Is io.github.dtkmn/mcp-zap-server safe to use?

io.github.dtkmn/mcp-zap-server has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments.

How do I install io.github.dtkmn/mcp-zap-server?

io.github.dtkmn/mcp-zap-server can be installed by cloning its GitHub repository and following the setup instructions in the README.

What AI clients work with io.github.dtkmn/mcp-zap-server?

io.github.dtkmn/mcp-zap-server is compatible with claude-desktop, cursor, claude-code. It uses stdio transport.

Is io.github.dtkmn/mcp-zap-server actively maintained?

io.github.dtkmn/mcp-zap-server is actively maintained — last commit was 5 days ago. It has 53 GitHub stars.

io.github.dtkmn/mcp-zap-server

Safe, self-hosted OWASP ZAP operator for guided AI security scans and reports.

53 0 tools GitHub

No known CVEs

No license

Actively maintained

Last commit 5d ago

Works with most clients

Transport: stdio

0 tools

Grade F

Edit this pageView history

Security

Step 1

Install in your client

Config is the same across clients — only the file and path differ.

Supported in Claude Desktopstdio · Node 18+

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "io-github-dtkmn-mcp-zap-server": {
      "command": "<see-readme>",
      "args": []
    }
  }
}

Are you the author?

Add this badge to your README to show your security score and help users find safe servers.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/io-github-dtkmn-mcp-zap-server)](https://mcppedia.org/s/io-github-dtkmn-mcp-zap-server)

Read me

What io.github.dtkmn/mcp-zap-server does

Give AI agents a safe, self-hosted OWASP ZAP operator for guided web security scans, findings, reports, and production guardrails.

Test This Server

No automated test available for this server. Check the GitHub README for setup instructions.

Loading README…

Scored, not listed

Why this score

Five weighted categories — click any category to see the underlying evidence.

Score breakdown

37/100across 5 weighted dimensions

How we score →

0255075100

−63

Security

Maintenance

Efficiency

Documentation

Compatibility

Categoriesclick a row to see evidence

Security

OSV.dev

No known CVEs.

No package registry to scan.

Community

Reviews

Be the first to review

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

Frequently Asked Questions

Is io.github.dtkmn/mcp-zap-server safe to use?: io.github.dtkmn/mcp-zap-server has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments.
How do I install io.github.dtkmn/mcp-zap-server?: io.github.dtkmn/mcp-zap-server can be installed by cloning its GitHub repository and following the setup instructions in the README.
What AI clients work with io.github.dtkmn/mcp-zap-server?: io.github.dtkmn/mcp-zap-server is compatible with claude-desktop, cursor, claude-code. It uses stdio transport.
Is io.github.dtkmn/mcp-zap-server actively maintained?: io.github.dtkmn/mcp-zap-server is actively maintained — last commit was 5 days ago. It has 53 GitHub stars.

Similar servers

Others in security

View all →

Evil Mcp Server93

An evil MCP server used for redteam testing

30 1

Ida Pro Mcp92

AI-powered reverse engineering assistant that bridges IDA Pro with language models through MCP.

8.7k 3

Iam Policy Autopilot90

IAM Policy Autopilot is an open source static code analysis tool that helps you quickly create baseline AWS IAM policies that you can refine as your application evolves. This tool is available as a command-line utility and MCP server for use within AI coding assistants for quickly building IAM policies.

361 1

io.github.peacprotocol/peac90

Signed receipts for agent, API, and MCP interactions. Portable and offline-verifiable.

11 5

MCP Security Weekly

Get CVE alerts and security updates for io.github.dtkmn/mcp-zap-server and similar servers.

Community

Discussion

Start a conversation

Ask a question, share a tip, or report an issue.

Has anyone used this with Cursor?How do you handle auth?Any alternatives?

Edit this pageView history

Security

Step 1

Install in your client

Config is the same across clients — only the file and path differ.

Supported in Claude Desktopstdio · Node 18+

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "io-github-dtkmn-mcp-zap-server": {
      "command": "<see-readme>",
      "args": []
    }
  }
}

Are you the author?

