CI/CD Security Scanning Platform - Feature Documentation The CI/CD Security Scanning Platform is a comprehensive enterprise security solution providing 406 MCP tools across 58 functional categories . This platform integrates vulnerability scanning, code quality analysis, software composition analysis, compliance reporting, policy enforcement, AI-powered analysis, container security, multi-cloud security, GitOps integration, and zero-trust security into a unified security automation framework.
Platform Version: 1.31.0
Category Group
Tools
Description
Core Scanning 37
Trivy, SonarQube, Dependency-Track scanning
DevOps Integration 21
Gitea, Drone CI, registry scanning
Security Operations 30
Dashboard, SARIF, scheduler, remediation
Enterprise Security 45
SSO, RBAC, API keys, teams, audit
Analytics & Reporting 35
Dashboard, trends, risk, reports, export
Compliance & Governance 22
Frameworks, governance, evidence, SLA
Notifications & Alerts 17
Channels, rules, escalation, webhooks
Container Security 41
K8s, runtime, signing, supply chain
AI-Powered Security 26
AI analysis, threat intel, NL queries
Infrastructure 22
Cache, metrics, scan history, assets
Multi-Cloud Security 16
AWS, Azure, GCP scanning
Enterprise Scale 30
HA, backup, quotas, performance
GitOps & Zero-Trust 64
GitOps, Zero-Trust, Service Mesh, API Security, K8s Operators, SIEM
Total: 406 MCP Tools
Enterprise Authentication : SAML/OIDC SSO, RBAC, API key managementAI-Powered Analysis : Claude-based vulnerability analysis and insightsContainer Security : Kubernetes, runtime monitoring, image signingThreat Intelligence : CVE enrichment, threat feeds, IOC managementCompliance Automation : SOC2, HIPAA, PCI-DSS, CIS, NIST frameworksNatural Language Queries : Ask security questions in plain EnglishMulti-Cloud Security : AWS ECR/ECS/Lambda, Azure ACR/AKS, GCP GCR/GKE (v1.30.0)High Availability : Cluster management, failover, split-brain detection (v1.30.0)Backup & DR : Automated backups, scheduling, offsite export (v1.30.0)Resource Quotas : Usage limits, breach tracking, alerts (v1.30.0)Performance Optimization : Metrics, slow query analysis, index suggestions (v1.30.0)GitOps Integration : ArgoCD/Flux security gates, drift detection (v1.31.0)Zero-Trust Security : Sigstore/cosign, SLSA provenance, attestations (v1.31.0)Service Mesh Security : Istio/Linkerd/Cilium mTLS, authorization policies (v1.31.0)API Security Gateway : OpenAPI/GraphQL scanning, OWASP API Top 10 (v1.31.0)K8s Operators Security : CRD validation, RBAC analysis, webhook auditing (v1.31.0)Audit/SIEM Integration : Splunk, Elasticsearch, Azure Sentinel forwarding (v1.31.0)
Vulnerability Scanning (Trivy) Code Quality Analysis (SonarQube) Software Composition Analysis (Dependency-Track) Source Control (Gitea) CI/CD Automation (Drone) Container Registry Scanning Security Dashboard SARIF Reporting Scheduled Scanning Remediation Engine Compliance Reporting OPA/Rego Policy Engine Offline Vulnerability Database Distributed Caching Architecture Overview Integration Patterns
1. Vulnerability Scanning (Trivy) Trivy integration provides comprehensive security scanning for containers, filesystems, IaC configurations, secrets, and licenses. The platform supports both online (Trivy server) and offline scanning modes.
