zap-mcp-server: Integrate OWASP ZAP & AI, Support Containerized Deployment

Zap MCP Server

The OWASP ZAP MCP server is a protocol server that integrates the Zed Attack Proxy security scanning tool with an AI assistant. It supports multiple scan types and containerized deployment, enabling shift-left security testing in development.

Security Developer tools #Security Scanning #AI Integration #Containerization #Shift-Left Development .Python

rating : 2 points

downloads : 5.5K

update time : 2025-09-18

Open Site

What is ZAP MCP Server?

ZAP MCP Server is an innovative security testing tool that connects OWASP ZAP (the industry-leading vulnerability scanner) with an AI assistant through the Model Context Protocol. This allows developers to perform security testing while writing code, eliminating the need to wait for a professional security team to review.

How to use ZAP MCP Server?

Simply install and start the server, then configure the MCP connection in your AI assistant (such as Cursor IDE). You can request a security scan through simple natural language commands, and the system will automatically execute the scan and return a detailed security report.

Applicable Scenarios

Suitable for the entire software development lifecycle: local development testing, pre-commit security checks, CI/CD pipeline integration, and AI-assisted security vulnerability analysis and repair suggestions.

Main Features

Multiple Scan Types

Supports active scanning, passive scanning, AJAX spider scanning, and full scanning to meet different security testing needs

AI Intelligent Integration

Seamlessly integrates with the AI assistant through the MCP protocol, providing intelligent vulnerability analysis and repair suggestions

Automatic URL Transformation

Automatically converts localhost to the correct container host gateway address in a container environment

Asynchronous Processing

Executes scan tasks in the background, updates the status in real-time, and does not block the development workflow

Containerization Support

Provides Docker and Podman container deployment, simplifying the installation and configuration process

Rich Reporting

Generates detailed security reports, including risk scores, vulnerability classifications, and repair suggestions

Advantages

⚡ Quick Feedback: Discover security issues in the early stages of development, saving repair costs

🤖 AI Assistance: Obtain professional security analysis and suggestions through the AI assistant

🐳 Easy Deployment: Containerized deployment, start and use with one click

🔧 Developer-Friendly: Designed specifically for developers, no deep security background required

📊 Comprehensive Scanning: Supports multiple scan types, covering various security vulnerabilities

Limitations

⏱️ Slow Startup: It takes about 90 seconds to initialize the first time it starts

💻 Resource Requirements: Java and ZAP need to be installed, or a container environment is required

🌐 Network Dependency: A network connection is required to scan external websites

🛠️ Configuration Learning: Simple learning of MCP client configuration is required

How to Use

Choose a Deployment Method

It is recommended to use Docker container deployment (the simplest), or local installation

Wait for the Server to Start

The server takes about 90 seconds to complete the ZAP initialization and start the MCP service

Configure the MCP Client

Add the MCP server configuration to your AI assistant (such as Cursor IDE)

Start the Security Scan

Send a scan command through the AI assistant and view the real-time results

Usage Examples

Local Development Security Testing

When developing a React application, test the security vulnerabilities of localhost:3000 in real-time

Pre-Commit Security Check

Automatically perform a security scan before committing code to ensure no new vulnerabilities are introduced

CI/CD Pipeline Integration

Add a security testing step to the automated deployment process

Educational Learning Scenario

Use a deliberately vulnerable application (such as OWASP Juice Shop) to learn security knowledge

Frequently Asked Questions

Why does the server take 90 seconds to start?

How do I scan a locally running application?

Which AI assistants are supported?

Will the scan affect my development environment?

How do I view the scan progress and results?

Related Resources

Official GitHub Repository

Get the latest code, submit issues, and participate in contributions

Docker Deployment Guide

Detailed Docker container deployment and configuration instructions

Podman Deployment Guide

A complete guide to deploying with Podman containers

OWASP ZAP Official Website

Learn about the detailed functions and technologies of the underlying ZAP scanner

Model Context Protocol

Learn the technical specifications and implementation principles of the MCP protocol

🚀 ZAP MCP Server

A powerful Model Context Protocol (MCP) Server that integrates OWASP ZAP (Zed Attack Proxy) with AI assistants and MCP clients. Enable AI-powered security testing through automated vulnerability scanning.