Add this badge to your README to show your security score and help users find safe servers.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/io-github-dtkmn-mcp-zap-server)](https://mcppedia.org/s/io-github-dtkmn-mcp-zap-server)

Read me

What io.github.dtkmn/mcp-zap-server does

Give AI agents a safe, self-hosted OWASP ZAP operator for guided web security scans, findings, reports, and production guardrails.

Test This Server

No automated test available for this server. Check the GitHub README for setup instructions.

README

MCP ZAP Server

Give AI agents a safe, self-hosted OWASP ZAP operator for guided web security scans, findings, reports, and production guardrails.

Note This project is not affiliated with or endorsed by OWASP or the OWASP ZAP project. It is an independent implementation.

mcp-zap-server exposes OWASP ZAP through MCP over streamable HTTP so agentic tools can run operator-controlled security workflows without brittle glue scripts or unsafe scanner access.

Use it when you want:

safe agentic scanning with guided defaults for spider, active scan, passive scan, API imports, findings, and reports
operator control through API-key or JWT auth, tool scopes, runtime policy bundles, rate limits, and audit events
self-hosted deployment with Docker Compose for local adoption and Helm for Kubernetes
expert ZAP access when you intentionally need lower-level ZAP context, user, scan, and report controls

Full documentation: danieltse.org/mcp-zap-server

Watch the demo: browser demo or YouTube

Quick Start

Prerequisites:

Docker 20.10+
Docker Compose v2 (docker compose)
an MCP-capable client, or the bundled Open WebUI client

git clone https://github.com/dtkmn/mcp-zap-server.git
cd mcp-zap-server

./bin/bootstrap-local.sh
./dev.sh
./bin/self-serve-doctor.sh

Those scripts are the supported local happy path, not hidden magic:

bootstrap-local.sh creates .env, generates local API keys, and prepares the ZAP workspace.
dev.sh starts the Docker Compose stack with the faster JVM image.
self-serve-doctor.sh checks Docker, auth, MCP initialize, tools/list, guided tools, and a harmless tool call.

Then open:

Open WebUI: http://localhost:3000
MCP endpoint for host-side clients: http://localhost:7456/mcp
Cursor config example: examples/cursor/mcp.json

When scanning the bundled demo targets, use the container URLs that ZAP can reach from inside Compose:

Juice Shop scan target: http://juice-shop:3000
Petstore scan target: http://petstore:8080

The default Compose stack publishes host ports on 127.0.0.1 only. Set MCP_ZAP_BIND_ADDRESS=0.0.0.0 only when you intentionally expose the stack behind trusted network controls.

Client setup:

Discovery Metadata

This repository includes MCP Registry metadata in .mcp/server.json. The v0.8.0 Docker images are labeled with the MCP server name expected by registry and catalog tooling.

Docker Compose remains the easiest installation path because the MCP server is designed to operate with an OWASP ZAP sidecar and expl

... View full README on GitHub

Loading README…

Scored, not listed

Why this score

Five weighted categories — click any category to see the underlying evidence.

Score breakdown

37/100across 5 weighted dimensions

How we score →

0255075100

−63

Security

Maintenance

Efficiency

Documentation

Compatibility

Categoriesclick a row to see evidence

Security

OSV.dev

No known CVEs.

No package registry to scan.

Community

Reviews

Be the first to review

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

Frequently Asked Questions

Is io.github.dtkmn/mcp-zap-server safe to use?: io.github.dtkmn/mcp-zap-server has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments.
How do I install io.github.dtkmn/mcp-zap-server?: io.github.dtkmn/mcp-zap-server can be installed by cloning its GitHub repository and following the setup instructions in the README.
What AI clients work with io.github.dtkmn/mcp-zap-server?: io.github.dtkmn/mcp-zap-server is compatible with claude-desktop, cursor, claude-code. It uses stdio transport.
Is io.github.dtkmn/mcp-zap-server actively maintained?: io.github.dtkmn/mcp-zap-server is actively maintained — last commit was 5 days ago. It has 53 GitHub stars.