Give AI agents a safe, self-hosted OWASP ZAP operator for guided web security scans, findings, reports, and production guardrails.
Note This project is not affiliated with or endorsed by OWASP or the OWASP ZAP project. It is an independent implementation.
mcp-zap-server exposes OWASP ZAP through MCP over streamable HTTP so agentic tools can run operator-controlled security workflows without brittle glue scripts or unsafe scanner access.
Use it when you want:
- safe agentic scanning with guided defaults for spider, active scan, passive scan, API imports, findings, and reports
- operator control through API-key or JWT auth, tool scopes, runtime policy bundles, rate limits, and audit events
- self-hosted deployment with Docker Compose for local adoption and Helm for Kubernetes
- expert ZAP access when you intentionally need lower-level ZAP context, user, scan, and report controls
Full documentation: danieltse.org/mcp-zap-server
Watch the demo: browser demo or YouTube
Prerequisites:
- Docker 20.10+
- Docker Compose v2 (
docker compose) - an MCP-capable client, or the bundled Open WebUI client
git clone https://github.com/dtkmn/mcp-zap-server.git
cd mcp-zap-server
./bin/bootstrap-local.sh
./dev.sh
./bin/self-serve-doctor.shThose scripts are the supported local happy path, not hidden magic:
bootstrap-local.shcreates.env, generates local API keys, and prepares the ZAP workspace.dev.shstarts the Docker Compose stack with the faster JVM image.self-serve-doctor.shchecks Docker, auth, MCP initialize,tools/list, guided tools, and a harmless tool call.
Then open:
- Open WebUI:
http://localhost:3000 - MCP endpoint for host-side clients:
http://localhost:7456/mcp - Cursor config example:
examples/cursor/mcp.json
When scanning the bundled demo targets, use the container URLs that ZAP can reach from inside Compose:
- Juice Shop scan target:
http://juice-shop:3000 - Petstore scan target:
http://petstore:8080
The default Compose stack publishes host ports on 127.0.0.1 only. Set MCP_ZAP_BIND_ADDRESS=0.0.0.0 only when you intentionally expose the stack behind trusted network controls.
Client setup:
- Self-Serve First Run
- MCP Access Authentication
- MCP Client Configuration
- Optional Target Form-Login
- Tool Surfaces
- Agent install notes
There are two independent authentication layers. The API key or JWT lets Cursor call MCP ZAP Server. An optional target-auth profile lets ZAP log in to an application you are authorized to scan. Most first runs need only the MCP API key; never put a target website password in Cursor or an MCP prompt.
This repository includes MCP Registry metadata in .mcp/server.json. The v0.10.0 Docker images are labeled with the MCP server name expected by registry and catalog tooling.
Docker Compose remains the easiest installation path because the MCP server is designed to operate with an OWASP ZAP sidecar and explicit auth keys. The OCI package metadata is for advanced standalone installs where OWASP ZAP is already running and reachable from the MCP container.
- Guided scans: intent-first tools for spider, active scan, passive scan, API imports, findings, reports, and scan history.
- Expert ZAP control: optional lower-level tools for advanced ZAP context, user, scan, and report workflows.
- Authentication: API key mode by default, optional JWT mode with refresh and revocation support.
- Runtime policy bundles: dry-run and enforcement support through
zap_policy_dry_runand policy-mode configuration. - Scan queue and history: queued active, spider, and AJAX Spider jobs with claim-based recovery, durable Postgres state, and evidence export.
- Extension contracts: experimental policy, protection, evidence metadata, and extension metadata APIs with sample extension packaging.
- Operational guardrails: request body limits, rate limits, workspace quotas, tool-scope authorization, structured logs, metrics, and audit events.
- Deployment paths: local Docker Compose, production-oriented Compose, and Helm charts for Kubernetes.
v0.10.0 secures guided target authentication and refreshes the runtime:
- operator-managed auth profiles bind credentials and login settings to one approved origin;
zap_auth_session_preparenow accepts onlyprofileIdandtargetUrl - form-login validation fails closed unless ZAP reports
likelyAuthenticated=true - Spring Boot
4.1.0, gateway-core and its WebFlux adapter0.7.1, Gradle9.6.1, and Spring AI retained at2.0.0 - Boot-managed Testcontainers
2.0.5with a separate Docker-backed test task before main and release image publication - a non-root UID/GID
1000runtime image plus first-timer Compose and Cursor guidance for optional form-login target authentication
Read the full notes:
The default posture is intentionally conservative:
api-keymode is the base runtime default.nonemode is for explicit local dev/test only.- Docker Compose binds published ports to loopback by default.
- URL validation blocks localhost, private networks, and link-local targets by default.
- Target authentication is optional and profiles default to an empty list. When enabled, guided auth binds an exact server-side credential reference and login settings to one approved origin; callers provide only
profileIdandtargetUrl. - Public auth exchange endpoints are rate-limited.
- MCP request bodies have a hard early size cap.
Production and shared deployments should review:
- Security Modes
- JWT Authentication
- Optional Target Form-Login
- Authenticated Scanning Reference
- Abuse Protection
- Production Readiness Checklist
- Security Policy
flowchart LR
Client["Open WebUI / MCP Client"] -->|"MCP over Streamable HTTP"| MCP["MCP ZAP Server"]
MCP -->|"ZAP API"| ZAP["OWASP ZAP"]
ZAP -->|"scan"| Target["Authorized target app"]
MCP -->|"reports / findings / history"| Evidence["Evidence + reports"]
For multi-replica queueing, durable Postgres state, claim recovery, and ingress affinity, use the operations docs instead of this README:
ZAP is the first scanner engine, not the whole product boundary. The current public extension work is intentionally small:
mcp-zap-extension-apipackages selected policy, protection, evidence, and metadata contracts without gateway runtime internals.- How extensions work explains the core versus extension boundary.
- Build your own extension shows the target standalone repository shape.
- Extension API release policy explains publication stages and compatibility gates.
- Standalone sample extension proves a separate project can compile against the API artifact.
This is not runtime multi-engine support yet. Additional scanner engines need an adapter design and explicit fail-closed capability boundaries before they become product claims.
Start here:
- Full documentation
- Self-Serve First Run
- OSS Extension Model
- MCP Access Authentication
- MCP Client Authentication
- Optional Target Form-Login
- Tool Surfaces
Scanning:
- MCP Client Scan To Evidence
- Scan Execution Modes
- Seeded API Gate Playbook
- API Schema Imports
- AJAX Spider
- Findings and Reports
Operations:
- Runtime Policy Bundles
- Observability
- Production Checklist
- Release Evidence Handoff
- Native Image Performance
mcp-zap-server is the Apache-2.0-licensed open-source core. It is intended to be useful on its own for self-hosted MCP and OWASP ZAP workflows.
Private or enterprise capabilities may be built as separate extensions around this core. Those extensions are not required to run the OSS project, and enterprise implementation code is not shipped in this repository.
The boundary is intentional:
- this repository remains the public OSS distribution
- extension points should be documented and kept stable where practical
- private extensions must not weaken the security, licensing, or usability of the OSS core
- security scanning and open-source program entitlements for this repository apply only to this public project
If this project saves you time or becomes part of your security workflow, you can sponsor the maintainer to support ongoing maintenance.
Agentic Lab offers optional paid support for teams adopting the public core in production. Commercial support is separate from the Apache-2.0-licensed OSS distribution, and the public core should remain usable without private extensions or paid services.
Apache License 2.0. Copyright 2025-2026 Daniel Tse. See LICENSE.
