🔒

OWASP ZAP MCP

Updated June 2026

The OWASP ZAP MCP MCP server, built by community, provides oWASP ZAP security scanner — launch active scans, spider URLs, and retrieve vulnerability findings via MCP. It is community-built and best for Security.

by community

About

OWASP ZAP security scanner — launch active scans, spider URLs, and retrieve vulnerability findings via MCP.

Installation

pip
pip install owasp-zap-mcp

Categories

Frequently Asked Questions

What is OWASP ZAP MCP?
OWASP ZAP MCP is an MCP server built by community. OWASP ZAP security scanner — launch active scans, spider URLs, and retrieve vulnerability findings via MCP.
Who built OWASP ZAP MCP?
OWASP ZAP MCP was built by community.
Is OWASP ZAP MCP free?
Yes, OWASP ZAP MCP has a free option. This MCP server is free and open-source. Check the GitHub repository for details.
How do I install OWASP ZAP MCP?
Install OWASP ZAP MCP with pip: pip install owasp-zap-mcp
What does OWASP ZAP MCP integrate with?
OWASP ZAP MCP integrates with Claude Desktop, Cursor, VS Code.

Repo Health

Local install

Local/stdio install — runs on your machine, so there is no remote endpoint to verify live. Trust signal below is from the source repo.

Repo recency not yet available for this server.

Quick Info

Install Type
pip
Author
community
Categories
1
Integrations
3

Related Servers

🔒

Snyk MCP Server (Community)

There is no official, Snyk-published Model Context Protocol server as of this writing — a commonly referenced `snyk/mcp-server` repo does not exist. The most active real alternative is sammcj/mcp-snyk, a community-built, MIT-licensed MCP server that wraps Snyk's API and CLI for agentic security scanning (marked alpha by its author, so expect rough edges). It exposes tools to scan a GitHub or GitLab repository by URL for vulnerabilities, scan an existing Snyk project by ID, and verify that a configured API token is valid, returning the associated user and organization info. Authentication uses a Snyk API token and an org ID, supplied via `SNYK_API_KEY`/`SNYK_ORG_ID` environment variables, falling back to the locally configured Snyk CLI org if one isn't set explicitly. Install with `npx -y github:sammcj/mcp-snyk` in your MCP client config (Claude Desktop, Cursor, etc.). Typical use: ask Claude to "scan https://github.com/org/repo for security vulnerabilities using Snyk" and get back a structured findings summary instead of switching to the Snyk web console. Snyk's own engineering org separately maintains snyk/agentic-integration-wrappers, a set of wrappers for plugging Snyk scanning into agentic workflows more broadly — worth checking if this community MCP server doesn't cover your use case, since it isn't an official Snyk product and has no guaranteed support or roadmap.

Local
🔒

SonarQube MCP Server

The official SonarQube MCP Server, built and maintained by SonarSource, connects AI agents like Claude, Cursor, and VS Code Copilot to SonarQube Server or SonarQube Cloud so code quality and security become part of the agent's workflow rather than a separate CI step. Through it an assistant can pull the projects a token can see, retrieve open issues and code smells, inspect quality gate status and project metrics, and — notably — analyze a code snippet directly inside the agent context without the code first being committed and scanned by a pipeline, which lets Claude check its own just-written code against SonarQube's rules before you ever push. Authentication is a SonarQube user token supplied via the `SONARQUBE_TOKEN` environment variable; SonarQube Cloud users also set `SONARQUBE_ORG` (organization key), and self-hosted SonarQube Server users set `SONARQUBE_URL` to point at their instance (SonarQube Cloud US uses `https://sonarqube.us`). The server is distributed as a Java-based OCI container image at `sonarsource/sonarqube-mcp` on Docker Hub — run it with `docker run --pull=always -i --rm -e SONARQUBE_TOKEN -e SONARQUBE_ORG sonarsource/sonarqube-mcp`, or pin a version tag for reproducible deployments — and works with any OCI-compatible runtime such as Podman or nerdctl. SonarSource also provides an interactive Configuration Generator at mcp.sonarqube.com that emits ready-to-paste client config. Ideal for teams that want AI-assisted code review grounded in the same rules and quality gates their SonarQube project already enforces.

Local
🔒

CrowdStrike Falcon

Connects AI agents with the CrowdStrike Falcon platform for intelligent security analysis.

Local
🔒

Auth0 MCP Server

The official Auth0 MCP server lets Claude, Cursor, and Windsurf manage an Auth0 tenant end-to-end through natural language instead of the dashboard — create applications, deploy Actions, debug logs, and manage resource servers just by asking. Its standout feature is the guided onboarding flow: the auth0_onboarding tool detects your project framework, creates a correctly configured Auth0 application, writes credentials straight into a .env file (auto-added to .gitignore), and hands off to auth0_get_quickstart_guide, which resolves callback URLs and returns framework-specific SDK integration code — taking a project from zero to a working Auth0 login in one guided conversation. Beyond onboarding, the tool surface spans Applications (list/get/create/update, plus credential export), Resource Servers/APIs (create and manage scopes, token lifetimes, signing algorithms), Application Grants (authorize M2M apps against specific APIs with defined scopes), Actions (create, update, and deploy post-login/pre-token logic), Logs (search and inspect authentication events, e.g. failed logins from a given IP), and Forms (build and publish branded login/signup/password-reset forms). Installs via npx with a device-authorization OAuth flow that stores credentials in your system keychain, supports Claude Desktop, Claude Code, Cursor, Windsurf, VS Code, Gemini CLI, and Codex, and exposes --tools/--read-only flags to scope down which operations an AI agent can perform — important given its Beta status and full read/write tenant access by default.

Local
💻

Semgrep MCP Server

The official Semgrep MCP server lets an AI assistant run Semgrep — a fast, deterministic static analysis engine that semantically understands 30+ languages and ships over 5,000 security rules — directly against the code it is writing or reviewing, so you can "secure your vibe coding" without leaving Claude, Cursor, VS Code, or Windsurf. It exposes a focused tool surface: `security_check` scans code for vulnerabilities, `semgrep_scan` runs a scan with a given rule config, `semgrep_scan_with_custom_rule` applies a custom Semgrep rule you supply inline, `get_abstract_syntax_tree` returns the AST of a snippet so an agent can reason about code structure, `supported_languages` lists the languages Semgrep can parse, and `semgrep_rule_schema` fetches the latest rule JSON Schema for writing new rules. With a Semgrep AppSec Platform login and token, `semgrep_findings` pulls findings from your organization's cloud account. The server runs three ways — as a Python package via `uvx semgrep-mcp` (PyPI: semgrep-mcp), as a Docker container `ghcr.io/semgrep/mcp`, or against Semgrep's hosted endpoint at mcp.semgrep.ai — and supports stdio, Streamable HTTP, and SSE transports. Note: the standalone semgrep/mcp repository is now deprecated, with ongoing development folded into the main `semgrep` binary (semgrep/semgrep, under cli/src/semgrep/mcp), so future updates ship through the official Semgrep CLI itself.

Auth required

Sponsored

1Password

14-day Free Trial

Store and inject API keys, payment credentials, tokens, and file access secrets into your MCP server configs. Trusted by 150K+ developers.

Try 1Password free →