Tool
Description
trivy_scan_pathScan local filesystem for vulnerabilities
trivy_scan_imageScan Docker image for vulnerabilities
trivy_generate_sbomGenerate SBOM for local path (CycloneDX/SPDX)
trivy_generate_sbom_imageGenerate SBOM for Docker image
trivy_scan_iacScan IaC files (Terraform, K8s, Docker, CloudFormation)
trivy_scan_secretsScan local path for hardcoded secrets
trivy_scan_secrets_imageScan Docker image for hardcoded secrets
trivy_scan_licensesScan local path for license information
trivy_scan_licenses_imageScan Docker image for licenses
trivy_scan_image_fullComprehensive image scan (vulns + secrets + licenses + SBOM)
trivy_scan_path_fullComprehensive path scan (vulns + secrets + licenses + IaC + SBOM)
+------------------+ +------------------+ +------------------+
| Path Scanning | | Image Scanning | | IaC Scanning |
+------------------+ +------------------+ +------------------+
| | | | | |
| - Dependencies | | - OS Packages | | - Terraform |
| - package.json | | - App Deps | | - Kubernetes |
| - requirements | | - Base Image | | - Dockerfiles |
| - go.mod | | - Multi-stage | | - CloudFormation |
+------------------+ +------------------+ +------------------+
Pre-commit Scanning : Scan code before pushing to repositoryCI Pipeline Gate : Block builds with critical vulnerabilitiesContainer Registry Audit : Scan all images in registryIaC Security Review : Validate infrastructure configurations
{
"tool" : " trivy_scan_image_full" "input" : {
"image" : " nginx:1.25" "severity" : " HIGH,CRITICAL" "sbomFormat" : " cyclonedx" // Response includes:
// - vulnerabilities: Full CVE list
// - secrets: Hardcoded credentials
// - licenses: License information
// - sbom: CycloneDX SBOM 2. Code Quality Analysis (SonarQube) SonarQube integration provides static application security testing (SAST), code quality metrics, and security hotspot detection for continuous code inspection.
Tool
Description
sonar_list_projectsList all analyzed projects
sonar_get_issuesGet bugs, vulnerabilities, code smells
sonar_get_security_hotspotsGet security hotspots requiring review
sonar_get_metricsGet quality metrics (coverage, duplication, etc.)
Bugs : Code defects that may cause runtime failuresVulnerabilities : Security issues in codeCode Smells : Maintainability issuesCoverage : Test coverage percentageDuplicated Lines : Code duplication metricsSecurity Hotspots : Areas requiring security review
Example: Get Project Issues {
"tool" : " sonar_get_issues" "input" : {
"projectKey" : " ci-co" "types" : " VULNERABILITY,BUG" 3. Software Composition Analysis (Dependency-Track) Dependency-Track integration provides software composition analysis (SCA) with continuous monitoring of component vulnerabilities and license compliance.
Tool
Description
dtrack_list_projectsList all Dependency-Track projects
dtrack_get_vulnerabilitiesGet vulnerabilities for project
dtrack_get_findingsGet detailed security findings
dtrack_get_componentsList all components/dependencies
dtrack_upload_sbomUpload SBOM for analysis
Generate SBOM (trivy_generate_sbom)
|
v
Upload to D-Track (dtrack_upload_sbom)
|
v
Continuous Monitoring
|
v
Get Findings (dtrack_get_findings)
4. Source Control (Gitea) Gitea integration provides Git repository management including repository creation, branch management, and commit history.
Tool
Description
gitea_list_reposList all repositories
gitea_get_repoGet repository details
gitea_get_branchesList branches
gitea_get_commitsGet commit history
gitea_create_repoCreate new repository
gitea_migrate_repoMigrate from GitHub
5. CI/CD Automation (Drone) Drone CI integration enables pipeline management, build triggering, and log retrieval for continuous integration and deployment workflows.
Tool
Description
drone_list_reposList synced repositories
drone_get_buildsGet build history
drone_get_buildGet specific build details
drone_get_build_logsGet build step logs
drone_trigger_buildTrigger new build
6. Container Registry Scanning Multi-registry scanning supports Docker Registry, Amazon ECR, Azure ACR, Google GCR, GitHub GHCR, and Harbor with batch scanning capabilities.
Tool
Description
registry_list_imagesList images in registry
registry_get_tagsGet image tags
registry_scanScan registry with filters
registry_detect_typeAuto-detect registry type
registry_configureConfigure registry authentication
registry_list_configsList configured registries
registry_get_configGet registry configuration
registry_remove_configRemove registry configuration
registry_test_connectionTest registry connectivity
registry_scan_multipleScan across multiple registries
Registry
Type
Authentication
Docker Registry
dockerBasic auth
Amazon ECR
ecrAWS credentials
Azure ACR
acrService principal
Google GCR
gcrService account
GitHub GHCR
ghcrPersonal access token
Harbor
harborBasic auth
Example: Multi-Registry Scan {
"tool" : " registry_scan_multiple" "input" : {
"registries" : [" production-ecr" " staging-acr" "includePatterns" : [" **/production-*" "severity" : " CRITICAL" Unified security dashboard aggregating findings from Trivy, SonarQube, and Dependency-Track into a single view.
