# MCP ZAP Server — OWASP ZAP for Agents (Safe) > MCP ZAP Server exposes OWASP ZAP through MCP with operator guardrails (auth, policies, scopes) and Docker Compose setup for guided scans and reports. ## Install Merge the JSON below into your `.mcp.json`: ## Quick Use ```bash git clone https://github.com/dtkmn/mcp-zap-server.git cd mcp-zap-server ./bin/bootstrap-local.sh ./dev.sh ./bin/self-serve-doctor.sh # Open WebUI: http://localhost:3000 ; MCP: http://localhost:7456/mcp ``` ## Intro MCP ZAP Server exposes OWASP ZAP through MCP with operator guardrails (auth, policies, scopes) and Docker Compose setup for guided scans and reports. **Best for:** teams who want agentic web scanning with operator-controlled defaults **Works with:** Docker + Compose, MCP clients (Cursor example), Open WebUI client (bundled) **Setup time:** 10-20 minutes ### Key facts (verified) - GitHub: 53 stars · 9 forks · pushed 2026-05-13. - License: Apache-2.0 · owner avatar + repo URL verified via GitHub API. - README-verified entrypoint: `./bin/bootstrap-local.sh`. ## Main - Use the supported local happy path: bootstrap → dev → self-serve doctor (README explains what each script does). - Keep the default bind safe: README notes the Compose stack publishes host ports on 127.0.0.1 by default and warns about exposing to 0.0.0.0. - For agent clients, configure the MCP endpoint (`/mcp`) and follow the README Cursor config example path. ### Source-backed notes - README Quick Start lists `./bin/bootstrap-local.sh`, `./dev.sh`, and `./bin/self-serve-doctor.sh` as the supported local flow. - README states the Open WebUI UI is at `http://localhost:3000` and the MCP endpoint at `http://localhost:7456/mcp`. - README links a Cursor config example at `examples/cursor/mcp.json`. ### FAQ - **Is it affiliated with OWASP?**: No — README includes a note that it is not endorsed by OWASP/ZAP. - **Do I need Kubernetes?**: No — README says Docker Compose is the easiest install; Helm is for Kubernetes. - **Where is the MCP endpoint?**: README lists `http://localhost:7456/mcp` for host-side clients. ## Source & Thanks > Source: https://github.com/dtkmn/mcp-zap-server > License: Apache-2.0 > GitHub stars: 53 · forks: 9 --- ## Quick Use ```bash git clone https://github.com/dtkmn/mcp-zap-server.git cd mcp-zap-server ./bin/bootstrap-local.sh ./dev.sh ./bin/self-serve-doctor.sh # Open WebUI: http://localhost:3000 ; MCP: http://localhost:7456/mcp ``` ## Intro MCP ZAP Server 通过 MCP 暴露 OWASP ZAP,并提供鉴权/策略/权限范围等运维护栏;README 给出 Docker Compose 的本地一键路径用于引导式扫描与报告。 **Best for:** 想把 Web 扫描交给 agent,但仍要运维可控的团队 **Works with:** Docker + Compose;MCP 客户端(README 含 Cursor 示例);自带 Open WebUI 客户端 **Setup time:** 10-20 minutes ### Key facts (verified) - GitHub:53 stars · 9 forks;最近更新 2026-05-13。 - 许可证:Apache-2.0;作者头像与仓库链接均已通过 GitHub API 复核。 - README 中核对过的入口命令:`./bin/bootstrap-local.sh`。 ## Main - 按 README 推荐路径跑:bootstrap → dev → self-serve doctor(README 解释了每个脚本做什么)。 - 默认绑定更安全:README 说明 Compose 默认只在 127.0.0.1 暴露端口,并提示不要随意改成 0.0.0.0。 - 给 agent 客户端接入时,配置 MCP endpoint(`/mcp`),并参考 README 的 Cursor 配置示例。 ### Source-backed notes - README Quick Start 给出 `./bin/bootstrap-local.sh`、`./dev.sh`、`./bin/self-serve-doctor.sh` 的本地支持流程。 - README 写明 Open WebUI 地址 `http://localhost:3000`,MCP endpoint 为 `http://localhost:7456/mcp`。 - README 提供 Cursor 配置示例:`examples/cursor/mcp.json`。 ### FAQ - **这是 OWASP 官方项目吗?**:不是。README 明确说明不隶属/不背书 OWASP/ZAP。 - **必须上 Kubernetes 吗?**:不需要。README 推荐 Docker Compose;Helm 适用于 K8s。 - **MCP endpoint 是哪个?**:README 给出 `http://localhost:7456/mcp`。 ## Source & Thanks > Source: https://github.com/dtkmn/mcp-zap-server > License: Apache-2.0 > GitHub stars: 53 · forks: 9 --- Source: https://tokrepo.com/en/workflows/mcp-zap-server-owasp-zap-for-agents-safe Author: MCP Hub