MCP ZAP Server

Name: MCP ZAP Server
Author: dtkmn

dtkmn/mcp-zap-server

Run guided OWASP ZAP security scans and reports through MCP while keeping ZAP self-hosted and separated from the MCP container for safer agent-driven testing.

Overview

MCP ZAP Server is a Ship-phase MCP server for security that operates a self-hosted OWASP ZAP instance for guided AI-driven scans and reports.

What is this MCP server?

Safe, self-hosted OWASP ZAP operator with guided AI scan flows and report retrieval
Registry v0.8.0 with streamable-http on localhost:7456 and required X-API-Key header
Docker Compose documented as easiest path; ZAP runs as external daemon on shared network volume
Publisher notes: mount mcp-zap-wrk:/zap/wrk so MCP can read ZAP-generated reports (UID/GID 1000:1000)
Server registry version 0.8.0
Default MCP URL: http://localhost:7456/mcp (streamable-http)
OWASP ZAP is an external dependency—not bundled in the MCP image

Compatible agents: Claude Code, Cursor, Codex, any compatible agent

Community signal: 55 GitHub stars.

What problem does it solve?

Solo devs know they should run ZAP before launch but stall on Docker networking, volumes, and safe agent access to the scanner.

Who is it for?

Indie builders self-hosting OWASP ZAP who want agent-guided DAST with separated MCP and ZAP containers before shipping.

Skip if: Teams wanting fully managed cloud pentest, or anyone unwilling to run and maintain an external ZAP daemon and shared wrk volume.

What do I get? / Deliverables

After Compose setup, API key config, and linked ZAP daemon, your agent can request guided scans and read reports via MCP instead of manual ZAP UI-only workflows.

Agent-triggered guided OWASP ZAP scans
Security reports readable via MCP from ZAP wrk volume
Keyed streamable-http MCP surface on port 7456

Recommended MCP Servers

1Claw Vault1clawAI/1claw-mcp

1Claw Vault exposes a stdio MCP server (@1claw/mcp) that connects AI agents to HSM-backed secret storage with just-in-ti…2 stars

1passwordCakeRepository/1Password-MCP

The 1Password MCP server lets solo builders wire service-account access into Claude Code, Cursor, or other stdio MCP hos…16 stars

402sentinel Mcpkaditang/402sentinel-mcp

402 Sentinel MCP gives solo builders and agent authors a pre-flight check before honoring x402 payment flows on Base. In…1 stars

A2adependencyinspector Mcpclauxel/a2a-dependency-inspector-mcp

A2A Dependency Inspector MCP is a hosted Clauxel server for builders shipping agent-to-agent (A2A) workflows who must pr…

A2a Governance Bridge Mcp

A2A Governance Bridge is a Model Context Protocol server that exposes governance-oriented tools for multi-agent setups: …

A2aidentitytoll Mcpclauxel/a2a-identity-toll-mcp

A2A Identity Toll MCP is a Clauxel-hosted remote MCP server that acts as an identity and policy toll booth for agent-to-…

Journey fit

Primary fit

Dynamic app scanning belongs in Ship before you launch untested endpoints, not in early idea research. Security subphase covers DAST-style verification and vulnerability reporting workflows solo builders run pre-release.

How it compares

Self-hosted OWASP ZAP MCP operator, not a passive secure-coding linter skill.

Common Questions / FAQ

Who is MCP ZAP Server for?

It is for developers who run OWASP ZAP locally or in Docker and want Claude Code or similar agents to trigger guided scans and fetch reports through MCP.

When should I use MCP ZAP Server?

Use it in ship and security workflows before launch or after major API changes when you need DAST evidence, not during initial product ideation.

How do I add MCP ZAP Server to my agent?

Follow the repo docker-compose and llms-install.md path, start ZAP separately on the configured network, set X-API-Key on http://localhost:7456/mcp, mount the shared /zap/wrk volume, then register the HTTP MCP server in your client.