Tool
Description
security_scan_allRun comprehensive scan using all tools
get_security_dashboardGet unified security dashboard
Dashboard Response Structure {
"summary" : {
"critical" : 5 ,
"high" : 12 ,
"medium" : 45 ,
"low" : 100 ,
"total" : 162
},
"sources" : {
"trivy" : { "vulnerabilities" : 50 , "secrets" : 2 },
"sonarqube" : { "bugs" : 3 , "vulnerabilities" : 5 , "hotspots" : 10 },
"dependencyTrack" : { "findings" : 50 }
},
"findings" : [... ]
} SARIF (Static Analysis Results Interchange Format) support enables integration with GitHub Code Scanning and other SARIF-compatible tools.
Tool
Description
sarif_generateGenerate SARIF report from scan results
sarif_upload_githubUpload SARIF to GitHub Code Scanning
Scan Results --> sarif_generate --> SARIF 2.1.0 JSON
|
v
sarif_upload_github
|
v
GitHub Code Scanning
Security Alerts Tab
Automated security scanning with cron-based scheduling, webhook notifications, and execution history tracking.
Tool
Description
schedule_createCreate scheduled scan job
schedule_listList all scheduled jobs
schedule_getGet schedule details
schedule_updateUpdate schedule configuration
schedule_deleteDelete scheduled job
schedule_triggerManually trigger scan
schedule_historyGet execution history
cron_validateValidate cron expression
scheduler_controlStart/stop scheduler
Alias
Expression
Description
@hourly0 * * * *Every hour
@daily0 0 * * *Every day at midnight
@weekly0 0 * * 0Every Sunday
@monthly0 0 1 * *First of month
Example: Create Nightly Scan {
"tool" : " schedule_create" "input" : {
"name" : " production-nightly" "cron" : " 0 2 * * *" "target" : {
"type" : " image" "value" : " production:latest" "notifications" : {
"webhooks" : [{
"url" : " https://hooks.slack.com/services/xxx" "type" : " slack" Intelligent remediation suggestions with fix commands, priority ranking, and safe upgrade identification.
Tool
Description
generate_remediationsGenerate fix commands for vulnerabilities
get_remediation_summaryGet text summary of remediations
get_remediation_markdownGet Markdown-formatted report
get_high_priority_fixesGet CRITICAL/HIGH severity fixes
get_safe_fixesGet non-breaking upgrades only
npm : npm update, npm audit fixpip : pip install --upgradego : go get -umaven : POM version updatesgradle : Build file updates
{
"tool" : " get_safe_fixes" "input" : {
"image" : " myapp:latest" "excludeBreaking" : true
}
}
// Response
{
"fixes" : [
{
"package" : " lodash" "currentVersion" : " 4.17.20" "fixedVersion" : " 4.17.21" "breaking" : false ,
"command" : " npm update lodash" Map security findings to compliance frameworks with trend tracking and audit-ready HTML reports.
Tool
Description
compliance_get_frameworksList available frameworks
compliance_get_controlsGet framework controls
compliance_check_statusCheck compliance pass/fail
compliance_generate_reportGenerate JSON/HTML report
compliance_trend_recordRecord compliance snapshot
compliance_trend_getGet trends over time
compliance_trend_list_targetsList tracked targets
Framework
Controls
Use Cases
SOC2 6
SaaS providers, cloud services
HIPAA 6
Healthcare, PHI handling
PCI-DSS 6
Payment processing
CIS 5
General security hardening
CVE-2024-1234 (CRITICAL)
|
+--> SOC2 CC7.1 (System Security)
+--> PCI-DSS 6.2 (Secure Development)
+--> HIPAA 164.312(e)(1) (Technical Safeguards)
Example: Generate Compliance Report {
"tool" : " compliance_generate_report" "input" : {
"image" : " production:latest" "frameworks" : [" SOC2" " PCI-DSS" "format" : " html" "title" : " Q4 2024 Compliance Report" "organization" : " Acme Corp" 12. OPA/Rego Policy Engine Open Policy Agent (OPA) integration enables declarative security policies using the Rego policy language for flexible, auditable policy enforcement.
