Integrates with OWASP ZAP (Zed Attack Proxy) to provide AI-powered security testing capabilities including active scans, passive analysis, AJAX spider scans, vulnerability reporting, and session management for web application security assessment.
ZAP MCP Server
A powerful Model Context Protocol (MCP) Server that integrates OWASP ZAP (Zed Attack Proxy) with AI assistants and MCP clients. Enable AI-powered security testing through automated vulnerability scanning.
🎯 Why ZAP MCP Server?
Shift Left Security - Empower developers to integrate security testing early in the development lifecycle. Instead of waiting for security reviews at the end of development, developers can now:
- 🔧 Test during development - Run security scans on localhost applications
- 🤖 AI-assisted security - Get intelligent vulnerability analysis through AI assistants
- ⚡ Rapid feedback - Identify security issues before they reach production
- 🔄 CI/CD integration - Automate security testing in development workflows
- 📊 Developer-friendly - Simple MCP interface for non-security experts
🚀 Features
- 🔍 Multiple Scan Types: Active, Passive, AJAX Spider, and Complete scans
- ⚡ Asynchronous Processing: Background scan execution with real-time status updates
- 🐳 Docker Support: Easy deployment with Docker Compose
- 🤖 AI Integration: Seamless integration with MCP-compatible AI assistants
- 📊 Rich Reporting: Detailed vulnerability reports with risk scoring
- 🔄 Session Management: Flexible session handling strategies
- 🛡️ Production Ready: Robust error handling and logging
📋 Prerequisites
- Python 3.8+
- OWASP ZAP installed and accessible via PATH
- Java (required by ZAP)
- Docker or Podman (optional, for containerized deployment)
📖 For container-specific prerequisites, see:
🛠️ Installation
Option 1: Local Installation
- Clone the repository
- Install OWASP ZAP
- Download from OWASP ZAP Downloads
- Ensure
zap.batis accessible via PATH - Test:
where zap.bat(Windows) orwhich zap.sh(Linux/Mac)
- Install Python dependencies
Option 2: Docker/Podman Deployment (Recommended)
🐳 Docker/Podman is the easiest and most reliable method!
📖 For detailed Docker/Podman setup and localhost scanning instructions, see:
⚠️ CRITICAL: When using containers, localhost applications must be accessed via host.docker.internal (Docker) or host.containers.internal (Podman) instead of localhost. This is the only supported method for localhost scanning.
⚙️ Configuration
The server uses environment variables for configuration. Key settings:
| Variable | Default | Description |
|---|---|---|
ZAP_BASE | http://127.0.0.1:8080 | ZAP API port - Change port by modifying URL |
ZAP_MCP_PORT | 8082 | MCP server port - Port for MCP client connections |
ZAP_MCP_HOST | 127.0.0.1 | MCP server host (use 0.0.0.0 for all interfaces) |
ZAP_AUTOSTART | true | Auto-start ZAP if not running |
ZAP_LOG_LEVEL | INFO | Logging level |
Custom Port Configuration
Using .env file (Recommended):
Using environment variables:
📖 For complete configuration details, see:
🚀 Quick Start
🐳 Docker/Podman (Recommended)
Fastest start with containers:
📖 For detailed setup instructions and localhost scanning, see:
⚠️ CRITICAL: For localhost scanning, use host.docker.internal (Docker) or host.containers.internal (Podman) instead of localhost. This is the only supported method.
💻 Local Installation
1. Start the Server
The server will automatically:
- ✅ Check if ZAP is running
- ✅ Start ZAP if needed (via PATH)
- ✅ Create/load a session
- ✅ Start the MCP server
⏱️ Important: The server takes approximately 90 seconds to become fully operational after startup. This includes:
- ZAP initialization and startup
- Session creation
- MCP server initialization
- All components becoming ready
2. Connect Your MCP Client
Connect to: http://localhost:8082/mcp
MCP Configuration Example
For Cursor IDE, add to your mcp.json:
For other MCP clients, use the same URL endpoint.
