io.github.dtkmn/mcp-zap-server icon
io.github.dtkmn

mcp-zap-server

MCP ZAP Server

Safe, self-hosted OWASP ZAP operator for guided AI security scans and reports.

Streamable HTTPcommunityapplication

Package Details

ghcr.io/dtkmn/mcp-zap-server:v0.8.0

https://github.com/dtkmn/mcp-zap-server/pkgs/container/mcp-zap-server
TransportStreamable HTTP
Runtimedocker

Runtime Arguments

Named
--network
mcp-zap-networkDocker network containing the separately running OWASP ZAP daemon.
--user
1000:1000Run with the standard zaproxy/zap-stable UID/GID so shared report workspace files remain writable by both containers.
-p
127.0.0.1:7456:7456Expose the streamable HTTP MCP endpoint on localhost.
-v
mcp-zap-wrk:/zap/wrkNamed report workspace volume. The external OWASP ZAP container must mount the same volume at /zap/wrk.

Environment Variables

ZAP_API_URL
Default:mcp-zap-zap

Hostname or URL of a separately running OWASP ZAP daemon reachable from this container.

ZAP_API_PORT
Default:8090

OWASP ZAP API port.

ZAP_API_KEY
RequiredSecret

API key configured on the OWASP ZAP daemon.

MCP_API_KEY
RequiredSecret

API key clients must send as X-API-Key.

MCP_SERVER_TOOLS_SURFACE
Default:guided

Tool surface to expose. Use guided for the safer default workflow, or expert when clients need raw ZAP tools such as zap_report_read.

MCP_SECURITY_MODE
MCP_SECURITY_ENABLED
MCP_SECURITY_ALLOW_PLACEHOLDER_API_KEY

docker.io/dtkmn/mcp-zap-server:v0.8.0

https://hub.docker.com/r/dtkmn/mcp-zap-server
TransportStreamable HTTP
Runtimedocker

Runtime Arguments

Named
--network
mcp-zap-networkDocker network containing the separately running OWASP ZAP daemon.
--user
1000:1000Run with the standard zaproxy/zap-stable UID/GID so shared report workspace files remain writable by both containers.
-p
127.0.0.1:7456:7456Expose the streamable HTTP MCP endpoint on localhost.
-v
mcp-zap-wrk:/zap/wrkNamed report workspace volume. The external OWASP ZAP container must mount the same volume at /zap/wrk.

Environment Variables

ZAP_API_URL
Default:mcp-zap-zap

Hostname or URL of a separately running OWASP ZAP daemon reachable from this container.

ZAP_API_PORT
Default:8090

OWASP ZAP API port.

ZAP_API_KEY
RequiredSecret

API key configured on the OWASP ZAP daemon.

MCP_API_KEY
RequiredSecret

API key clients must send as X-API-Key.

MCP_SERVER_TOOLS_SURFACE
Default:guided

Tool surface to expose. Use guided for the safer default workflow, or expert when clients need raw ZAP tools such as zap_report_read.

MCP_SECURITY_MODE
MCP_SECURITY_ENABLED
MCP_SECURITY_ALLOW_PLACEHOLDER_API_KEY