ZAP-MCP exposes a Python-based MCP server that bridges AI models with OWASP ZAP. Once the server is running, AI clients can call ZAP-specific tools through the MCP protocol to initiate scans, monitor progress, fetch alerts, and generate summaries. The available tools include start_scan to kick off a scan against a target URL, get_scan_status to poll the scan's progress, get_alerts to retrieve identified issues from the current scan, and get_scan_summary to obtain a high-level overview of findings. The server communicates in real time over a WebSocket endpoint, enabling AI models to receive live updates during long-running scans. To connect, configure the Claude (or any MCP-compatible) client to point to the WebSocket URL ws://localhost:7456/ws and ensure the same MCP model configuration used by the server is loaded in the client. The claude_desktop_config.json (or equivalent) is used to synchronize model settings with ZAP-MCP, including the Zap API key and URL.

Prerequisites:

• Python 3.8+
• OWASP ZAP installed and running
• pip (comes with Python 3.8+)

Installation steps:

1. Clone the repository git clone https://github.com/tazer/ZAP-MCP.git cd ZAP-MCP

2. Install Python dependencies pip install -r requirements.txt

3. Set up the MCP server

   This script configures and starts the MCP server components

   ./setup_mcp.sh

4. Run the MCP server mcp-server --config claude_desktop_config.json --model-dir ./models Note: The README indicates the server is started via the mcp-server CLI; ensure claude_desktop_config.json is properly configured with your ZAP API key and URL.

5. Verify the WebSocket endpoint is reachable

   • WebSocket URL: ws://localhost:7456/ws

Optional: Ensure ZAP is accessible (Zap API key and URL in claude_desktop_config.json) and that the local environment allows localhost connections on the required port.

Tips and common issues:

• Ensure OWASP ZAP is running and its API key is correctly configured in claude_desktop_config.json (zap_api_key).
• The MCP server communicates via WebSocket (port 7456 by default); if you change ports, update claude_desktop_config.json accordingly.
• If the server fails to start, check that Python 3.8+ is installed and that dependencies in requirements.txt are satisfied.
• Keep the ZAP scan timeout and max_concurrent_scans settings aligned with your environment capabilities to avoid overloading ZAP.
• When testing with Claude or other MCP clients, ensure they are configured to use the same model and WebSocket endpoint exposed by ZAP-MCP.