🚀 Quick Start

🐳 Docker/Podman (Recommended)

Fastest start with containers:

# 1. Clone repository
git clone https://github.com/LisBerndt/zap-custom-mcp.git
cd zap-custom-mcp

# 2. Start (auto-detects Docker/Podman)
# Linux/Mac:
./build.sh && ./start.sh

# Windows:
build.bat
start.bat

# 3. Wait (approx. 90 seconds) and then connect:
# http://localhost:8082/mcp

📖 For detailed setup instructions and localhost scanning, see:

DOCKER.md - Complete Docker guide
PODMAN.md - Complete Podman guide

✅ AUTOMATIC URL TRANSFORMATION: The server automatically detects Docker/Podman environments and transforms localhost/127.0.0.1 URLs to the appropriate host gateway. You can use localhost URLs directly - no manual mapping needed!

💻 Local Installation

1. Start the Server

Recommended method (as package):

python -m zap_custom_mcp

Alternative methods:

# As specific module
python -m zap_custom_mcp.http_server

# Direct execution (legacy, may have import issues)
python zap_custom_mcp/http_server.py

💡 Best Practice: Always use python -m zap_custom_mcp for the most reliable execution.

The server will automatically:

✅ Check if ZAP is running
✅ Start ZAP if needed (via PATH)
✅ Create/load a session
✅ Start the MCP server

⏱️ Important: The server takes approximately 90 seconds to become fully operational after startup. This includes:

ZAP initialization and startup
Session creation
MCP server initialization
All components becoming ready

2. Connect Your MCP Client

Connect to: http://localhost:8082/mcp

MCP Configuration Example

For Cursor IDE, add to your mcp.json:

{
  "mcpServers": {
    "zap-mcp": {
      "url": "http://localhost:8082/mcp"
    }
  }
}

For other MCP clients, use the same URL endpoint.

3. Available Tools

Tool	Description
`start_active_scan`	Run active security scan (Spider + Active)
`start_complete_scan`	Run complete scan (AJAX + Spider + Active + Passive)
`start_passive_scan`	Run passive security analysis
`start_ajax_scan`	Run AJAX spider for modern web apps
`get_scan_status`	Get real-time scan status
`cancel_scan`	Cancel running scan
`list_scans`	List all active scans
`create_new_session`	Create new ZAP session

✨ Features

🔍 Multiple Scan Types: Active, Passive, AJAX Spider, and Complete scans
⚡ Asynchronous Processing: Background scan execution with real-time status updates
🐳 Docker Support: Easy deployment with Docker Compose
🤖 AI Integration: Seamless integration with MCP-compatible AI assistants
📊 Rich Reporting: Detailed vulnerability reports with risk scoring
🔄 Session Management: Flexible session handling strategies
🛡️ Production Ready: Robust error handling and logging
🔄 Automatic URL Transformation: Automatically maps localhost URLs to container host gateways

📦 Installation

Package Structure

This project uses a proper Python package structure (zap_custom_mcp/) which provides several benefits:

✅ Clean imports - Proper module organization
✅ Docker compatibility - Works seamlessly in containers
✅ PyPI ready - Can be published as a proper Python package

Execution methods:

python -m zap_custom_mcp (recommended)
python -m zap_custom_mcp.http_server (alternative method)

Option 1: Local Installation

Clone the repository

git clone https://github.com/LisBerndt/zap-custom-mcp.git
cd zap-custom-mcp

Install OWASP ZAP
- Download from OWASP ZAP Downloads
- Ensure zap.bat is accessible via PATH
- Test: where zap.bat (Windows) or which zap.sh (Linux/Mac)
Install Python dependencies
```
pip install -r requirements.txt
```

Linux-specific notes

Install Java (OpenJDK 11+ recommended):

# Debian/Ubuntu
sudo apt-get update && sudo apt-get install -y default-jre

# Fedora
sudo dnf install -y java-11-openjdk

Install OWASP ZAP:

# Debian/Ubuntu (from official repos)
sudo apt-get update && sudo apt-get install -y zaproxy

# If not available in your distro repos, download from ZAP website:
# https://www.zaproxy.org/download/

Verify ZAP is on PATH (Linux/Mac):

which zap.sh || echo "zap.sh not found in PATH"

Option 2: Docker/Podman Deployment (Recommended)

🐳 Docker/Podman is the easiest and most reliable method!