Tool
Description
opa_list_policiesList built-in policies
opa_get_policy_infoGet policy details and Rego source
opa_validate_policyValidate Rego syntax
opa_evaluate_policyEvaluate scan against policy
Policy
Description
Default Thresholds
vulnerability-thresholdEnforce vuln count limits
critical: 0, high: 5
license-complianceBlock forbidden licenses
GPL, AGPL, SSPL
secrets-detectionFail if secrets found
Zero tolerance
container-securityContainer best practices
Root user, privileged
quality-gateCode quality requirements
Coverage > 80%
package security.vulnerability
default allow = false
allow {
input .scan.critical == 0
input .scan.high < = input .thresholds.high
}
violations[msg] {
input .scan.critical > 0
msg := sprintf (" Found %d critical vulnerabilities" input .scan.critical])
}{
"tool" : " opa_evaluate_policy" "input" : {
"image" : " production:latest" "policy" : " vulnerability-threshold" "thresholds" : {
"critical" : 0 ,
"high" : 0 ,
"medium" : 10
}
}
}
// Response
{
"allow" : false ,
"violations" : [
" Found 3 critical vulnerabilities (threshold: 0)" 13. Offline Vulnerability Database Local vulnerability database for air-gapped environments with SQLite storage, Trivy DB synchronization, and offline scanning capabilities.
Tool
Description
vuln_db_syncDownload/update vulnerability database
vuln_db_statusGet database status and statistics
vuln_db_lookupLook up CVE by ID
vuln_db_searchSearch vulnerabilities by criteria
trivy_scan_offlineScan using local database
vuln_db_annotateAnnotate vulnerability status
Metric
Typical Value
Total CVEs
200,000+
Ecosystems
npm, pypi, go, maven, etc.
Database Size
~500MB
Status
Description
activeRequires attention
acknowledgedReviewed, scheduled for fix
false_positiveNot applicable
mitigatedRisk mitigated
Internet Zone: Air-Gapped Zone:
vuln_db_sync vuln_db_status
| |
v v
Export DB ====== Transfer ======> Import
|
v
trivy_scan_offline
|
v
vuln_db_annotate
Redis-backed distributed caching with automatic fallback to in-memory storage when Redis is unavailable. Configurable TTL per scan type enables optimal cache freshness for different data sources.
Tool
Description
cache_initInitialize distributed caching with optional Redis backend
cache_statusGet cache health and connection status
cache_statsGet hit/miss statistics by scan type
cache_clearClear all cached data
cache_invalidateInvalidate cache entries by pattern
cache_configGet current cache configuration
+------------------+ +------------------+
| Cache Request | | Redis Server |
| |---->| (Optional) |
+------------------+ +--------+---------+
|
Connected?
|
+-------------------+-------------------+
| |
v v
+------------------+ +------------------+
| Redis Backend | | Memory Backend |
| (Distributed) | | (In-Process) |
+------------------+ +------------------+
Default TTL Configuration
Scan Type
Default TTL
Description
trivy5 minutes
Container/dependency scans
sonarqube10 minutes
Code quality analysis
dtrack10 minutes
SCA findings
registry30 minutes
Registry image lists
Variable
Description
Default
REDIS_HOSTRedis server hostname
localhost
REDIS_PORTRedis server port
6379
REDIS_PASSWORDRedis authentication
-
REDIS_DBRedis database number
0
REDIS_KEY_PREFIXKey namespace prefix
cicd:
CACHE_TTL_TRIVYTrivy scan TTL (seconds)
300
CACHE_TTL_SONARQUBESonarQube scan TTL
600
CACHE_TTL_DTRACKDependency-Track TTL
600
CACHE_TTL_REGISTRYRegistry scan TTL
1800
Example: Initialize with Redis {
"tool" : " cache_init" "input" : {
"useRedis" : true ,
"config" : {
"host" : " redis.example.com" "port" : 6379 ,
"password" : " secret" "keyPrefix" : " prod:" // Response
{
"success" : true ,
"mode" : " redis" "connected" : true
} Example: Get Cache Statistics {
"tool" : " cache_stats" "input" : {}
}
// Response
{
"trivy" : { "hits" : 150 , "misses" : 25 , "hitRate" : 0.857 },
"sonarqube" : { "hits" : 80 , "misses" : 10 , "hitRate" : 0.889 },
"dtrack" : { "hits" : 45 , "misses" : 5 , "hitRate" : 0.900 },
"registry" : { "hits" : 200 , "misses" : 20 , "hitRate" : 0.909 }
} Example: Invalidate by Pattern {
"tool" : " cache_invalidate" "input" : {
"pattern" : " trivy:production-*" // Response
{
"invalidated" : 15 ,
"pattern" : " trivy:production-*" 15. Architecture Overview +============================================================================+
| CI/CD SECURITY SCANNING PLATFORM |
+============================================================================+
| |
