Integration
Connect Truvant to your CI/CD pipelines, SIEM platforms, and identity providers.
CI/CD Integration
Truvant integrates with CI/CD pipelines to catch supply-chain risks before they reach developer machines. Scan results can be emitted in SARIF format for native integration with GitHub Code Scanning, GitLab SAST, and any other SARIF-compatible viewer.
GitHub Actions
Add the following workflow to your repository to scan MCP server packages on every push and pull request. Results are uploaded to GitHub Code Scanning and appear inline in the pull request diff.
```yaml
# .github/workflows/mcp-security.yaml
name: MCP Security Scan
on:
  push:
    branches: [main]
  pull_request:
jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      # security-events: write is required to upload SARIF to Code Scanning
      security-events: write
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Install mcpctl
        run: |
          curl -fsSL https://registry.truvant.ai/install.sh | sh
          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
      - name: Scan MCP servers
        env:
          MCPCTL_CLI_REGISTRY_URL: https://registry.truvant.ai
        run: mcpctl scan --format sarif -o results.sarif --no-import
      - name: Upload SARIF to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```
The --no-import flag prevents scan results from being sent to the trust service, keeping the workflow fully self-contained. Remove --no-import and add an MCPCTL_TOKEN secret to also import results into your organization's dashboard.
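The workflow above uploads results but does not fail the build on them. The following added example (not Truvant's code) shows one way to gate a job on results.sarif, resolving each result's level with the SARIF 2.1.0 defaulting rules; the script name, rule ids and sample document are constructed placeholders.

```python
import json
import sys
from collections import Counter

SEVERITY = {"none": 0, "note": 1, "warning": 2, "error": 3}

def effective_level(result, rules_by_id):
    """Resolve a result's level with the SARIF 2.1.0 defaulting rules."""
    if result.get("kind", "fail") != "fail":
        return "none"  # pass/open/informational results carry no severity
    if "level" in result:
        return result["level"]
    rule = rules_by_id.get(result.get("ruleId"), {})
    return rule.get("defaultConfiguration", {}).get("level", "warning")

def gate(sarif, fail_at="error"):
    """Return (count per level, [(ruleId, level)] at or above fail_at)."""
    counts, blocking = Counter(), []
    for run in sarif.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        rules_by_id = {r["id"]: r for r in rules if "id" in r}
        for result in run.get("results") or []:
            level = effective_level(result, rules_by_id)
            counts[level] += 1
            if SEVERITY.get(level, SEVERITY["warning"]) >= SEVERITY[fail_at]:
                blocking.append((result.get("ruleId", "<no ruleId>"), level))
    return counts, blocking

# Constructed sample; rule ids and messages are placeholders, not real mcpctl output.
SAMPLE = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-scanner", "rules": [
        {"id": "EXAMPLE-001", "defaultConfiguration": {"level": "error"}},
        {"id": "EXAMPLE-002"}]}},
    "results": [
        {"ruleId": "EXAMPLE-001", "message": {"text": "no explicit level"}},
        {"ruleId": "EXAMPLE-002", "level": "note", "message": {"text": "note"}},
        {"ruleId": "EXAMPLE-002", "kind": "pass", "message": {"text": "ok"}}]}]}

if __name__ == "__main__":
    doc = SAMPLE
    if len(sys.argv) > 1:  # e.g. python sarif_gate.py results.sarif
        with open(sys.argv[1], encoding="utf-8") as fh:
            doc = json.load(fh)
    counts, blocking = gate(doc)
    print(dict(counts), blocking)
    sys.exit(1 if blocking else 0)
```

Run it as a step after the scan; a non-zero exit code fails the job when any result resolves to the chosen level or higher.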
Standards mapping
Truvant scan findings are mapped to established security standards and frameworks. SARIF output includes rule metadata with standards references so findings appear in the correct category in your security tooling.
| Standard | Coverage |
|---|---|
| MITRE ATLAS | Findings map to adversarial ML tactics including supply chain compromise, model poisoning via tool injection, and data exfiltration via agent tools. |
| OWASP Top 10 for LLMs | Covers LLM01 (Prompt Injection), LLM03 (Training Data Poisoning), LLM05 (Supply Chain), and LLM06:2025 (Excessive Agency) — the primary risk class addressed by tool schema scanning and policy enforcement. |
| OWASP Top 10 for Agentic Applications | Addresses agentic-specific risks including unconstrained tool use, privilege escalation via chained tool calls, and insufficient sandboxing of agent actions. |
SIEM Integration
The mcpctl agent writes structured signal files to a local directory after each enforcement decision. These files are designed for ingestion by Microsoft Defender for Endpoint (MDE) and any SIEM that can read JSON from a watched directory (Splunk UF, Elastic Agent, Cribl, Filebeat, etc.).
Signal files have the following characteristics:
- Format — Newline-delimited JSON, one event per line.
- Deduplication — Identical events within a 60-second window are collapsed into a single signal with an incremented count field.
- Rotation — Files are rotated daily. The active file is always named mcpctl-signals.jsonl; rotated files use the pattern mcpctl-signals-YYYY-MM-DD.jsonl.
- Retention — Rotated files older than 30 days are removed automatically by the agent.
Configuration
The signal file directory defaults to ~/.config/mcpctl/signals/. Override it by setting the MCPCTL_SIGNALS_DIR environment variable, or by editing signals_dir in config.yaml. Point your SIEM agent or custom ingest pipeline at the configured directory.
```sh
# Override the signal directory via environment variable
export MCPCTL_SIGNALS_DIR=/var/log/mcpctl/signals

# Or set it in config.yaml
# signals_dir: /var/log/mcpctl/signals

mcpctl restart
```
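For a custom ingest pipeline, the added example below (not part of mcpctl) reads a signals directory in time order using the file names given above, skips a half-written last line in the active file, and weights each signal by its count field. Only the file names and count come from this page; the decision and server fields, and treating a missing count as 1, are assumptions.

```python
import json
import re
import tempfile
from pathlib import Path

ACTIVE = "mcpctl-signals.jsonl"
ROTATED = re.compile(r"^mcpctl-signals-(\d{4}-\d{2}-\d{2})\.jsonl$")

def ordered_signal_files(directory):
    """Rotated files oldest first (ISO dates sort lexically), active file last."""
    d = Path(directory)
    rotated = sorted(p for p in d.iterdir() if ROTATED.match(p.name))
    active = d / ACTIVE
    return rotated + ([active] if active.is_file() else [])

def read_signals(directory):
    """Yield (event, occurrences) for every well-formed line, in time order."""
    for path in ordered_signal_files(directory):
        with path.open(encoding="utf-8") as fh:
            for line in fh:
                try:
                    event = json.loads(line)
                except json.JSONDecodeError:
                    continue  # blank line, or the agent is mid-write on the last line
                if not isinstance(event, dict):
                    continue
                count = event.get("count")
                # Assumption: a signal without a usable count stands for one event.
                yield event, (count if type(count) is int and count > 0 else 1)

def demo():
    """Total occurrences per decision over a constructed signals directory."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        # Constructed lines: "decision" and "server" are hypothetical field names.
        (d / "mcpctl-signals-2025-01-02.jsonl").write_text(
            '{"decision": "block", "server": "example-a", "count": 3}\n')
        (d / "mcpctl-signals-2025-01-01.jsonl").write_text(
            '{"decision": "allow", "server": "example-b"}\n')
        (d / ACTIVE).write_text(
            '{"decision": "block", "server": "example-a", "count": 2}\n{"decis')
        (d / "notes.txt").write_text("ignored\n")
        totals, order = {}, []
        for event, n in read_signals(d):
            order.append(event["decision"])
            totals[event["decision"]] = totals.get(event["decision"], 0) + n
        return totals, order

if __name__ == "__main__":
    print(demo())
```

Counting lines instead of summing count under-reports bursts, because deduplication collapses repeats within the 60-second window into one line.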
Identity Providers
Truvant uses OpenID Connect (OIDC) for authentication. The following identity providers are supported out of the box. Any standards-compliant OIDC provider can be configured using the custom OIDC setup below.
| Provider | Support |
|---|---|
| Google Workspace | Built-in. Select Google at the login prompt — no additional configuration required. |
| Microsoft Entra ID | Built-in. Select Microsoft at the login prompt — no additional configuration required. |
| Okta | Configure an OIDC application in your Okta tenant and supply the issuer URL and client ID during mcpctl login. |
| Auth0 | Configure an OIDC application in your Auth0 tenant and supply the issuer URL and client ID during mcpctl login. |
| OneLogin | Configure an OIDC application in your OneLogin account and supply the issuer URL and client ID during mcpctl login. |
| Keycloak | Configure an OIDC client in your Keycloak realm and supply the issuer URL and client ID during mcpctl login. |
| Any OIDC Provider | Any provider that exposes a standards-compliant OIDC discovery document (/.well-known/openid-configuration) can be configured using the enterprise SSO setup below. |
Enterprise SSO setup
To connect a custom OIDC provider, follow these steps:
- Create a new OIDC application (sometimes called an "OAuth 2.0 client" or "app registration") in your identity provider's admin console.
- Set the redirect URI to https://trust.truvant.ai/auth/callback.
- Note the issuer URL (e.g., https://your-domain.okta.com) and client ID from the application settings.
- Run mcpctl login --provider custom on each developer machine that will authenticate through this provider.
- When prompted, enter the issuer URL and client ID. mcpctl stores these in the config file so subsequent logins require only mcpctl login.
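Before rolling a custom provider out to developer machines, it helps to confirm that the issuer URL you noted matches what the provider publishes. This added example (not part of mcpctl) checks a discovery document against the fields OpenID Connect Discovery 1.0 requires; the issuer idp.example.com and both sample documents are constructed placeholders.

```python
import json
import sys
from urllib.parse import urlsplit
from urllib.request import urlopen

REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")

def discovery_url(issuer):
    """Discovery location for an issuer (a trailing slash is dropped first)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_discovery(configured_issuer, doc):
    """Return a list of problems; an empty list means the document looks usable."""
    problems = [f"missing required field: {k}" for k in REQUIRED if k not in doc]
    issuer = doc.get("issuer")
    if issuer is not None and issuer != configured_issuer:
        # Must be identical, character for character: ID token "iss" is compared to it.
        problems.append(f"issuer mismatch: configured {configured_issuer!r}, "
                        f"document says {issuer!r}")
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(key)
        if isinstance(value, str) and urlsplit(value).scheme != "https":
            problems.append(f"{key} is not an https URL: {value}")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", ["RS256"]):
        problems.append("RS256 is not listed as an ID token signing algorithm")
    return problems

# Constructed documents for a placeholder issuer, not a real provider's output.
GOOD = {"issuer": "https://idp.example.com",
        "authorization_endpoint": "https://idp.example.com/authorize",
        "token_endpoint": "https://idp.example.com/token",
        "jwks_uri": "https://idp.example.com/jwks",
        "response_types_supported": ["code"],
        "subject_types_supported": ["public"],
        "id_token_signing_alg_values_supported": ["RS256"]}
BAD = dict(GOOD, issuer="https://idp.example.com/",
           jwks_uri="http://idp.example.com/jwks")

if __name__ == "__main__":
    issuer = sys.argv[1] if len(sys.argv) > 1 else GOOD["issuer"]
    doc = GOOD
    if len(sys.argv) > 1 and issuer.startswith("https://"):  # needs network access
        with urlopen(discovery_url(issuer), timeout=10) as resp:
            doc = json.load(resp)
    for problem in check_discovery(issuer, doc):
        print("PROBLEM:", problem)
```

The trailing-slash case in BAD is the common failure: some providers publish an issuer that ends in "/", and entering it without the slash produces an issuer mismatch at login.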