MCP ZAP Server

dtkmn/mcp-zap-server

Run guided OWASP ZAP security scans and reports through MCP while keeping ZAP self-hosted and separated from the MCP container for safer agent-driven testing.

Overview

MCP ZAP Server is a Ship-phase MCP server for security that operates a self-hosted OWASP ZAP instance for guided AI-driven scans and reports.

What is this MCP server?

Safe, self-hosted OWASP ZAP operator with guided AI scan flows and report retrieval
Registry v0.8.0 with streamable-http on localhost:7456 and required X-API-Key header
Docker Compose documented as easiest path; ZAP runs as external daemon on shared network volume
Publisher notes: mount mcp-zap-wrk:/zap/wrk so MCP can read ZAP-generated reports (UID/GID 1000:1000)
Server registry version 0.8.0
Default MCP URL: http://localhost:7456/mcp (streamable-http)
OWASP ZAP is an external dependency—not bundled in the MCP image

Compatible agents: Claude Code, Cursor, Codex, any compatible agent

Community signal: 55 GitHub stars.

What problem does it solve?

Solo devs know they should run ZAP before launch but stall on Docker networking, volumes, and safe agent access to the scanner.

Who is it for?

Indie builders self-hosting OWASP ZAP who want agent-guided DAST with separated MCP and ZAP containers before shipping.

Skip if: Teams wanting fully managed cloud pentest, or anyone unwilling to run and maintain an external ZAP daemon and shared wrk volume.

What do I get? / Deliverables

After Compose setup, API key config, and linked ZAP daemon, your agent can request guided scans and read reports via MCP instead of manual ZAP UI-only workflows.

Agent-triggered guided OWASP ZAP scans
Security reports readable via MCP from ZAP wrk volume
Keyed streamable-http MCP surface on port 7456

Recommended MCP Servers

1Claw Vault1clawAI/1claw-mcp

1Claw Vault exposes a stdio MCP server (@1claw/mcp) that connects AI agents to HSM-backed secret storage with just-in-ti…2 stars

1passwordCakeRepository/1Password-MCP

The 1Password MCP server lets solo builders wire service-account access into Claude Code, Cursor, or other stdio MCP hos…16 stars

402sentinel Mcpkaditang/402sentinel-mcp

402 Sentinel MCP gives solo builders and agent authors a pre-flight check before honoring x402 payment flows on Base. In…1 stars

A2adependencyinspector Mcpclauxel/a2a-dependency-inspector-mcp

A2A Dependency Inspector MCP is a hosted Clauxel server for builders shipping agent-to-agent (A2A) workflows who must pr…

A2a Governance Bridge Mcp

A2A Governance Bridge is a Model Context Protocol server that exposes governance-oriented tools for multi-agent setups: …

A2aidentitytoll Mcpclauxel/a2a-identity-toll-mcp

A2A Identity Toll MCP is a Clauxel-hosted remote MCP server that acts as an identity and policy toll booth for agent-to-…

Journey fit

Primary fit

How it compares

Self-hosted OWASP ZAP MCP operator, not a passive secure-coding linter skill.

Common Questions / FAQ

Who is MCP ZAP Server for?

It is for developers who run OWASP ZAP locally or in Docker and want Claude Code or similar agents to trigger guided scans and fetch reports through MCP.

When should I use MCP ZAP Server?

Use it in ship and security workflows before launch or after major API changes when you need DAST evidence, not during initial product ideation.

Overview

What is this MCP server?

What problem does it solve?

Who is it for?

What do I get? / Deliverables

Recommended MCP Servers

Journey fit

Who is MCP ZAP Server for?

When should I use MCP ZAP Server?

How do I add MCP ZAP Server to my agent?

This week for builders

Overview

What is this MCP server?

What problem does it solve?

Who is it for?

What do I get? / Deliverables

Recommended MCP Servers

Journey fit

Who is MCP ZAP Server for?

When should I use MCP ZAP Server?

How do I add MCP ZAP Server to my agent?