mcp-zap-server
Verified Safeby dtkmn
Overview
Exposes OWASP ZAP actions as Model Context Protocol (MCP) tools, enabling AI agents (e.g., Claude Desktop, Cursor) to orchestrate security scanning operations, import OpenAPI specs, and generate reports.
Installation
./dev.shEnvironment Variables
- ZAP_API_KEY
- MCP_API_KEY
- LOCAL_ZAP_WORKPLACE_FOLDER
- JWT_SECRET
Security Notes
The server implements robust security measures including three authentication modes (none, API Key, JWT), comprehensive URL validation (blocking private networks and localhost by default), and configurable scan limits. JWT authentication leverages Spring Security OAuth2 with token expiration, refresh, and blacklisting. CSRF protection is intentionally disabled and justified by OWASP API security best practices, as the server is API-only and uses token-based authentication (not cookies). Environment variables are used for sensitive configurations, with clear warnings for 'none' security mode. It is safe to run when configured with secure API keys and JWT secrets in appropriate security modes.
Similar Servers
kubernetes-mcp-server
Provides a Model Context Protocol (MCP) server for AI agents to interact with Kubernetes and OpenShift clusters, enabling AI-driven cluster management and diagnosis.
VibeShift
VibeShift is an intelligent security agent that integrates with AI coding assistants to analyze AI-generated code for vulnerabilities, suggest remediations, and facilitate web test recording, crawling, and execution.
azure-devops-mcp-server
Exposes Azure DevOps operations as tools for AI assistants, enabling AI agents to automate tasks like creating work items, managing pull requests, and queuing builds.
MCP-Agent
An AI agent for discovering, connecting to, and interacting with Model Context Protocol (MCP) servers and their provided tools, resources, and prompts.