dotnet-zap-mcp

MCP (Model Context Protocol) server for OWASP ZAP. Enables AI agents (Claude, GitHub Copilot, etc.) to drive ZAP vulnerability scanning via MCP.

Features

• 45 MCP tools for controlling OWASP ZAP (scanning, alerts, spider, ajax spider, context, authentication, reports, etc.)
• Built-in Docker Compose management (start/stop ZAP with a single tool call)
• Zero-config setup: auto-generates API keys and extracts Docker assets
• Works with any MCP-compatible client (Claude Desktop, VS Code, etc.)

Installation

dotnet tool install -g dotnet-zap-mcp

Prerequisites

• .NET 10 SDK
• Docker (Docker Engine or Docker Desktop) with docker compose support (for built-in ZAP container management)

Configuration

Zero-config (recommended)

No configuration needed. The agent calls DockerComposeUp which automatically:

1. Extracts Docker assets to ~/.zap-mcp/docker/
2. Generates a random API key
3. Starts the ZAP container on localhost:8090
4. Waits for ZAP to become healthy

Data persistence

The ZAP container uses two Docker named volumes:

Volume	Container Path	Purpose
zap-home	/home/zap/.ZAP	ZAP settings, contexts, sessions, scan policies (persisted across restarts)
zap-data	/zap/wrk/data	Shared directory for reports, session files, and context import/export

On the first launch, the template config.xml is copied into zap-home. On subsequent launches, only the API key is updated — any changes made through ZAP (contexts, authentication settings, scan policies, etc.) are preserved.

The zap-data volume contains:

• reports/ — generated scan reports
• sessions/ — saved ZAP sessions
• contexts/ — exported context files

Claude Desktop / Claude Code

Add to your MCP configuration:

{
  "mcpServers": {
    "zap": {
      "command": "zap-mcp"
    }
  }
}

VS Code (Copilot)

Add to .vscode/mcp.json:

{
  "servers": {
    "zap": {
      "command": "zap-mcp"
    }
  }
}

With existing ZAP instance

If you already have a ZAP instance running, pass connection details via environment variables:

{
  "mcpServers": {
    "zap": {
      "command": "zap-mcp",
      "env": {
        "ZAP_BASE_URL": "http://localhost:8090",
        "ZAP_API_KEY": "your-api-key"
      }
    }
  }
}

Available Tools

Docker Management

Tool	Parameters	Description
DockerComposeUp	—	Start the ZAP container and wait for healthy
DockerComposeDown	—	Stop and remove the ZAP container
DockerComposeStatus	—	Check container status
DockerComposeLogs	tail	Get recent container logs

ZAP Core

Tool	Parameters	Description
GetVersion	—	Verify ZAP connectivity
GetHosts	—	List recorded hosts
GetSites	—	List recorded sites
GetUrls	baseUrl	List recorded URLs for a base URL

Spider

Tool	Parameters	Description
StartSpider	url, maxChildren, recurse, subtreeOnly, contextName	Start a spider scan to crawl and discover pages
GetSpiderStatus	scanId	Check spider progress (0-100%)
GetSpiderResults	scanId	Get URLs discovered by spider
StopSpider	scanId	Stop a running spider scan

Active Scan

| Tool | Parameters | Descrip

... View full README on GitHub