ZAP MCP Proxy

by madmystic

A lightweight MCP server that wraps OWASP ZAP's REST API as Model Context Protocol tools. Connect your AI agent to OWASP ZAP for automated security scanning.

Prerequisites

  • OWASP ZAP running in daemon mode (or the mcp-zap-server Docker stack)

  • Python 3.10+

Quick Start

# Install dependencies
pip install -r requirements.txt

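# Start ZAP in daemon mode (one time); replace changeme with your own API key
# and set ZAP_API_KEY (see Configuration) to the same value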
/Applications/ZAP.app/Contents/MacOS/ZAP.sh -daemon -port 8090 -host 127.0.0.1 -config api.key=changeme

# Start the MCP proxy
python3 zap_mcp_proxy.py

Tools

| Tool | Description |
|------|-------------|
| zap_health | Check connection to ZAP daemon |
| zap_version | Get ZAP version info |
| zap_api_info | List available ZAP API endpoints |
| zap_list_scan_policies | List scan policies (Default, API, Pen Test, etc.) |
| zap_list_contexts | List contexts |
| zap_create_context | Create a new context with URL regex patterns |
| zap_delete_context | Delete a context |
| zap_list_sites | List discovered sites/URLs |
| zap_spider_scan | Start a traditional spider scan |
| zap_spider_status | Check spider scan progress |
| zap_ajax_spider_scan | Start an AJAX spider scan (JS-heavy sites) |
| zap_ajax_spider_status | Check AJAX spider status |
| zap_start_active_scan | Start an active scan with policy selection |
| zap_list_active_scans | List all active scans |
| zap_active_scan_progress | Check active scan progress |
| zap_alert_summary | Alert counts by risk level |
| zap_alert_count | Total alert count |
| zap_list_alerts | List alerts with risk/context filtering |
| zap_generate_html_report | Generate HTML report |
| zap_generate_xml_report | Generate XML report |
| zap_generate_markdown_report | Generate Markdown report |

Configuration

Environment variables:

  • ZAP_HOST — ZAP daemon host (default: 127.0.0.1)

  • ZAP_PORT — ZAP daemon port (default: 8090)

  • ZAP_API_KEY — ZAP API key (default: changeme)

Adding to Hermes

hermes mcp add zap -- python3 /path/to/zap_mcp_proxy.py

Or add to ~/.hermes/config.yaml:

mcp_servers:
  zap:
    enabled: true
    command: python3
    args:
      - /path/to/zap_mcp_proxy.py