# 1. Clone repository
git clone https://github.com/LisBerndt/zap-custom-mcp.git
cd zap-custom-mcp

# 2. Build and start containers (auto-detects Docker/Podman)
# Linux/Mac:
./build.sh
./start.sh

# Windows:
build.bat
start.bat

# 3. Check status
docker-compose ps  # or podman-compose ps

📖 For detailed Docker/Podman setup and localhost scanning instructions, see:

DOCKER.md - Complete Docker setup guide
PODMAN.md - Complete Podman setup guide

✅ AUTOMATIC URL TRANSFORMATION: The server automatically detects Docker/Podman environments and transforms localhost/127.0.0.1 URLs to the appropriate host gateway:

Docker: localhost:3000 → host.docker.internal:3000
Podman: localhost:3000 → host.containers.internal:3000
Local: URLs remain unchanged

This means you can use localhost URLs directly - they will be automatically transformed when running in containers!

⚙️ Configuration

The server uses environment variables for configuration. Key settings:

Variable	Default	Description
`ZAP_BASE`	`http://127.0.0.1:8080`	ZAP API port - Change port by modifying URL
`ZAP_MCP_PORT`	`8082`	MCP server port - Port for MCP client connections
`ZAP_MCP_HOST`	`127.0.0.1`	MCP server host (use `0.0.0.0` for all interfaces)
`ZAP_AUTOSTART`	`true`	Auto-start ZAP if not running
`ZAP_LOG_LEVEL`	`INFO`	Logging level

Custom Port Configuration

Using .env file (Recommended):

# Copy the example file
cp env.example .env

# Edit .env file
ZAP_PORT=8081
ZAP_MCP_PORT=8083
ZAP_BASE=http://127.0.0.1:8081

Using environment variables:

# Set custom ports
export ZAP_PORT=8081
export ZAP_MCP_PORT=8083
export ZAP_BASE="http://127.0.0.1:8081"

# Then start containers
./start.sh

📖 For complete configuration details, see:

DOCKER.md - Docker configuration options
PODMAN.md - Podman configuration options

💻 Usage Examples

Development Workflow Integration

Local Development Testing:

{
  "tool": "start_passive_scan",
  "arguments": {
    "url": "http://localhost:3000",
    "timeout_seconds": 60
  }
}

Pre-Commit Security Check:

{
  "tool": "start_active_scan",
  "arguments": {
    "url": "http://localhost:8080",
    "ascan_max_wait_seconds": 300,
    "spider_max_wait_seconds": 120
  }
}

Localhost Scanning Examples

✅ AUTOMATIC URL TRANSFORMATION: The server automatically detects Docker/Podman environments and transforms localhost/127.0.0.1 URLs:

{
  "tool": "start_complete_scan",
  "arguments": {
    "url": "http://localhost:3000",
    "include_findings": true
  }
}

What happens automatically:

Docker: http://localhost:3000 → http://host.docker.internal:3000
Podman: http://localhost:3000 → http://host.containers.internal:3000
Local: http://localhost:3000 → http://localhost:3000 (unchanged)

📖 For Docker/Podman localhost scanning examples, see:

DOCKER.md - Docker localhost examples
PODMAN.md - Podman localhost examples

Basic Security Scan

💡 Example Target: OWASP Juice Shop - A deliberately vulnerable web application designed for security testing and training.

{
  "tool": "start_complete_scan",
  "arguments": {
    "url": "https://juice-shop.herokuapp.com/#/",
    "include_findings": true,
    "include_evidence": false
  }
}

Quick Passive Scan

💡 Perfect for: Quick security assessment without active testing.

{
  "tool": "start_passive_scan",
  "arguments": {
    "url": "https://juice-shop.herokuapp.com/#/",
    "timeout_seconds": 300
  }
}

AJAX Spider Scan

💡 Perfect for: Modern web applications with JavaScript/AJAX content.

{
  "tool": "start_ajax_scan",
  "arguments": {
    "url": "https://juice-shop.herokuapp.com/#/",
    "maxDuration": 5,
    "maxCrawlDepth": 5,
    "numberOfBrowsers": 1,
    "browserId": "firefox-headless"
  }
}

Note: AJAX scans require Firefox to be installed in the container (included by default). Firefox runs in headless mode without requiring any display server.

Custom Active Scan

💡 Advanced configuration: Custom timeouts and scan policies for thorough testing.

