MCP Zap Server

🚀 MCP-ZAP Server

An application based on Spring Boot that exposes OWASP ZAP as an MCP (Model Context Protocol) server. It allows any MCP-compatible AI agents (e.g., Claude Desktop, Cursor) to coordinate ZAP operations - crawling, active scanning, importing OpenAPI specifications, and generating reports.

⚠️ Important Note

This project is currently in the development phase and is not ready for production use. It is intended for educational purposes and to demonstrate the capabilities of the Model Context Protocol (MCP) with OWASP ZAP.

✨ Features

• MCP Server: Exposes ZAP operations as MCP tools.
• OpenAPI Integration: Imports remote or uploaded OpenAPI specifications into ZAP and initiates active scanning.
• Report Generation: Generates HTML/JSON reports and programmatically retrieves the content.
• Dockerization: Runs ZAP and MCP server containers via docker-compose.
• Security: Configures API keys for ZAP (ZAP_API_KEY) and the MCP server (MCP_API_KEY).

🔧 Technical Details

flowchart LR
  subgraph "Docker Compose"
    ZAP["OWASP ZAP (Container)"]
    MCP["MCP Server (Spring Boot)"]
    Client["MCP Client (Open Web-UI)"]
  end
  OtherClient["MCP Client (Claude, Cursor)"] --> |HTTP/SSE + Bearer| MCP
  Client -->|HTTP/SSE + Bearer| MCP
  MCP -->|ZAP REST API| ZAP
  ZAP -->|Scanning, Alerts, Reports| MCP

🚀 Quick Start

Prerequisites

• Install Docker.
• Install Docker Compose.

Running the Services

1. Open a terminal.
2. Navigate to the project directory containing the docker-compose.yml file.
3. Run the following command to start the containers in detached mode:

docker-compose up -d

4. To view the logs of a specific service, run:

docker-compose logs <service_name>

Service Overview

zap

• Image: zaproxy/zap-stable
• Purpose: Runs the OWASP ZAP daemon on port 8090.
• Configuration:
  • Disables the API key.
  • Accepts requests from all addresses.
  • Maps the host directory ${LOCAL_ZAP_WORKPLACE_FOLDER} to the container path /zap/wrk.

open-webui

• Image: ghcr.io/open-webui/open-webui
• Purpose: Provides a web interface for managing ZAP and the MCP server.
• Configuration:
  • Exposes port 3000.
  • Uses a named volume to persist backend data.

mcpo

• Image: ghcr.io/open-webui/mcpo:main
• Purpose: Exposes any MCP tool as an OpenAPI-compatible HTTP server. Only used for Open Web-UI.
• Configuration:
  • Maps port 9000.

mcp-zap

• Image: ghcr.io/mcpgpt/mcp-zap:latest
• Purpose: Runs the MCP-ZAP project.
• Configuration:
  • Sets the environment variable ${MCP_ZAP_OPENAPI} to point to the OpenAPI file path.
  • Sets the environment variable ${MCP_ZAP_API_KEY} to configure the API key.

💻 Usage Examples

Starting with Docker Compose

# Run the following command in the project directory to start the services:
docker-compose up -d

# Access the interfaces:
# Open Web-UI: http://localhost:3000

Environment Variable Configuration

MCP-ZAP Server

# Configure the OpenAPI file path (Required)
MCP_ZAP_OPENAPI=/path/to/openapi.json

# Optional, set the API key
MCP_ZAP_API_KEY=your_api_key_here

Use Cases

1. Create a simple OpenAPI specification file openapi.json

{
  "openapi": "3.0.0",
  "info": {
    "title": "Example API",
    "version": "1.0"
  },
  "servers": [
    {
      "url": "http://localhost:8080"
    }
  ]
}

2. Start the MCP-ZAP server

# Run the following command in the project directory to start the services:
docker-compose up -d

# Confirm the service running status:
docker-compose ps

📚 Documentation

Glossary

• MCP: Model Context Protocol
• ZAP: OWASP ZAP (Active Security Tool for Zugzwang)
• OpenAPI: Open Application Programming Interface Specification