pentestMCP

pentestMCP: AI-powered penetration testing via MCP, an MCP server designed for penetration testers.

Installation
Run this command in your terminal to add the MCP server to Claude Code.
claude mcp add --transport stdio ramkansal-pentestmcp docker run -i ramgameer/pentest-mcp:latest \
  --env MCP_PORT="8080" \
  --env MCP_LOG_LEVEL="info"

How to use

pentestMCP exposes a collection of offensive security tools (e.g., Nmap, Nuclei, ZAP, SQLMap, Gobuster) as MCP-compatible tools that can be invoked by an MCP client host. The server runs inside Docker and communicates with a client host via stdio, allowing AI agents and CLIs to request tool executions, monitor long-running scans asynchronously, and receive structured results.

To use it, first launch the server (via the docker command above) so that MCP clients can discover and call tools such as run_nmap_scan, run_zap_active_scan, or run_sqlmap. Clients can enumerate available tools, decide which to run based on the target and context, and then issue tools/call requests with the appropriate parameters.

The system is designed to handle long-running scans without blocking the interaction flow by using asynchronous launch/fetch patterns, and it manages concurrency with a semaphore to prevent resource contention. For workflow examples, you can chain tool calls (e.g., discover open ports with Nmap, then feed those results into a web vulnerability scanner like ZAP) within your MCP client host integrations (Claude Desktop, VS Code Copilot, etc.).
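
The launch/fetch pattern with a semaphore limit described above, shown as an added Python example (not pentestMCP's own code). JobManager, launch, fetch and fake_scan are hypothetical names, and fake_scan is a constructed stand-in that only sleeps and touches no network.

```python
import asyncio

class JobManager:
    """Launch/fetch job table. All names are hypothetical, not pentestMCP's API."""
    def __init__(self, max_concurrent):
        self._sem = asyncio.Semaphore(max_concurrent)
        self._jobs = {}    # job_id -> {"status": ..., "result": ...}
        self._tasks = []
        self._running = 0
        self.peak = 0      # highest number of jobs observed running at once

    def launch(self, work, *args):
        # Register the job and hand back an id at once; the work runs later.
        job_id = f"job-{len(self._jobs) + 1}"
        self._jobs[job_id] = {"status": "queued", "result": None}
        self._tasks.append(asyncio.create_task(self._run(job_id, work, args)))
        return job_id

    async def _run(self, job_id, work, args):
        async with self._sem:    # waits here while the limit is reached
            self._running += 1
            self.peak = max(self.peak, self._running)
            self._jobs[job_id]["status"] = "running"
            try:
                result = await work(*args)
                self._jobs[job_id].update(status="done", result=result)
            except Exception as exc:    # a failed job must not stay "running"
                self._jobs[job_id].update(status="error", result=str(exc))
            finally:
                self._running -= 1

    def fetch(self, job_id):
        """Non-blocking poll; an unknown id is reported rather than raised."""
        return dict(self._jobs.get(job_id, {"status": "unknown", "result": None}))

async def fake_scan(target, seconds):
    """Constructed stand-in for a long-running tool; does no network I/O."""
    await asyncio.sleep(seconds)
    if not target:
        raise ValueError("empty target")
    return {"target": target, "findings": []}

async def _demo():
    mgr = JobManager(max_concurrent=2)
    targets = ("a.example", "b.example", "c.example", "")   # constructed input
    ids = [mgr.launch(fake_scan, t, 0.05) for t in targets]
    early = [mgr.fetch(i)["status"] for i in ids]   # polled before anything ran
    await asyncio.gather(*mgr._tasks)
    return early, [mgr.fetch(i) for i in ids], mgr.peak

def demo():
    return asyncio.run(_demo())
```

The semaphore size is the control that keeps a client from starting an unbounded number of scans at once; the error branch ensures a crashed job is visible to the poller instead of appearing to run forever.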

How to install

Prerequisites:

  • Docker Desktop (Windows/macOS) or Docker Engine (Linux) installed and running
  • (Optional) Git if you plan to build locally

Recommended method (pre-built Docker image):

  1. Ensure Docker is running on your machine.
  2. Pull and run the pre-built image:
     docker pull ramgameer/pentest-mcp:latest
     docker run -it --rm ramgameer/pentest-mcp:latest

Alternative method (build locally):

  1. Install Git (if not already installed).
  2. Clone the repository and navigate to it:
     git clone https://github.com/ramkansal/pentestMCP.git
     cd pentestMCP
  3. Build a custom image: docker build -t pentest-mcp-server:custom .
  4. Run the custom image: docker run -it --rm pentest-mcp-server:custom

Notes:

  • If you plan to use wordlists for certain tools, you may need to clone the SecLists repository inside the container or mount it as a volume.
  • Ensure any required external services (e.g., ZAP) are accessible from inside the container if you enable related tools.

Example docker run command (adjust according to your environment): docker run -i ramgameer/pentest-mcp:latest

Additional notes

Environment and configuration tips:

  • The recommended run mode is via the pre-built Docker image for consistency and ease of use.
  • You can control logging verbosity by setting MCP_LOG_LEVEL to debug/info/warn.
  • If you need to access long-running scans, use the asynchronous launch/fetch patterns described in the README so the MCP client can poll results without blocking.
  • When running locally, ensure the host has network access to any targets and to internal tools (e.g., ZAP) if they are enabled inside the container.
  • For Claude Desktop or VS Code Copilot integrations, configure your MCP client host to connect to the container stdin channel as described in the client host integration section of the README.
  • If you see permission or network issues, verify Docker permissions and that the container has access to required resources (e.g., wordlists).