MCP.so
ログイン

MCP ZAP Server

@dtkmn

MCP ZAP Server について

A Spring Boot application exposing OWASP ZAP as an MCP (Model Context Protocol) server. It lets any MCP‑compatible AI agent (e.g., Claude Desktop, Cursor) orchestrate ZAP actions—spider, active scan, import OpenAPI specs, and generate reports.

基本情報

カテゴリ

AI とエージェント

ライセンス

MIT license

ランタイム

java

トランスポート

stdio

公開者

dtkmn

設定

以下の設定を使って、このサーバーを MCP 対応クライアントに追加してください。

{
  "mcpServers": {
    "zap-mcp-server": {
      "type": "http",
      "url": "http://localhost:7456/sse"
    }
  }
}

ツール

ツールは検出されませんでした

ツールは README から自動的に抽出されます。メンテナーは ## Tools という見出しの下に記載することで、このタブに反映できます。

概要

What is MCP ZAP Server?

A Spring Boot application that exposes OWASP ZAP as an MCP (Model Context Protocol) server. It lets any MCP-compatible AI agent (e.g., Claude Desktop, Cursor) orchestrate ZAP actions—spider, active scan, import OpenAPI specs, and generate reports.

How to use MCP ZAP Server?

Clone the repository, set the environment variable LOCAL_ZAP_WORKPLACE_FOLDER, and run docker-compose up -d. Open http://localhost:3000 for the Open Web-UI interface. Alternatively, configure it with Claude Desktop, Cursor, or Windsurf by adding a JSON definition using either STDIO or SSE transport mode.

Key features of MCP ZAP Server

  • Exposes ZAP actions as MCP tools
  • OpenAPI integration for spec import and scanning
  • HTML and JSON report generation
  • Dockerized with orchestration via docker-compose
  • Secure configuration with API keys for ZAP and MCP server

Use cases of MCP ZAP Server

  • Automate security scanning through an AI agent conversation
  • Import a remote OpenAPI spec and trigger an active scan
  • Generate HTML or JSON security reports programmatically
  • Run spider scans and retrieve found alerts
  • Test ZAP’s capabilities with deliberately vulnerable apps (Juice Shop, Petstore)

FAQ from MCP ZAP Server

Is MCP ZAP Server production-ready?

No, it is a work in progress and intended for educational purposes to demonstrate the capabilities of MCP with OWASP ZAP.

What are the prerequisites?

You need Docker >= 20.10, Docker Compose >= 1.29, and an LLM that supports tool calling (e.g., gpt-4o, Claude 3, Llama 3, mistral, phi3). For manual builds, Java 21+ is required.

How does MCP ZAP Server connect to AI agents?

It supports both STDIO mode (running the JAR with specific system properties) and SSE mode (exposing an HTTP endpoint at http://localhost:7456/sse).

How can I secure the server?

Configure API keys by setting environment variables ZAP_API_KEY for OWASP ZAP and MCP_API_KEY for the MCP server.

Is MCP ZAP Server affiliated with OWASP?

No, it is an independent implementation and not affiliated with or endorsed by OWASP or the OWASP ZAP project.

コメント

「AI とエージェント」の他のコンテンツ