| +----------------------------+ +----------------------------+ |
| | MCP Server | | CICD Agent | |
| | (82 Tools) | | (CLI) | |
| | | | | |
| | - Model Context Protocol | | - Anthropic SDK | |
| | - Claude Code Integration | | - CLI Automation | |
| | - JSON-RPC over stdio | | - GitHub Actions Ready | |
| +-------------+--------------+ +-------------+--------------+ |
| | | |
| +----------------+-------------------+ |
| | |
| v |
| +---------------------------------------------------------------------+ |
| | @cicd/shared LIBRARY | |
| +---------------------------------------------------------------------+ |
| | | |
| | +----------------+ +----------------+ +----------------+ | |
| | | Trivy Engine | | SonarQube | | Dependency- | | |
| | | (11 tools) | | Engine | | Track Engine | | |
| | | | | (4 tools) | | (5 tools) | | |
| | +----------------+ +----------------+ +----------------+ | |
| | | |
| | +----------------+ +----------------+ +----------------+ | |
| | | Registry | | Scheduler | | Compliance | | |
| | | Scanner | | Engine | | Engine | | |
| | | (10 tools) | | (9 tools) | | (7 tools) | | |
| | +----------------+ +----------------+ +----------------+ | |
| | | |
| | +----------------+ +----------------+ +----------------+ | |
| | | OPA/Rego | | Vuln Database | | Remediation | | |
| | | Engine | | Manager | | Engine | | |
| | | (4 tools) | | (6 tools) | | (5 tools) | | |
| | +----------------+ +----------------+ +----------------+ | |
| | | |
| | +----------------+ +----------------+ +----------------+ | |
| | | SARIF | | Cache Manager | | Core | | |
| | | Reporter | | (6 tools) | | Utilities | | |
| | | (2 tools) | | - Redis | | - Config | | |
| | | | | - Memory | | - Circuit | | |
| | +----------------+ | - Hybrid | | Breaker | | |
| | +----------------+ | - Rate Limiter | | |
| | | - Audit Logger | | |
| | +----------------+ | |
| +---------------------------------------------------------------------+ |
| |
+============================================================================+
| EXTERNAL SERVICES |
+============================================================================+
| |
| +----------+ +----------+ +-------------+ +----------+ +----------+ |
| | Trivy | | SonarQube| | Dependency- | | Docker | | Cloud | |
| | Server | | Server | | Track | | Registry | | Registries| |
| +----------+ +----------+ +-------------+ +----------+ +----------+ |
| |
| +----------+ +----------+ +-------------+ |
| | Gitea | | Drone CI | | GitHub | |
| | Server | | Server | | (SARIF) | |
| +----------+ +----------+ +-------------+ |
| |
+============================================================================+
User Request --> Tool Router --> Handler --> Cache --> External API
| |
v v
Policy Engine Result Aggregator
| |
v v
Compliance Mapper JSON Response
Pattern 1: CI/CD Pipeline Security Gate # .drone.ymlpipeline :
security-scan :
- trivy_scan_image (container)
- sonar_get_issues (code quality)
- opa_evaluate_policy (policy gate)
- compliance_check_status (compliance)
- sarif_upload_github (reporting)
- [GATE] Pass/Fail decision Pattern 2: Scheduled Registry Monitoring @daily (2AM)
|
v
schedule_trigger
|
v
registry_scan_multiple
|
+--> ECR
+--> ACR
+--> GHCR
|
v
compliance_trend_record
|
v
Webhook (Slack/Teams)
Pattern 3: Vulnerability Remediation Workflow trivy_scan_image
|
v
generate_remediations
|
+--> get_high_priority_fixes
+--> get_safe_fixes
|
v
get_remediation_markdown
|
v
PR with fixes --> Rescan --> Policy Gate
Pattern 4: Compliance Audit Preparation Daily: trivy_scan + sonar_get_issues + dtrack_get_findings
|
v
compliance_trend_record
|
v (90 days)
compliance_generate_report (HTML)
|
v
Audit-ready documentation
Pattern 5: Air-Gapped Deployment Internet Zone Transfer Air-Gapped Zone
vuln_db_sync -----> USB/DVD -----> vuln_db_status
|
v
trivy_scan_offline
|
v
vuln_db_annotate
|
v
compliance_generate_report
82 tools for comprehensive security automation
Unified view across all security sources
Policy-as-code for consistent enforcement
Historical trend analysis
Automated scheduled scans
CI/CD pipeline integration
Fast feedback on violations
Offline capability for restricted environments
Pre-built framework mappings (SOC2, HIPAA, PCI-DSS, CIS)
Audit-ready HTML reports
Trend tracking for continuous compliance
Evidence of remediation progress
Extensible OPA/Rego policy engine
Modular architecture
API-first design
Multi-cloud registry support