Skip to content
/ zeropath-mcp-server Public

Open-source MCP server for querying ZeroPath security issues, patches, and scans using Claude, Cursor, Windsurf, or any AI assistant.

zeropath.com/blog/chat-with-your-appsec-scans

License

MIT license
4 stars 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

ZeroPathAI/zeropath-mcp-server

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
__pycache__
__pycache__
 
 
src/zeropath_mcp_server
src/zeropath_mcp_server
 
 
tests
tests
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
cursor_config.json
cursor_config.json
 
 
dev_mode.bash
dev_mode.bash
 
 
main.py
main.py
 
 
pyproject.toml
pyproject.toml
 
 
uv.lock
uv.lock
 
 

Repository files navigation

ZeroPath MCP Server

License: MIT

Interact with your product security findings using natural language.

This open-source MCP server allows developers to query SAST issues, secrets, patches, and more from ZeroPath directly inside AI-assisted tools like Claude Desktop, Cursor, Windsurf, and other MCP-compatible environments.

No dashboards. No manual ticket triage. Just security context where you're already working.

Blog Post

Learn more about why we built this and how it fits into the evolving AI development ecosystem:

Chat With Your AppSec Scans: Introducing the ZeroPath MCP Server

Installation

Quick Install (Recommended)

Install directly from GitHub:

# Using pip
pip install git+https://github.com/ZeroPathAI/zeropath-mcp-server.git

# Using uvx (run without installing)
uvx --from git+https://github.com/ZeroPathAI/zeropath-mcp-server zeropath-mcp-server

You can also pin to a specific version:

# Specific version tag
pip install git+https://github.com/ZeroPathAI/zeropath-mcp-server.git@v0.1.0

# Latest from main branch
uvx --from "git+https://github.com/ZeroPathAI/zeropath-mcp-server@main" zeropath-mcp-server

From Source

git clone https://github.com/ZeroPathAI/zeropath-mcp-server.git
cd zeropath-mcp-server
uv sync

From PyPI (Optional)

If the package is published to PyPI, you can also install via:

pip install zeropath-mcp-server

Setup

1. Generate API Key

Generate an API key from your ZeroPath organization settings at https://zeropath.com/app/settings/api

2. Configure Environment Variables

Set up your environment variables with the API key:

export ZEROPATH_TOKEN_ID=your_token_id
export ZEROPATH_TOKEN_SECRET=your_token_secret

3. Retrieve Your Organization ID

Run the following command to get your organization ID:

curl -X POST https://zeropath.com/api/v1/orgs/list \
    -H "X-ZeroPath-API-Token-Id: $ZEROPATH_TOKEN_ID" \
    -H "X-ZeroPath-API-Token-Secret: $ZEROPATH_TOKEN_SECRET" \
    -H "Content-Type: application/json" \
    -d '{}'

Then set it as an environment variable:

export ZEROPATH_ORG_ID=your_org_id

Configuration

Add the following to your MCP config file (Claude Desktop, Cursor, etc.):

Using GitHub URL (Recommended)

{
  "mcpServers": {
    "zeropath": {
      "command": "uvx",
      "args": [
        "--from",
        "git+https://github.com/ZeroPathAI/zeropath-mcp-server",
        "zeropath-mcp-server"
      ],
      "env": {
        "ZEROPATH_TOKEN_ID": "your_token_id",
        "ZEROPATH_TOKEN_SECRET": "your_token_secret",
        "ZEROPATH_ORG_ID": "your_org_id"
      }
    }
  }
}

To pin to a specific version, append @v0.1.0 or @main to the URL.

Using source install

If you cloned the repository locally:

{
  "mcpServers": {
    "zeropath": {
      "command": "uv",
      "args": [
        "run",
        "--project",
        "/path/to/zeropath-mcp-server",
        "python",
        "-m",
        "zeropath_mcp_server"
      ],
      "env": {
        "ZEROPATH_TOKEN_ID": "your_token_id",
        "ZEROPATH_TOKEN_SECRET": "your_token_secret",
        "ZEROPATH_ORG_ID": "your_org_id"
      }
    }
  }
}

Using PyPI install (Optional)

If installed from PyPI:

{
  "mcpServers": {
    "zeropath": {
      "command": "zeropath-mcp-server",
      "env": {
        "ZEROPATH_TOKEN_ID": "your_token_id",
        "ZEROPATH_TOKEN_SECRET": "your_token_secret",
        "ZEROPATH_ORG_ID": "your_org_id"
      }
    }
  }
}

Replace the environment variable values with your actual credentials.

Available Tools

Once connected, the following tools are exposed to your AI assistant:

Search & Issue Details

search_vulnerabilities(search_query: str)

Search for vulnerabilities using a keyword query.

Parameters:

  • search_query (optional): Search term to filter vulnerabilities

Prompt example:

"Show me all SSRF vulnerabilities in the user service."

get_issue(issue_id: str)

Get full details for a specific vulnerability issue, including patch information if available.

