDIO startup: you can run the server locally with the Python command shown above, which uses the standard I/O transport

There are two tools exposed by the server:

  • scan_project: scans a directory for security vulnerabilities
  • fix_vulnerability: updates a vulnerable package to a secure version

No environment variables are required by default, but you can add them if you need to customize behavior or integration.

Tools and endpoints

The server provides two tools to manage security checks during development.

  • scan_project: Scans a directory for security vulnerabilities. Required argument: workspace - the directory path to scan
  • fix_vulnerability: Updates a vulnerable package to a secure version. Required arguments: workspace, pkg_name, target_version
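The two tools modelled end to end, as an added example that is not the project's own code: scan_project reads Trivy's JSON report format (Results[].Vulnerabilities[] with PkgName, InstalledVersion and FixedVersion) and derives a safe fix target only where Trivy lists a fixed version, and fix_vulnerability re-pins the package in requirements.txt. The `trivy fs --format json --scanners vuln` invocation, the requirements.txt layout and the embedded sample report are assumptions; the report's vulnerability IDs are placeholders.

```python
import json
import re
import shutil
import subprocess
from pathlib import Path

# Constructed Trivy-style JSON report; the IDs are placeholders, not real advisories.
SAMPLE_REPORT = {"Results": [{"Target": "requirements.txt", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "requests", "Severity": "HIGH",
     "InstalledVersion": "2.25.0", "FixedVersion": "2.31.0"},
    {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "oldlib", "Severity": "MEDIUM",
     "InstalledVersion": "1.0.0", "FixedVersion": ""},   # no fix published: report only
]}]}


def scan_project(workspace, report=None):
    """Scan `workspace` with `trivy fs --format json` (or parse a report passed in)
    and return one finding per vulnerability, with a safe fix target when one exists."""
    if report is None:
        if shutil.which("trivy") is None:
            raise RuntimeError("trivy binary not found on PATH")
        proc = subprocess.run(["trivy", "fs", "--format", "json", "--scanners", "vuln",
                               workspace], capture_output=True, text=True, check=True)
        report = json.loads(proc.stdout)
    findings = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:   # key is null when a target is clean
            fixed = v.get("FixedVersion") or ""
            findings.append({
                "id": v["VulnerabilityID"], "pkg": v["PkgName"], "severity": v.get("Severity"),
                "installed": v["InstalledVersion"], "target": result.get("Target"),
                # Trivy may list several fixed versions ("2.31.0, 3.0.0"); the first is the
                # smallest upgrade. None means report only, never an automatic fix.
                "fix_target": fixed.split(",")[0].strip() or None,
            })
    return findings


def fix_vulnerability(workspace, pkg_name, target_version):
    """Re-pin `pkg_name` in <workspace>/requirements.txt to `target_version`.
    Returns False and leaves the file untouched when the package is not pinned there."""
    req = Path(workspace) / "requirements.txt"
    pin = re.compile(rf"^(\s*{re.escape(pkg_name)}\s*==\s*)\S+", re.IGNORECASE | re.MULTILINE)
    new_text, count = pin.subn(rf"\g<1>{target_version}", req.read_text())
    if count == 0:
        return False
    req.write_text(new_text)
    return True
```

After applying a fix, re-run scan_project on the same workspace so the updated pin is verified against a fresh Trivy report rather than trusted blindly.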

Available tools

scan_project

Scans a directory for security vulnerabilities and reports issues found by Trivy.

fix_vulnerability

Updates a vulnerable package to a secure version based on the scanner's recommendations.