{
  "tool": "start_active_scan",
  "arguments": {
    "url": "https://juice-shop.herokuapp.com/#/",
    "ascan_max_wait_seconds": 3600,
    "spider_max_wait_seconds": 900,
    "scanPolicyName": "Default Policy"
  }
}

📚 Documentation

🔄 Shift Left Security Integration

Development Workflows

1. Local Development

Test your localhost application during development
Get immediate feedback on security issues
Fix vulnerabilities before committing code

2. Pre-Commit Hooks

Integrate security scans into git pre-commit hooks
Prevent insecure code from entering the repository
Automated security validation

3. CI/CD Pipeline Integration

Add security testing to your build pipeline
Scan staging environments automatically
Generate security reports for each deployment

4. AI-Assisted Security

Use AI assistants to interpret scan results
Get recommendations for fixing vulnerabilities
Learn security best practices through AI guidance

Benefits for Development Teams

⚡ Faster feedback - Catch issues in minutes, not weeks
💰 Cost reduction - Fix issues early when they're cheaper to resolve
🎯 Developer education - Learn security through hands-on testing
🛡️ Proactive security - Build secure applications from the start
📊 Continuous improvement - Regular security assessments

🐳 Container Deployment

📖 For complete container setup and usage instructions, see:

DOCKER.md - Complete Docker setup guide with automatic URL transformation
PODMAN.md - Complete Podman setup guide with automatic URL transformation

Quick container commands:

# Start containers (auto-detects Docker/Podman)
# Linux/Mac:
./start.sh

# Windows:
start.bat

# Follow logs
docker-compose logs -f    # Docker
podman-compose logs -f    # Podman

# Stop containers
docker-compose down       # Docker
podman-compose down       # Podman

📊 Scan Results

Scans return structured results including:

{
  "scan_id": "abc12345",
  "target": "https://juice-shop.herokuapp.com/#/",
  "alerts": {
    "High": 2,
    "Medium": 5,
    "Low": 12,
    "Informational": 8
  },
  "totalAlerts": 27,
  "riskScore": 31,
  "vulnerabilityNames": [
    { "name": "SQL Injection", "risk": "High", "count": 1 },
    { "name": "XSS", "risk": "Medium", "count": 3 }
  ],
  "durations": {
    "ajax": 45.2,
    "spider": 120.5,
    "ascan": 1800.0,
    "pscan": 30.1
  }
}

🔧 Troubleshooting

Server Takes Too Long to Start

The server requires approximately 90 seconds to become fully operational. This is normal and includes:

ZAP startup and initialization
Session creation
MCP server initialization

Wait for the startup process to complete before attempting to connect.

ZAP Won't Start

# Check if ZAP is in PATH
where zap.bat  # Windows
which zap.sh   # Linux/Mac

# Check Java installation
java -version

# Enable debug logging
set ZAP_LOG_LEVEL=DEBUG
python -m zap_custom_mcp

Connection Issues

# Check if ZAP is running
curl http://localhost:8080/JSON/core/view/version/

# Check MCP server
curl http://localhost:8082/mcp

# Check firewall settings

MCP Client Connection Issues

If your MCP client cannot connect:

Ensure the server has been running for at least 90 seconds
Verify the URL is correct: http://localhost:8082/mcp
Check that no firewall is blocking port 8082
For Cursor IDE, ensure your mcp.json configuration is correct

Container Issues

📖 For detailed container troubleshooting, see:

DOCKER.md - Docker troubleshooting guide
PODMAN.md - Podman troubleshooting guide

🤝 Contributing

Fork the repository
Create a feature branch: git checkout -b feature-name
Install development dependencies: pip install -e ".[dev]"
Run tests: pytest
Commit changes: git commit -am 'Add feature'
Push to branch: git push origin feature-name
Submit a Pull Request

Development Setup

# Clone and setup
git clone https://github.com/LisBerndt/zap-custom-mcp.git
cd zap-custom-mcp

# Install in development mode
pip install -e ".[dev]"

# Run tests
pytest

# Start development server
python -m zap_custom_mcp

📄 License

This project is licensed under the MIT License - see the LICENSE file for details.

🙏 Acknowledgments

OWASP ZAP - The amazing security testing tool
Model Context Protocol - The protocol that makes AI integration possible
Sovereign Engineering - SEC-05 cohort for inspiring freedom tech and self-sovereign applications

Special Thanks

This project was inspired by the Sovereign Engineering Community and their commitment to building tools for a self-sovereign future. The SEC-05 cohort's dedication to freedom tech, censorship resistance, and permissionless access aligns perfectly with the goals of making security testing tools more accessible and decentralized.

"Build applications and services for a self-sovereign future." — Sovereign Engineering