Confirm that the Trivy scanner adapter is registered; in Harbor 2.2 and later Trivy is the built-in default and its adapter is automatically available at the registration endpoint GET /api/v2.0/scanners
If running a custom external Trivy adapter, register it via POST /api/v2.0/scanners with the adapter URL, name, and auth configuration, then set it as default with PATCH /api/v2.0/scanners/<id> setting is_default: true
Trigger a scan of a specific artifact by POSTing to /api/v2.0/projects/<projectName>/repositories/<repoName>/artifacts/<reference>/scan (no body required)
Poll GET /api/v2.0/projects/<projectName>/repositories/<repoName>/artifacts/<reference> and check the scan_overview field until the status transitions from Running to Success
Retrieve the full vulnerability report by sending GET /api/v2.0/projects/<projectName>/repositories/<repoName>/artifacts/<reference>/additions/vulnerabilities and parse the report object keyed by scanner MIME type
Known gotchas
Trivy's built-in adapter in Harbor scans only on the Harbor server side; the scan is initiated by Harbor calling the adapter's internal endpoint, not directly through an external Trivy CLI
The /scan endpoint accepts scans for a specific digest or tag reference; scanning by mutable tag can yield stale results if the tag has been re-pushed since the scan completed
Scan results are registry-local; vulnerability reports are not automatically replicated when images are replicated to a remote registry, so scanning must be re-triggered at the destination
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp