ZeroPath MCP Server
Interact with your product security findings using natural language.
ZeroPath MCP Server
Interact with ZeroPath security findings via MCP-compatible tools.
This MCP server calls ZeroPath tRPC V2 procedures directly (no REST wrappers) and returns structured JSON responses suitable for agent consumption.
Blog Post
Learn more about why we built this and how it fits into the evolving AI development ecosystem:
Chat With Your AppSec Scans: Introducing the ZeroPath MCP Server
Installation
Quick Install (Recommended)
Install directly from GitHub:
# Using pip
pip install git+https://github.com/ZeroPathAI/zeropath-mcp-server.git
# Using uvx (run without installing)
uvx --from git+https://github.com/ZeroPathAI/zeropath-mcp-server zeropath-mcp-server
You can also pin to a specific version:
# Specific version tag
pip install git+https://github.com/ZeroPathAI/[email protected]
# Latest from main branch
uvx --from "git+https://github.com/ZeroPathAI/zeropath-mcp-server@main" zeropath-mcp-server
From Source
git clone https://github.com/ZeroPathAI/zeropath-mcp-server.git
cd zeropath-mcp-server
uv sync
From PyPI (Optional)
If the package is published to PyPI, you can also install via:
pip install zeropath-mcp-server
Setup
1. Generate API Key
Generate a user-scoped or admin API key from ZeroPath Settings.
2. Configure Environment Variables
export ZEROPATH_BASE_URL="https://zeropath.com" # optional (defaults to https://zeropath.com)
export ZEROPATH_TOKEN_ID=your_token_id
export ZEROPATH_TOKEN_SECRET=your_token_secret
export ZEROPATH_ORG_ID=your_org_id
Use ZEROPATH_BASE_URL to target staging or another environment, for example:
export ZEROPATH_BASE_URL="https://staging.branch.zeropath.com"
Configuration
Add the following to your MCP config file (Claude Desktop, Cursor, etc.):
Using GitHub URL (Recommended)
{
"mcpServers": {
"zeropath": {
"command": "uvx",
"args": [
"--from",
"git+https://github.com/ZeroPathAI/zeropath-mcp-server",
"zeropath-mcp-server"
],
"env": {
"ZEROPATH_BASE_URL": "https://zeropath.com",
"ZEROPATH_TOKEN_ID": "your_token_id",
"ZEROPATH_TOKEN_SECRET": "your_token_secret",
"ZEROPATH_ORG_ID": "your_org_id"
}
}
}
}
Using source install
{
"mcpServers": {
"zeropath": {
"command": "uv",
"args": [
"run",
"--project",
"/path/to/zeropath-mcp-server",
"python",
"-m",
"zeropath_mcp_server"
],
"env": {
"ZEROPATH_BASE_URL": "https://zeropath.com",
"ZEROPATH_TOKEN_ID": "your_token_id",
"ZEROPATH_TOKEN_SECRET": "your_token_secret",
"ZEROPATH_ORG_ID": "your_org_id"
}
}
}
}
Using PyPI install (Optional)
{
"mcpServers": {
"zeropath": {
"command": "zeropath-mcp-server",
"env": {
"ZEROPATH_BASE_URL": "https://zeropath.com",
"ZEROPATH_TOKEN_ID": "your_token_id",
"ZEROPATH_TOKEN_SECRET": "your_token_secret",
"ZEROPATH_ORG_ID": "your_org_id"
}
}
}
}
Tool Surface (tRPC V2)
Tools are loaded dynamically from the ZeroPath frontend's MCP manifest at startup.
All tool calls use tRPC V2 procedures directly using tRPC v10 HTTP conventions:
- Queries:
GET /trpc/<procedure>?input=<url-encoded-json> - Mutations:
POST /trpc/<procedure>with the raw JSON input object as the body (not wrapped).
Successful responses are returned as structured JSON with the { "result": { "data": ... } } wrapper removed. Errors return the tRPC error object directly.
The server also performs best-effort client-side input validation using each tool's inputSchema from the manifest and returns a BAD_REQUEST error before calling tRPC when inputs are invalid. If a schema uses unsupported JSON Schema features, client-side validation is skipped for that call (server-side validation remains authoritative).
Example Calls
List issues:
{
"tool": "issues.list",
"input": {
"page": 1,
"pageSize": 25,
"statuses": ["PENDING_REVIEW"],
"sortBy": "score",
"sortOrder": "desc"
}
}
Archive issues:
{
"tool": "issues.archive",
"input": {
"issueIds": ["issue_123", "issue_456"],
"reason": "Confirmed duplicate"
}
}
Create a rule:
{
"tool": "rules.create",
"input": {
"name": "Detect unsafe eval",
"rule": "Detect any use of eval() on user input",
"globPattern": "**/*.js",
"sourceTypes": ["FILE_HANDLER"],
"repositoryIds": ["repo_123"]
}
}
Fetch stats summary:
{
"tool": "stats.summary",
"input": {
"organizationId": "org_123"
}
}
Development
Running Tests
uv run pytest tests/ -v
Building the Package
uv build
Publishing to PyPI (Optional)
uv publish
Contributing
We welcome contributions from the security, AI, and developer tools communities.
- Found a bug? Open an issue
- Want to improve a tool or add a new one? Submit a pull request
- Have feedback or questions? Join us on Discord
License
MIT License - see LICENSE for details.
관련 서버
Alpha Vantage MCP Server
스폰서Access financial market data: realtime & historical stock, ETF, options, forex, crypto, commodities, fundamentals, technical indicators, & more
Local Context MCP
A collection of reference implementations for the Model Context Protocol (MCP), giving LLMs secure access to tools and data.
Agent Forge
A platform for creating and managing AI agents with specific personalities and simulating their responses. Requires a DeepSeek API key.
vastlint
VAST XML validation MCP server for programmatic video ad pipelines. Tools: validate_vast, validate_vast_url, list_rules, explain_rule, fix_vast. Hosted at vastlint.org/mcp or self-hostable.
Databutton App MCP
Call your Databutton app endpoints as LLM tools with MCP.
Snowfort Circuit MCP
Automate web browsers and Electron desktop applications for AI coding agents.
Claude Desktop
An MCP server for interacting with Anthropic's Claude on the desktop, based on a DeepLearning.ai course example.
OpenAPI to MCP Server
A tool to create MCP servers from OpenAPI/Swagger specifications, allowing AI assistants to interact with your APIs.
mockd
Multi-protocol API mock server with 18 MCP tools — mock HTTP, GraphQL, gRPC, WebSocket, MQTT, SSE, and SOAP APIs with chaos engineering, stateful CRUD, and deterministic seeded responses.
vigile-mcp
Security scanner for MCP servers and agent skills — query trust scores, check for vulnerabilities, and search the Vigile trust registry
AppStore-MCP-Server
App store optimization ASO research, metadata, keyword rankings and more