# MCP ZAP Server MCP server

Safe, self-hosted OWASP ZAP operator for guided AI security scans and reports.

## Links
- Registry page: https://www.getdrio.com/mcp/io-github-dtkmn-mcp-zap-server
- Repository: https://github.com/dtkmn/mcp-zap-server
- Website: https://danieltse.org/mcp-zap-server/

## Install
- Auth: Auth required by registry metadata

## Setup notes
- Package: Oci ghcr.io/dtkmn/mcp-zap-server:v0.8.0
- Environment variable: ZAP_API_URL (default mcp-zap-zap)
- Environment variable: ZAP_API_PORT (default 8090)
- Environment variable: ZAP_API_KEY (required; secret)
- Environment variable: MCP_API_KEY (required; secret)
- Environment variable: MCP_SERVER_TOOLS_SURFACE (default guided)
- Environment variable: MCP_SECURITY_MODE
- Environment variable: MCP_SECURITY_ENABLED
- Environment variable: MCP_SECURITY_ALLOW_PLACEHOLDER_API_KEY
- Package: Oci docker.io/dtkmn/mcp-zap-server:v0.8.0
- Environment variable: ZAP_API_URL (default mcp-zap-zap)
- Environment variable: ZAP_API_PORT (default 8090)
- Environment variable: ZAP_API_KEY (required; secret)
- Environment variable: MCP_API_KEY (required; secret)
- Environment variable: MCP_SERVER_TOOLS_SURFACE (default guided)
- Environment variable: MCP_SECURITY_MODE
- Environment variable: MCP_SECURITY_ENABLED
- Environment variable: MCP_SECURITY_ALLOW_PLACEHOLDER_API_KEY
- The upstream registry signals required auth or secrets.

## Tools
Not captured

## Resources
Not captured

## Prompts
Not captured

## Metadata
- Owner: io.github.dtkmn
- Version: 0.8.0
- Runtime: Oci
- Transports: HTTP
- License: Not captured
- Language: Not captured
- Stars: Not captured
- Updated: May 10, 2026
- Source: https://registry.modelcontextprotocol.io