Trivy Security Scanner MCP Server

Trivy Security Scanner MCP Server

Provides Trivy security scanning capabilities through a standardized interface, allowing users to scan projects for vulnerabilities and automatically fix them by updating dependencies.

norbinsh

Category.security-and-iam
Developer Tools
Visit Server

README

Trivy Security Scanner MCP Server

A Model Context Protocol (MCP) server that provides Trivy security scanning capabilities through a standardized interface.

⚠️ Note: This is a proof of concept project to demonstrate the integration capabilities between MCP, Cursor IDE, and Trivy. It's intended for experimentation and learning purposes only and is not production-ready. Use at your own risk.

Features

  • 🔍 Project Scanning: Automatically scan your project directory for security vulnerabilities using Trivy
  • 🛠️ Automated Fixes: Automatically update vulnerable dependencies to secure versions
  • 📦 Multi-Package Support: Handles multiple package managers (Python, Node.js, Ruby, Go)

Demo

Demo

Architecture

┌─────────────┐     ┌──────────────┐     ┌─────────────┐
│  Cursor IDE │ --> │   MCP Server │ --> │    Trivy    │
│  (Composer) │     │              │     │             │
└─────────────┘     └──────────────┘     └─────────────┘

Prerequisites

  • Python 3.12 or higher
  • Trivy installed on your system:
    # macOS
brew install trivy

Installation

# Create and activate virtual environment
python -m venv .venv
source .venv/bin/activate

# Install dependencies
pip install -r requirements.txt

Usage

Start the server using SSE transport:

# Using SSE transport (default)
python server.py --transport sse --port 54321

The server exposes two tools:

  1. scan_project: Scans a directory for security vulnerabilities

    • Required argument: workspace - The directory path to scan

  2. fix_vulnerability: Updates a vulnerable package to a secure version

    • Required arguments:
      • workspace - The directory to modify
      • pkg_name - Name of the package to update
      • target_version - Version to update to

Using with Cursor IDE

  1. Start the server with SSE transport:

    python server.py --transport sse --port 54321

  2. Configure in Cursor:

    • Open Settings
    • Go to Features > MCP Servers
    • Add: http://127.0.0.1:54321/sse

  3. Add the following to your .cursorrules file, create it if you don't have one yet:

    After making changes in any of the package dependency/manifest files, scan the project for security vulnerabilities.
Fixes should only be according to the desired version reported by the scanner.
If the scanner reports a fix unrelated to our change, ignore it.
After performing the fix, scan the project for security vulnerabilities again.

    This configuration will:

    • Automatically trigger a security scan when any dependency file is modified
    • Help identify vulnerabilities as soon as new dependencies are added
    • Ensure your project stays secure throughout development

    if you want to use the tool manually, you can use prompt the agent to use the tool with the following prompt through the composer interface:

    Please scan my project for security vulnerabilities

Why MCP?

MCP (Model Context Protocol) exists to solve a fundamental problem in working with large language models (LLMs): how to efficiently and consistently connect these models to external data sources and tools.

Learn more at modelcontextprotocol.io.

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

License

MIT License

Acknowledgments

Recommended Servers

playwright-mcp

playwright-mcp

A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.

Official
Featured
TypeScript
Magic Component Platform (MCP)

Magic Component Platform (MCP)

An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.

Official
Featured
Local
TypeScript
MCP Package Docs Server

MCP Package Docs Server

Facilitates LLMs to efficiently access and fetch structured documentation for packages in Go, Python, and NPM, enhancing software development with multi-language support and performance optimization.

Featured
Local
TypeScript
Claude Code MCP

Claude Code MCP

An implementation of Claude Code as a Model Context Protocol server that enables using Claude's software engineering capabilities (code generation, editing, reviewing, and file operations) through the standardized MCP interface.

Featured
Local
JavaScript
@kazuph/mcp-taskmanager

@kazuph/mcp-taskmanager

Model Context Protocol server for Task Management. This allows Claude Desktop (or any MCP client) to manage and execute tasks in a queue-based system.

Featured
Local
JavaScript
Linear MCP Server

Linear MCP Server

Enables interaction with Linear's API for managing issues, teams, and projects programmatically through the Model Context Protocol.

Featured
JavaScript
mermaid-mcp-server

mermaid-mcp-server

A Model Context Protocol (MCP) server that converts Mermaid diagrams to PNG images.

Featured
JavaScript
Jira-Context-MCP

Jira-Context-MCP

MCP server to provide Jira Tickets information to AI coding agents like Cursor

Featured
TypeScript
Linear MCP Server

Linear MCP Server

A Model Context Protocol server that integrates with Linear's issue tracking system, allowing LLMs to create, update, search, and comment on Linear issues through natural language interactions.

Featured
JavaScript
VirusTotal MCP Server

VirusTotal MCP Server

A MCP server for querying the VirusTotal API. This server provides tools for scanning URLs, analyzing file hashes, and retrieving IP address reports.

Featured
TypeScript