Parameters:

  • issue_id (required): The ID of the issue to retrieve

Prompt example:

"Give me the details for issue abc123."

approve_patch(issue_id: str)

Approve a patch for a specific vulnerability issue.

Parameters:

  • issue_id (required): The ID of the issue whose patch should be approved

Prompt example:

"Approve the patch for xyz456."

Bug Triage

mark_true_positive(issue_id: str)

Mark a security issue as a true positive (confirmed vulnerability).

Parameters:

  • issue_id (required): The ID of the issue to mark

Prompt example:

"Mark issue abc123 as a true positive."

mark_false_positive(issue_id: str)

Mark a security issue as a false positive (not a real vulnerability).

Parameters:

  • issue_id (required): The ID of the issue to mark

Prompt example:

"Mark issue abc123 as a false positive."

archive_issue(issue_id: str)

Archive a security issue to remove it from active view.

Parameters:

  • issue_id (required): The ID of the issue to archive

Prompt example:

"Archive issue abc123."

unarchive_issue(issue_id: str)

Restore a previously archived issue to active view.

Parameters:

  • issue_id (required): The ID of the issue to unarchive

Prompt example:

"Unarchive issue abc123."

generate_patch(issue_id: str)

Generate an automated patch/fix for a security issue.

Parameters:

  • issue_id (required): The ID of the issue to generate a patch for

Prompt example:

"Generate a patch for issue abc123."

Scan Management

start_scan(repository_ids: list[str])

Start a new security scan on one or more repositories.

Parameters:

  • repository_ids (required): List of repository IDs to scan

Prompt example:

"Start a scan on repository repo_123."

list_scans(search_query, repository_ids, scan_type, page, page_size)

List security scans with optional filtering and pagination.

Parameters:

  • search_query (optional): Search term to filter scans
  • repository_ids (optional): List of repository IDs to filter by
  • scan_type (optional): Filter by scan type (FullScan, PrScan, SCAScan)
  • page (optional): Page number (default: 1)
  • page_size (optional): Results per page (default: 10)

Prompt example:

"Show me all scans for the last week." "List the most recent PR scans."

Repository Management

list_repositories(search_query: str)

List all repositories in the organization.

Parameters:

  • search_query (optional): Search term to filter repositories

Prompt example:

"List all repositories." "Find repositories with 'api' in the name."

Statistics & Analytics

get_security_posture()

Get the overall security posture metrics for the organization, including security score, vulnerability trends, and risk assessment.

Parameters: None

Prompt example:

"What's our current security posture?"

get_issues_by_vuln_class()

Get issue statistics grouped by vulnerability class/type. Shows distribution of vulnerabilities by category (XSS, SQLi, etc.).

Parameters: None

Prompt example:

"Show me a breakdown of vulnerabilities by type."

get_summary_statistics()

Get aggregated summary statistics across the organization, including total issues, patches, repositories, and key metrics.

Parameters: None

Prompt example:

"Give me a summary of our security statistics."

SCA (Software Composition Analysis)

list_sca_vulnerabilities(search_query, repository_ids, ecosystems, transitivity, page, page_size)

Search for SCA vulnerabilities in dependencies.

Parameters:

  • search_query (optional): Search term to filter vulnerabilities
  • repository_ids (optional): List of repository IDs to filter by
  • ecosystems (optional): List of ecosystems to filter (npm, pip, maven, etc.)
  • transitivity (optional): Filter by dependency type (direct, transitive)
  • page (optional): Page number (default: 1)
  • page_size (optional): Results per page (default: 50)

Prompt example:

"Show me all critical npm vulnerabilities." "List direct dependency vulnerabilities in the backend repo."

get_sca_vulnerability(vulnerability_id: str)

Get detailed information about a specific SCA vulnerability.

Parameters:

  • vulnerability_id (required): The ID of the vulnerability to retrieve

Prompt example:

"Get details for SCA vulnerability vuln_456."

list_sca_repositories()

List repositories with their aggregated dependency inventory information.

Parameters: None

Prompt example:

"Which repos have the most vulnerable dependencies?"

Development

Running Tests

ZEROPATH_TOKEN_ID=your_id \
ZEROPATH_TOKEN_SECRET=your_secret \
ZEROPATH_ORG_ID=your_org \
uv run pytest tests/ -v

Building the Package

uv build

Publishing to PyPI (Optional)

If you want to publish to PyPI:

uv publish

Contributing

We welcome contributions from the security, AI, and developer tools communities.

  • Found a bug? Open an issue
  • Want to improve a tool or add a new one? Submit a pull request
  • Have feedback or questions? Join us on Discord

License

MIT License - see LICENSE for details.

About

Open-source MCP server for querying ZeroPath security issues, patches, and scans using Claude, Cursor, Windsurf, or any AI assistant.

zeropath.com/blog/chat-with-your-appsec-scans

Topics

security appsec security-automation devsecops mcp-server

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

4 stars

Watchers

0 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

Languages