The ZeroPath MCP Server enables AI agents to interact with ZeroPath's application security platform through MCP-compatible tools, calling the tRPC V2 API directly for vulnerability management and security operations.
Key Capabilities:
Vulnerability Management - Search for vulnerabilities with queries, retrieve detailed issue information including patch data, mark issues as true/false positives, and archive/unarchive issues for workflow management
Patch Operations - Generate automated security fixes for vulnerabilities and approve patches for deployment
Security Scanning - Start new scans on repositories and list existing scans with filtering by repository, type (FullScan, PrScan, SCAScan), and pagination
Software Composition Analysis (SCA) - Search and list vulnerabilities in third-party dependencies across ecosystems (npm, pip, maven, etc.), get detailed SCA vulnerability information including transitivity (direct vs transitive), and filter by repository, ecosystem, and dependency type
Repository Management - List all repositories in the organization and view repositories with dependency inventory information
Security Analytics - Access overall security posture metrics (scores, trends, risk assessment), view issue statistics grouped by vulnerability class (XSS, SQLi, etc.), and get aggregated summary statistics (total issues, patches, repositories, KPIs)
Direct API Integration - Calls ZeroPath tRPC V2 procedures directly without REST wrappers, returning structured JSON responses with client-side input validation
Offers a community space for users to ask questions, provide feedback, and discuss the ZeroPath MCP server
Enables bug reporting and contribution to the ZeroPath MCP server through GitHub issues and pull requests
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type @ followed by the MCP server name and your instructions, e.g., "@ZeroPath MCP Server show me all SSRF vulnerabilities in the user service".
That's it! The server will respond to your query, and you can continue using it as needed.
ZeroPath MCP Server
Interact with ZeroPath security findings via MCP-compatible tools.
This MCP server calls ZeroPath tRPC V2 procedures directly (no REST wrappers) and returns structured JSON responses suitable for agent consumption.
Blog Post
Learn more about why we built this and how it fits into the evolving AI development ecosystem:
Chat With Your AppSec Scans: Introducing the ZeroPath MCP Server
Related MCP server: ExploitDB MCP Server
Installation
Quick Install (Recommended)
Install directly from GitHub:
You can also pin to a specific version:
From Source
From PyPI (Optional)
If the package is published to PyPI, you can also install via:
Setup
1. Generate API Key
Generate a user-scoped or admin API key from ZeroPath Settings.
2. Configure Environment Variables
Use ZEROPATH_BASE_URL to target staging or another environment, for example:
Configuration
Add the following to your MCP config file (Claude Desktop, Cursor, etc.):
Using GitHub URL (Recommended)
Using source install
Using PyPI install (Optional)
Tool Surface (tRPC V2)
Tools are loaded dynamically from the ZeroPath frontend's MCP manifest at startup.
All tool calls invoke tRPC V2 procedures directly, following tRPC v10 HTTP conventions:
Queries: GET /trpc/<procedure>?input=<url-encoded-json>
Mutations: POST /trpc/<procedure> with the raw JSON input object as the body (not wrapped).
Successful responses are returned as structured JSON with the { "result": { "data": ... } } wrapper removed. Errors return the tRPC error object directly.
The server also performs best-effort client-side input validation using each tool's inputSchema from the manifest and returns a BAD_REQUEST error before calling tRPC when inputs are invalid. If a schema uses unsupported JSON Schema features, client-side validation is skipped for that call (server-side validation remains authoritative).
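The request shapes and the best-effort client-side validation described above, as an added Python example that is not the ZeroPath server's own code. The schema, the procedure names and the base URL are constructed placeholders; validate_input understands only type/properties/required and reports "skipped" for any other JSON Schema keyword, leaving the check to the server, as the text describes.

```python
import json
from urllib.parse import quote

# Constructed schema for a hypothetical issue-search tool (not ZeroPath's real manifest).
ISSUE_SEARCH_SCHEMA = {
    "type": "object",
    "properties": {"query": {"type": "string"}, "limit": {"type": "integer"}},
    "required": ["query"],
}
SUPPORTED_KEYS = {"type", "properties", "required"}  # anything else => validation skipped
PY_TYPES = {"string": str, "integer": int, "number": (int, float),
            "boolean": bool, "array": list, "object": dict}

def validate_input(schema, value):
    """Best-effort check against a manifest inputSchema. Returns ("ok", ""),
    ("invalid", reason) or ("skipped", reason) for unsupported JSON Schema keywords."""
    unsupported = set(schema) - SUPPORTED_KEYS
    if unsupported:
        return "skipped", "unsupported keywords: " + ", ".join(sorted(unsupported))
    kind = schema.get("type")
    if kind in PY_TYPES:
        # bool is a subclass of int in Python, so reject it explicitly for numeric types
        if not isinstance(value, PY_TYPES[kind]) or (kind in ("integer", "number") and isinstance(value, bool)):
            return "invalid", f"expected {kind}, got {type(value).__name__}"
    if kind == "object":
        for key in schema.get("required", []):
            if key not in value:
                return "invalid", f"missing required field '{key}'"
        for key, sub in schema.get("properties", {}).items():
            if key in value:
                status, reason = validate_input(sub, value[key])
                if status != "ok":
                    return status, f"{key}: {reason}"
    return "ok", ""

def prepare_call(base_url, kind, procedure, schema, input_obj):
    """Validate, then build the tRPC v10 request: GET with url-encoded JSON input for
    queries, POST with the raw (unwrapped) JSON object for mutations; BAD_REQUEST otherwise."""
    status, reason = validate_input(schema, input_obj)
    if status == "invalid":
        return {"error": {"code": "BAD_REQUEST", "message": reason}}
    url = f"{base_url.rstrip('/')}/trpc/{procedure}"
    body = json.dumps(input_obj, separators=(",", ":"))
    if kind == "query":
        return {"method": "GET", "url": f"{url}?input={quote(body, safe='')}"}
    return {"method": "POST", "url": url, "body": body}

def unwrap_response(body):
    """Strip the {"result": {"data": ...}} wrapper; tRPC error objects pass through unchanged."""
    return body["error"] if "error" in body else body["result"]["data"]
```

A "skipped" result still lets the request go out, which is the page's stated behaviour: the server-side validation remains authoritative.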
Example Calls
List issues:
Archive issues:
Create a rule:
Fetch stats summary:
Development
Running Tests
Building the Package
Publishing to PyPI (Optional)
Contributing
We welcome contributions from the security, AI, and developer tools communities.
Found a bug? Open an issue
Want to improve a tool or add a new one? Submit a pull request
Have feedback or questions? Join us on Discord
License
MIT License - see LICENSE for details.