mcp-zap

The MCP ZAP Server exposes OWASP ZAP functionality as MCP tools so an MCP-compatible AI agent can orchestrate security testing flows without direct CLI usage. It supports actions like spidering a target, running active scans, importing API specifications, and generating reports. It also includes a token-friendly findings summary feature for concise, LLMS-friendly output. You can interact via MCP endpoints over HTTP/Streamable channels and receive structured results (scans, alerts, and reports) from ZAP through the MCP server. Typical usage involves configuring authentication, pointing the server at a target application, and invoking the available MCP tools such as zap_spider, zap_active_scan, zap_import_openapi, and zap_generate_reports. The documentation also covers how to run ZAP health checks, fetch findings, and generate markdown summaries for quick reviews.

Prerequisites:

• Docker and Docker Compose installed on the host
• Optional: Java 17+ for building the Spring Boot MCP server outside Docker (not required when using the Docker image)

Install and run using Docker:

1. Ensure environment variables are set (example):

   • ZAP_API_KEY=your-generated-zap-api-key-here
   • MCP_API_KEY=your-generated-mcp-api-key-here
   • LOCAL_ZAP_WORKPLACE_FOLDER=/path/to/your/zap-workplace
   • MCP_SECURITY_MODE=api-key

2. Start the MCP ZAP Server with Docker (using the recommended image and a minimal docker-run command): docker run -d --name mcp-zap-server
   -e ZAP_API_KEY=$ZAP_API_KEY
   -e MCP_API_KEY=$MCP_API_KEY
   -e LOCAL_ZAP_WORKPLACE_FOLDER=$LOCAL_ZAP_WORKPLACE_FOLDER
   -e MCP_SECURITY_MODE=$MCP_SECURITY_MODE
   -p 7456:7456
   dtkmn/mcp-zap-server:latest

3. If you prefer Docker Compose (recommended for production):

   • Use the provided docker-compose.yml in the repository (or create one) to orchestrate ZAP and MCP ZAP Server together with MCP File System Server and a client UI if needed.
   • Run: docker-compose up -d

4. Optional: Build from source (not required if using the Docker image)

   • Prereqs: Java 17+, Gradle 9+
   • Clone the repo, then: ./gradlew clean build
   • Run the Spring Boot server locally (if you built outside Docker): java -jar build/libs/mcp-zap-server-*.jar

Notes:

• Always ensure your API keys are kept secret and not committed to version control.
• When running in production, prefer the JWT authentication mode and secure storage for keys.

Hints and tips:

• The server supports three auth modes: none, api-key, and jwt. For production, use jwt with a proper JWT secret and token exchange flow.
• Set ZAP_API_KEY in the environment to authorize ZAP REST API calls from the MCP server.
• Set MCP_API_KEY to authorize requests to the MCP server endpoints.
• The LOCAL_ZAP_WORKPLACE_FOLDER path should point to a persistent directory where ZAP can store state and reports.
• If using Docker, ensure Docker permissions allow network access to the target application and ZAP REST endpoints. Expose necessary ports (e.g., 7456 for MCP endpoints).
• For health checks, look for ZapHealthIndicator integration in the server to verify ZAP API connectivity.
• When upgrading, review CHANGELOG.md and release notes for breaking changes or required config updates.