ZeroPath MCP Server

Interact with your product security findings using natural language.

This open-source MCP server allows developers to query SAST issues, secrets, patches, and more from ZeroPath directly inside AI-assisted tools like Claude Desktop, Cursor, Windsurf, and other MCP-compatible environments.

No dashboards. No manual ticket triage. Just security context where you're already working.

---

Blog Post

Learn more about why we built this and how it fits into the evolving AI development ecosystem:

📄 Chat With Your AppSec Scans: Introducing the ZeroPath MCP Server

---

Installation

1. Generate API Key

Generate an API key from your ZeroPath organization settings at https://zeropath.com/app/settings/api

2. Configure Environment Variables

Set up your environment variables with the API key:

export ZEROPATH_TOKEN_ID=your_token_id
export ZEROPATH_TOKEN_SECRET=your_token_secret

3. Retrieve Your Organization ID

Run the following command to get your organization ID:

curl -X POST https://zeropath.com/api/v1/orgs/list \
    -H "X-ZeroPath-API-Token-Id: $ZEROPATH_TOKEN_ID" \
    -H "X-ZeroPath-API-Token-Secret: $ZEROPATH_TOKEN_SECRET" \
    -H "Content-Type: application/json" \
    -d '{}'

4. Install uv

We use uv for dependency management:

curl -LsSf https://astral.sh/uv/install.sh | sh

5. Clone and Setup

git clone https://github.com/ZeroPathAI/zeropath-mcp-server.git
cd zeropath-mcp-server
uv sync
export ZEROPATH_ORG_ID=your_org_id

---

Configuration

Add this entry to your MCP config (Claude Desktop, Cursor, etc.):

{
  "mcpServers": {
    "zeropath-mcp-server": {
      "command": "uv",
      "args": [
        "run",
        "--project",
        "<absolute cloned directory path>/zeropath-mcp-server",
        "<absolute cloned directory path>/zeropath-mcp-server/main.py"
      ]
    }
  }
}

Replace <absolute cloned directory path> with the absolute path to the repo.

---

Environment Variables

Before running the server, export the following:

export ZEROPATH_TOKEN_ID=your_token_id
export ZEROPATH_TOKEN_SECRET=your_token_secret
export ZEROPATH_ORG_ID=your_org_id

These can be generated from your ZeroPath dashboard.

---

Available Tools

Once connected, the following tools are exposed to your AI assistant:

search_vulnerabilities(search_query: str)

Query SAST issues by keyword.

Prompt example:

"Show me all SSRF vulnerabilities in the user service."

---

get_issue(issue_id: str)

Fetch full metadata, patch suggestions, and code context for a specific issue.

Prompt example:

"Give me the details for issue abc123."

---

approve_patch(issue_id: str)

Approve a patch (write action). Optional depending on your setup.

Prompt example:

"Approve the patch for xyz456."

---

Development Mode

Use ./dev_mode.bash to test the tools locally without a client connection.

---

Contributing

We welcome contributions from the security, AI, and developer tools communities.

• Found a bug? Open an issue
• Want to improve a tool or add a new one? Submit a pull request
• Have feedback or questions? Join us on Discord

---