ZAP MCP Proxy
Provides tools for interacting with OWASP ZAP's REST API, enabling automated security scanning including spider scans, active scans, alert management, and report generation.
A lightweight MCP server that wraps OWASP ZAP's REST API as Model Context Protocol tools. Connect your AI agent to OWASP ZAP for automated security scanning.
Prerequisites
OWASP ZAP running in daemon mode (or the mcp-zap-server Docker stack)
Python 3.10+
Quick Start
# Install dependencies
pip install -r requirements.txt
# Start ZAP in daemon mode (one time)
/Applications/ZAP.app/Contents/MacOS/ZAP.sh -daemon -port 8090 -host 127.0.0.1 -config api.key=changeme
# Start the MCP proxy
python3 zap_mcp_proxy.py
Tools
Tool | Description |
| Check connection to ZAP daemon |
| Get ZAP version info |
| List available ZAP API endpoints |
| List scan policies (Default, API, Pen Test, etc.) |
| List contexts |
| Create a new context with URL regex patterns |
| Delete a context |
| List discovered sites/URLs |
| Start a traditional spider scan |
| Check spider scan progress |
| Start an AJAX spider scan (JS-heavy sites) |
| Check AJAX spider status |
| Start an active scan with policy selection |
| List all active scans |
| Check active scan progress |
| Alert counts by risk level |
| Total alert count |
| List alerts with risk/context filtering |
| Generate HTML report |
| Generate XML report |
| Generate Markdown report |
Configuration
Environment variables:
ZAP_HOST — ZAP daemon host (default: 127.0.0.1)
ZAP_PORT — ZAP daemon port (default: 8090)
ZAP_API_KEY — ZAP API key (default: changeme)
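A preflight check for the three variables above, added here as an example and not part of the project's own code: it flags the documented default key changeme (the same value the Quick Start passes to ZAP), a ZAP_HOST that is not a loopback address, and an invalid port. The function names and the 24-character minimum key length are assumptions made for this example.

```python
import ipaddress
import os
import sys

# Defaults as documented in the Configuration section.
DEFAULTS = {"ZAP_HOST": "127.0.0.1", "ZAP_PORT": "8090", "ZAP_API_KEY": "changeme"}
MIN_KEY_LEN = 24  # assumption: floor chosen for this example, not a ZAP requirement


def is_loopback(host):
    """True for 'localhost' or a loopback IP literal (127.0.0.0/8, ::1)."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # any other hostname is treated as non-loopback


def check_zap_env(env):
    """Return a list of findings for the proxy's environment variables."""
    cfg = {name: env.get(name, default) for name, default in DEFAULTS.items()}
    findings = []
    key = cfg["ZAP_API_KEY"]
    if key == DEFAULTS["ZAP_API_KEY"]:
        findings.append("ZAP_API_KEY is the documented default 'changeme'")
    elif len(key) < MIN_KEY_LEN:
        findings.append(f"ZAP_API_KEY is shorter than {MIN_KEY_LEN} characters")
    if not is_loopback(cfg["ZAP_HOST"]):
        # Scan control and the API key would leave this machine.
        findings.append(f"ZAP_HOST {cfg['ZAP_HOST']!r} is not a loopback address")
    port = cfg["ZAP_PORT"]
    if not (port.isascii() and port.isdigit() and 1 <= int(port) <= 65535):
        findings.append(f"ZAP_PORT {port!r} is not a valid TCP port")
    return findings


if __name__ == "__main__":
    problems = check_zap_env(os.environ)
    for problem in problems:
        print("WARN:", problem, file=sys.stderr)
    sys.exit(1 if problems else 0)
```

Run it in the same environment as the proxy before starting zap_mcp_proxy.py; a non-zero exit status means at least one finding was printed.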
Adding to Hermes
hermes mcp add zap -- python3 /path/to/zap_mcp_proxy.py
Or add to ~/.hermes/config.yaml:
mcp_servers:
  zap:
    enabled: true
    command: python3
    args:
      - /path/to/zap_mcp_proxy.py