This plugin starts a Model Context Protocol (MCP) server that integrates Trivy's security scanning capabilities with VS Code and other MCP-enabled tools.
Important
This is early-stage development of the MCP Server, so you should assume things won't work great for now.
- Natural Language Scanning: Ask questions about security issues in natural language
- Multiple Scan Types:
  - Filesystem scanning for local projects
  - Container image vulnerability scanning
  - Remote repository security analysis
- Integration with Aqua Platform: Optional integration with Aqua Security's platform for enhanced scanning capabilities
- Flexible Transport: Support for both stdio and SSE (Server-Sent Events) transport protocols
- VS Code Integration: Seamless integration with VS Code's chat interface
To install the plugin, use Trivy's plugin management system:

```sh
trivy plugin install mcp
```

This will install the latest version of the plugin.

You're now ready to start the plugin. This launches an MCP server that Cursor or VS Code can interact with. For now, the instructions focus on VS Code.

```sh
trivy mcp
```

| Option | Values | Default | Description |
|---|---|---|---|
| `--transport` / `-t` | `sse`, `stdio` | `stdio` | Transport protocol for the MCP Server |
| `--port` / `-p` | | `23456` | Port for SSE transport mode |
| `--trivy-binary` | | | Custom Trivy binary path (optional) |
| `--use-aqua-platform` / `-a` | `true`/`false` | `false` | Enable Aqua Platform integration |
| `--debug` | `true`/`false` | `false` | Enable debug logging |

The MCP Server supports integration with Aqua Platform through the `auth` subcommand:

```sh
# Save Aqua Platform credentials
trivy mcp auth login --key "YOUR_AQUA_KEY" --secret "YOUR_AQUA_SECRET" --region "YOUR_REGION"

# Clear saved credentials
trivy mcp auth logout

# Verify saved credentials
trivy mcp auth status
```

| Option | Description |
|---|---|
| `--key` | Aqua Platform API key |
| `--secret` | Aqua Platform API secret |
| `--region` | Aqua Platform region (e.g., 'us-east-1') |

After configuring credentials, you can use Aqua Platform features by starting the server with the `--use-aqua-platform` flag:

```sh
trivy mcp --use-aqua-platform
```

Credentials are stored securely in the platform-specific keychain.

Now we need to configure the server in VS Code so that it can be used as an agent.

- VS Code version 1.99.0 or later

You can configure VS Code to start the Trivy MCP server itself (stdio transport) or to connect to the SSE HTTP endpoint.

- In VS Code, press `F1`
- Search for "Preferences: Open User Settings (JSON)"
- Find or create the `"mcp"` block and add a server as below:

  ```json
  "mcp": {
    "servers": {
      "Trivy MCP": {
        "command": "trivy",
        "args": ["mcp", "-t", "stdio"]
      }
    }
  }
  ```

- When you save, an annotation will appear to `Start` the server

- Start the MCP Server:

  ```sh
  trivy mcp -t sse -p 23456
  ```

- In VS Code, press `F1`
- Search for "Preferences: Open User Settings (JSON)"
- Find or create the `"mcp"` block and add a server as below:

  ```json
  "mcp": {
    "servers": {
      "Trivy SSE": {
        "type": "sse",
        "url": "http://localhost:23456/sse"
      }
    }
  }
  ```

- When you save, an annotation will appear to `Start` the server

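
The following Python script is an added example, not part of the Trivy MCP plugin: it lints the `"mcp"` settings block from the two configurations above, flagging SSE entries that use plain HTTP to a non-loopback host and stdio entries that override the scanner with `--trivy-binary`. It assumes the settings file is strict JSON (no comments); the entries `Trivy remote` and `Trivy custom`, their host and path, and the finding labels are constructed for illustration.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample: the page's two entries plus two hypothetical risky ones.
SAMPLE_SETTINGS = """
{
  "mcp": {"servers": {
    "Trivy MCP": {"command": "trivy", "args": ["mcp", "-t", "stdio"]},
    "Trivy SSE": {"type": "sse", "url": "http://localhost:23456/sse"},
    "Trivy remote": {"type": "sse", "url": "http://scanner.example.test:23456/sse"},
    "Trivy custom": {"command": "trivy", "args": ["mcp", "--trivy-binary", "/tmp/trivy"]}
  }}
}
"""

def is_loopback(host):
    """True for 'localhost' or a loopback IP literal (127.0.0.0/8, ::1)."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host or "").is_loopback
    except ValueError:
        return False  # missing host or any other DNS name counts as remote

def trivy_binary_override(args):
    """Return the path given to --trivy-binary (either flag form), else None."""
    for i, arg in enumerate(args):
        if arg.startswith("--trivy-binary="):
            return arg.split("=", 1)[1]
        if arg == "--trivy-binary" and i + 1 < len(args):
            return args[i + 1]
    return None

def audit_mcp_servers(settings_text):
    """Return sorted (server name, finding, detail) tuples for mcp.servers."""
    servers = json.loads(settings_text).get("mcp", {}).get("servers", {})
    findings = []
    for name, cfg in servers.items():
        if cfg.get("type") == "sse":
            url = urlsplit(cfg.get("url", ""))
            # Plain HTTP is acceptable only when traffic never leaves the machine.
            if url.scheme != "https" and not is_loopback(url.hostname):
                findings.append((name, "cleartext-remote-sse", url.hostname))
        elif (path := trivy_binary_override(cfg.get("args", []))):
            # VS Code will execute whatever binary this path points to.
            findings.append((name, "custom-trivy-binary", path))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_mcp_servers(SAMPLE_SETTINGS):
        print(*finding, sep=": ")
```
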
Important

Make sure to use the chat window in `Agent` mode, not `Ask` mode.

Are there any vulnerabilities or misconfigurations in this project?
Find all HIGH severity vulnerabilities in this codebase
Generate a CycloneDX SBOM for this project
Does the python:3.12 image have any vulnerabilities?
Show me all critical security issues in the nginx:latest image
What are the licenses used by dependencies in the node:18 image?
What are the vulnerabilities in github.com/aquasecurity/trivy-ci-test?
Check for misconfigurations in kubernetes/kubernetes repository
Scan this project for secrets and license issues only
Generate an SPDX SBOM and show me any dependency vulnerabilities
What security issues were fixed in the latest version of this image?