Trivy Security Scanner MCP server

Integrates with Trivy to provide vulnerability scanning and automated remediation for projects across multiple programming languages and package managers.
Provider
Shay Elmualem
Release date
Feb 19, 2025
Language
Python
Stats
8 stars

The MCP Trivy Security Scanner server enables scanning your projects for security vulnerabilities and automated fixing of dependencies through a standardized interface that integrates with Cursor IDE. This server bridges the gap between your development environment and the powerful Trivy security scanner.

Prerequisites

  • Python 3.12 or higher
  • Trivy installed on your system:
    # macOS
    brew install trivy

Installation

Set up your environment with these commands:

# Create and activate virtual environment
python -m venv .venv
source .venv/bin/activate

# Install dependencies
pip install -r requirements.txt

Running the Server

Start the server using the SSE transport method:

# Using SSE transport (default)
python server.py --transport sse --port 54321

Available Tools

The server provides two main tools:

Scan Project

Scans a directory for security vulnerabilities.

Required parameter:

  • workspace: The directory path to scan

Fix Vulnerability

Updates a vulnerable package to a secure version.

Required parameters:

  • workspace: The directory to modify
  • pkg_name: Name of the package to update
  • target_version: Version to update to
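The two tools above map onto two operations: run Trivy over a workspace and parse its report, then rewrite a dependency pin to the fixed version the scanner reported. The following Python is an added illustration, not the server's own code; it assumes Trivy's `--format json` report layout (Results[].Vulnerabilities[] with PkgName, InstalledVersion and FixedVersion), a requirements.txt-style manifest, and a constructed sample report with placeholder vulnerability IDs. It also enforces the guard the .cursorrules text below asks for: a fix is accepted only when target_version is one of the versions Trivy itself reported as fixed.

```python
"""Added example (not the project's own code): Scan Project and Fix Vulnerability
sketched over Trivy's JSON report. Field names follow `trivy fs --format json`;
the sample report and requirements file below are constructed for the example."""
import json
import re
import subprocess
from dataclasses import dataclass
from pathlib import Path

# Constructed sample report, trimmed to the fields used here; IDs are placeholders.
SAMPLE_TRIVY_REPORT = json.dumps({
    "Results": [{
        "Target": "requirements.txt",
        "Type": "pip",
        "Vulnerabilities": [
            {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "requests",
             "InstalledVersion": "2.25.0", "FixedVersion": "2.31.0", "Severity": "HIGH"},
            {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "urllib3",
             "InstalledVersion": "1.26.4", "FixedVersion": "1.26.18, 2.0.7", "Severity": "HIGH"},
            {"VulnerabilityID": "EXAMPLE-0003", "PkgName": "legacy-lib",
             "InstalledVersion": "0.9", "FixedVersion": "", "Severity": "MEDIUM"},
        ],
    }],
})

# Constructed manifest matching the sample report.
SAMPLE_REQUIREMENTS = "requests==2.25.0\nurllib3[socks]==1.26.4  # pinned\nlegacy-lib==0.9\n"


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    target: str
    pkg_name: str
    installed: str
    fixed_versions: tuple[str, ...]  # empty when the advisory has no fix yet
    severity: str


def parse_trivy_report(report_json: str) -> list[Finding]:
    """Flatten Results[].Vulnerabilities[] into Finding records.
    Trivy lists several fixed versions (one per release line) comma-separated."""
    findings = []
    for result in json.loads(report_json).get("Results") or []:
        for v in result.get("Vulnerabilities") or []:
            fixed = tuple(s.strip() for s in v.get("FixedVersion", "").split(",") if s.strip())
            findings.append(Finding(v["VulnerabilityID"], result["Target"], v["PkgName"],
                                    v["InstalledVersion"], fixed, v.get("Severity", "UNKNOWN")))
    return findings


def scan_project(workspace: Path) -> list[Finding]:
    """Scan Project: run Trivy's filesystem scanner in JSON mode (needs trivy on PATH)."""
    proc = subprocess.run(["trivy", "fs", "--format", "json", "--quiet", str(workspace)],
                          capture_output=True, text=True, check=True)
    return parse_trivy_report(proc.stdout)


def update_pin(requirements_text: str, pkg_name: str, target_version: str) -> str:
    """Rewrite `pkg==old` to `pkg==target_version`, keeping extras and trailing comments."""
    pattern = re.compile(
        rf"^(?P<lhs>[ \t]*{re.escape(pkg_name)}(?:\[[^\]]*\])?[ \t]*==[ \t]*)[^\s;#]+",
        re.IGNORECASE | re.MULTILINE)
    new_text, count = pattern.subn(lambda m: m.group("lhs") + target_version, requirements_text)
    if count == 0:
        raise ValueError(f"{pkg_name} is not pinned with == in the requirements file")
    return new_text


def fix_vulnerability(findings: list[Finding], requirements_text: str,
                      pkg_name: str, target_version: str) -> str:
    """Fix Vulnerability, guarded so only a scanner-reported fixed version is applied;
    a package with no fix yet, or an arbitrary version, is refused rather than pinned."""
    reported = {ver for f in findings if f.pkg_name.lower() == pkg_name.lower()
                for ver in f.fixed_versions}
    if target_version not in reported:
        raise ValueError(f"{target_version} is not a fixed version Trivy reported for "
                         f"{pkg_name}; reported: {sorted(reported)}")
    return update_pin(requirements_text, pkg_name, target_version)


if __name__ == "__main__":
    found = parse_trivy_report(SAMPLE_TRIVY_REPORT)
    for f in found:
        print(f.vuln_id, f.pkg_name, f.installed, "->", ", ".join(f.fixed_versions) or "no fix yet")
    print(fix_vulnerability(found, SAMPLE_REQUIREMENTS, "requests", "2.31.0"))
```

Only scan_project shells out to Trivy; parse_trivy_report and fix_vulnerability work on in-memory data, which is what lets the version guard be checked without a live scan. Package-name matching here is a plain case-insensitive compare; a production version would normalise names the way pip does (dashes, underscores and dots treated alike).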

Integration with Cursor IDE

Setup

  1. Start the MCP server:

    python server.py --transport sse --port 54321
  2. Configure the connection in Cursor IDE:

    • Open Settings
    • Navigate to Features > MCP Servers
    • Add the server URL: http://127.0.0.1:54321/sse

Configuration

Create or update your .cursorrules file with the following instructions:

After making changes in any of the package dependency/manifest files, scan the project for security vulnerabilities.
Fixes should only be according to the desired version reported by the scanner.
If the scanner reports a fix unrelated to our change, ignore it.
After performing the fix, scan the project for security vulnerabilities again.

This configuration will:

  • Trigger security scans automatically when dependency files change
  • Help identify vulnerabilities when new dependencies are added
  • Keep your project secure throughout development

Manual Usage

You can manually trigger a scan by prompting the agent through the composer interface:

Please scan my project for security vulnerabilities

Features

  • Project Scanning: Automatically scan your project directory for vulnerabilities
  • Automated Fixes: Update vulnerable dependencies to secure versions
  • Multi-Package Support: Works with Python, Node.js, Ruby, and Go packages

How to add this MCP server to Cursor

There are two ways to add an MCP server to Cursor. The most common way is to add the server globally in the ~/.cursor/mcp.json file so that it is available in all of your projects.

If you only need the server in a single project, you can add it to that project instead by creating a .cursor/mcp.json file there, or by adding the server to the existing one.

Adding an MCP server to Cursor globally

To add a global MCP server go to Cursor Settings > MCP and click "Add new global MCP server".

When you click that button, the ~/.cursor/mcp.json file is opened and you can add your server like this:

{
    "mcpServers": {
        "cursor-rules-mcp": {
            "command": "npx",
            "args": [
                "-y",
                "cursor-rules-mcp"
            ]
        }
    }
}

Adding an MCP server to a project

To add an MCP server to a project you can create a new .cursor/mcp.json file or add it to the existing one. This will look exactly the same as the global MCP server example above.

How to use the MCP server

Once the server is installed, you might need to head back to Settings > MCP and click the refresh button.

The Cursor agent will then be able to see the tools the added MCP server makes available and will call them when it needs to.

You can also explicitly ask the agent to use a tool by mentioning the tool name and describing what it does.
