MCP ZAP Server

io.github.dtkmn/mcp-zap-server · v0.8.0 · Security
Quality Score: 91/100

Safe, self-hosted OWASP ZAP operator for guided AI security scans and reports.

§00  Trust verdict · v1 advisory ·  method
UNVERIFIED · no verdict on file

Verdict not yet evaluated for this tool. The hybrid eval runs adversarial cases first; coverage rolls out as the corpus expands. Until a verdict is recorded, an agent should treat this tool as not-yet-cleared and fall back to its own checks. Method: hybrid eval, four-state verdict, honest limits.

§01  Install
Claude Desktop (Docker)
{
  "mcpServers": {
    "mcp-zap-server": {
      "command": "docker",
      "args": [
        "run",
        "--rm",
        "-i",
        "ghcr.io/dtkmn/mcp-zap-server:v0.8.0"
      ],
      "env": {
        "ZAP_API_URL": "mcp-zap-zap",
        "ZAP_API_PORT": "8090",
        "ZAP_API_KEY": "<your-zap_api_key>",
        "MCP_API_KEY": "<your-mcp_api_key>",
        "MCP_SERVER_TOOLS_SURFACE": "guided",
        "MCP_SECURITY_MODE": "<mcp_security_mode>",
        "MCP_SECURITY_ENABLED": "<mcp_security_enabled>",
        "MCP_SECURITY_ALLOW_PLACEHOLDER_API_KEY": "<mcp_security_allow_placeholder_api_key>"
      }
    }
  }
}
§02  Environment variables
ZAP_API_URL

Hostname or URL of a separately running OWASP ZAP daemon reachable from this container.

ZAP_API_PORT

OWASP ZAP API port.

ZAP_API_KEY
required · secret

API key configured on the OWASP ZAP daemon.

MCP_API_KEY
required · secret

API key clients must send as X-API-Key.

MCP_SERVER_TOOLS_SURFACE

Tool surface to expose. Use guided for the safer default workflow, or expert when clients need raw ZAP tools such as zap_report_read.

MCP_SECURITY_MODE

no description

MCP_SECURITY_ENABLED

no description

MCP_SECURITY_ALLOW_PLACEHOLDER_API_KEY

no description

§03  MCP Quality Score  ·  methodology
freshness: 25
completeness: 25
installability: 25
documentation: 11
stability: 5