3. Available Tools
| Tool | Description |
|---|---|
start_active_scan | Run active security scan (Spider + Active) |
start_complete_scan | Run complete scan (AJAX + Spider + Active + Passive) |
start_passive_scan | Run passive security analysis |
start_ajax_scan | Run AJAX spider for modern web apps |
get_scan_status | Get real-time scan status |
cancel_scan | Cancel running scan |
list_scans | List all active scans |
create_new_session | Create new ZAP session |
📖 Usage Examples
Development Workflow Integration
Local Development Testing:
Pre-Commit Security Check:
📖 For Docker/Podman localhost scanning examples, see:
Basic Security Scan
Quick Passive Scan
Custom Active Scan
🔄 Shift Left Security Integration
Development Workflows
1. Local Development
- Test your localhost application during development
- Get immediate feedback on security issues
- Fix vulnerabilities before committing code
2. Pre-Commit Hooks
- Integrate security scans into git pre-commit hooks
- Prevent insecure code from entering the repository
- Automated security validation
3. CI/CD Pipeline Integration
- Add security testing to your build pipeline
- Scan staging environments automatically
- Generate security reports for each deployment
4. AI-Assisted Security
- Use AI assistants to interpret scan results
- Get recommendations for fixing vulnerabilities
- Learn security best practices through AI guidance
Benefits for Development Teams
- ⚡ Faster feedback - Catch issues in minutes, not weeks
- 💰 Cost reduction - Fix issues early when they're cheaper to resolve
- 🎯 Developer education - Learn security through hands-on testing
- 🛡️ Proactive security - Build secure applications from the start
- 📊 Continuous improvement - Regular security assessments
🐳 Container Deployment
📖 For complete container setup and usage instructions, see:
- DOCKER.md - Complete Docker setup guide with localhost scanning
- PODMAN.md - Complete Podman setup guide with localhost scanning
Quick container commands:
📊 Scan Results
Scans return structured results including:
🔧 Troubleshooting
Server Takes Too Long to Start
The server requires approximately 90 seconds to become fully operational. This is normal and includes:
- ZAP startup and initialization
- Session creation
- MCP server initialization
Wait for the startup process to complete before attempting to connect.
ZAP Won't Start
Connection Issues
MCP Client Connection Issues
If your MCP client cannot connect:
- Ensure the server has been running for at least 90 seconds
- Verify the URL is correct:
http://localhost:8082/mcp - Check that no firewall is blocking port 8082
- For Cursor IDE, ensure your
mcp.jsonconfiguration is correct
Container Issues
📖 For detailed container troubleshooting, see:
🤝 Contributing
- Fork the repository
- Create a feature branch:
git checkout -b feature-name - Commit changes:
git commit -am 'Add feature' - Push to branch:
git push origin feature-name - Submit a Pull Request
📄 License
This project is licensed under the MIT License - see the LICENSE file for details.
🙏 Acknowledgments
- OWASP ZAP - The amazing security testing tool
- Model Context Protocol - The protocol that makes AI integration possible
- Sovereign Engineering - SEC-05 cohort for inspiring freedom tech and self-sovereign applications
Special Thanks
This project was inspired by the Sovereign Engineering Community and their commitment to building tools for a self-sovereign future. The SEC-05 cohort's dedication to freedom tech, censorship resistance, and permissionless access aligns perfectly with the goals of making security testing tools more accessible and decentralized.
"Build applications and services for a self-sovereign future." — Sovereign Engineering
📞 Support
Vibe coded with ❤️ for the self sovereign engineer - YOLO!
This server cannot be installed
hybrid server
The server is able to function both locally and remotely, depending on the configuration or use case.
Integrates OWASP ZAP security testing with AI assistants through MCP, enabling automated vulnerability scanning and AI-powered security analysis during development. Supports multiple scan types including active, passive, and AJAX spider scans with real-time status updates.