ZeroPath MCP Server
The ZeroPath MCP Server bridges the gap between security scanning and the development environment by allowing developers to interact with security findings using natural language. Instead of manually navigating complex dashboards or triaging tickets, teams can now chat directly with their security data within AI-assisted tools. This makes it easy …
About this Protocol
How to Use
1. Installation
To install the ZeroPath MCP Server, follow these steps:
- Generate API Key: Obtain an API key from your ZeroPath organization settings at https://zeropath.com/app/settings/api.
- Configure Environment Variables: Set your initial credentials in your terminal:
```bash
export ZEROPATH_TOKEN_ID=your_token_id
export ZEROPATH_TOKEN_SECRET=your_token_secret
```
- Retrieve Organization ID: Run the following command to find your organization ID:
```bash
curl -X POST https://zeropath.com/api/v1/orgs/list \
  -H "X-ZeroPath-API-Token-Id: $ZEROPATH_TOKEN_ID" \
  -H "X-ZeroPath-API-Token-Secret: $ZEROPATH_TOKEN_SECRET" \
  -H "Content-Type: application/json" \
  -d '{}'
```
- Install uv: The server uses uv for dependency management:
```bash
curl -LsSf https://astral.sh/uv/install.sh | sh
```
- Clone and Setup:
```bash
git clone https://github.com/ZeroPathAI/zeropath-mcp-server.git
cd zeropath-mcp-server
uv sync
export ZEROPATH_ORG_ID=your_org_id
```
2. Configuration
Add the following entry to your MCP configuration file (e.g., for Claude Desktop or Cursor). Note: Replace <absolute cloned directory path> with the actual absolute path to the repository on your machine.
```json
{
  "mcpServers": {
    "zeropath-mcp-server": {
      "command": "uv",
      "args": [
        "run",
        "--project",
        "<absolute cloned directory path>/zeropath-mcp-server",
        "<absolute cloned directory path>/zeropath-mcp-server/main.py"
      ],
      "env": {
        "ZEROPATH_TOKEN_ID": "your_token_id",
        "ZEROPATH_TOKEN_SECRET": "your_token_secret",
        "ZEROPATH_ORG_ID": "your_org_id"
      }
    }
  }
}
```
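As an added example (not code from the ZeroPath project or the zeropath-mcp-server repository), the following Python helper ties the credential and organization-ID steps of the installation together with the configuration entry above. It refuses the page's placeholder values (`your_token_id`, `your_token_secret`, `your_org_id`, `<absolute cloned directory path>`) before anything is sent, builds the same `orgs/list` request the curl command issues, masks the secret header so it can be logged safely, and checks an `mcpServers` entry for non-absolute paths and leftover placeholders. The `send` callback, the `page_example_entry` helper and the sample values are constructed for this example; the response schema of `orgs/list` is not documented on this page, so the parsed JSON is returned as-is.

```python
"""Added example (not part of zeropath-mcp-server): sanity-check the
credentials and MCP config from this page and build the orgs/list request."""
import json
import os
import urllib.request
from typing import Callable, Mapping, Optional

# URL and header names are taken from the page's curl command.
ORGS_LIST_URL = "https://zeropath.com/api/v1/orgs/list"
TOKEN_ID_HEADER = "X-ZeroPath-API-Token-Id"
TOKEN_SECRET_HEADER = "X-ZeroPath-API-Token-Secret"

# Placeholder values used in the page's instructions; they must never be sent.
PLACEHOLDERS = {"", "your_token_id", "your_token_secret", "your_org_id"}
PATH_PLACEHOLDER = "<absolute cloned directory path>"
CREDENTIAL_VARS = ("ZEROPATH_TOKEN_ID", "ZEROPATH_TOKEN_SECRET")
ALL_VARS = CREDENTIAL_VARS + ("ZEROPATH_ORG_ID",)


def credential_problems(env: Mapping[str, str]) -> list[str]:
    """Credential variables that are unset or still hold a placeholder."""
    return [f"{name} is unset or still a placeholder"
            for name in CREDENTIAL_VARS
            if env.get(name, "").strip() in PLACEHOLDERS]


def load_credentials(env: Optional[Mapping[str, str]] = None) -> dict[str, str]:
    """Read the token pair from the environment, refusing placeholders."""
    env = os.environ if env is None else env
    problems = credential_problems(env)
    if problems:
        raise ValueError("; ".join(problems))
    return {name: env[name].strip() for name in CREDENTIAL_VARS}


def build_orgs_list_request(creds: Mapping[str, str]) -> tuple[str, dict[str, str], bytes]:
    """The request the page's curl command sends: POST '{}' with both token headers."""
    headers = {
        TOKEN_ID_HEADER: creds["ZEROPATH_TOKEN_ID"],
        TOKEN_SECRET_HEADER: creds["ZEROPATH_TOKEN_SECRET"],
        "Content-Type": "application/json",
    }
    return ORGS_LIST_URL, headers, b"{}"


def redact(headers: Mapping[str, str]) -> dict[str, str]:
    """Copy of the headers that is safe to log: the secret header is masked."""
    safe = dict(headers)
    if TOKEN_SECRET_HEADER in safe:
        safe[TOKEN_SECRET_HEADER] = "***"
    return safe


def _send_https(url: str, headers: Mapping[str, str], body: bytes) -> bytes:
    """Default transport: a real HTTPS POST (only used when no `send` is injected)."""
    req = urllib.request.Request(url, data=body, headers=dict(headers), method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def list_orgs(creds: Mapping[str, str],
              send: Callable[[str, Mapping[str, str], bytes], bytes] = _send_https):
    """Issue the orgs/list call; `send` is injectable so the exchange can run offline.
    The response schema is not documented on this page, so the parsed JSON is returned as-is."""
    url, headers, body = build_orgs_list_request(creds)
    return json.loads(send(url, headers, body))


def validate_mcp_entry(entry: Mapping) -> list[str]:
    """Problems in one `mcpServers` entry of the configuration above (empty list = OK)."""
    problems = []
    for arg in entry.get("args", []):
        if PATH_PLACEHOLDER in arg:
            problems.append(f"placeholder path left in args: {arg}")
        elif arg.endswith(("zeropath-mcp-server", "main.py")) and not os.path.isabs(arg):
            problems.append(f"path is not absolute: {arg}")
    env = entry.get("env", {})
    for name in ALL_VARS:
        if env.get(name, "").strip() in PLACEHOLDERS:
            problems.append(f"env.{name} is missing or still a placeholder")
    return problems


def page_example_entry() -> dict:
    """The configuration entry exactly as shown on this page (placeholders included)."""
    return {
        "command": "uv",
        "args": ["run", "--project",
                 f"{PATH_PLACEHOLDER}/zeropath-mcp-server",
                 f"{PATH_PLACEHOLDER}/zeropath-mcp-server/main.py"],
        "env": {"ZEROPATH_TOKEN_ID": "your_token_id",
                "ZEROPATH_TOKEN_SECRET": "your_token_secret",
                "ZEROPATH_ORG_ID": "your_org_id"},
    }


if __name__ == "__main__":
    # Constructed values for a local dry run; no network call is made here.
    print(validate_mcp_entry(page_example_entry()))
    creds = load_credentials({"ZEROPATH_TOKEN_ID": "tid-constructed",
                              "ZEROPATH_TOKEN_SECRET": "secret-constructed"})
    print(redact(build_orgs_list_request(creds)[1]))
```

Run `validate_mcp_entry` against the entry you actually wrote to the MCP configuration file: the page's template, as shown, yields five findings (two placeholder paths and three placeholder env values) and a correctly filled entry yields none. Because the configuration file stores the token pair in plaintext, keep it readable only by your own user and out of version control; `redact` is what to pass to any logger rather than the raw headers.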
3. Available Tools
- search_vulnerabilities(search_query: str): Query SAST issues by keyword.
- get_issue(issue_id: str): Fetch full metadata, patch suggestions, and code context for a specific issue.
- approve_patch(issue_id: str): Approve a specific patch (write action).
4. Example Prompts
- "Show me all SSRF vulnerabilities in the user service."
- "Give me the details for issue abc123."
- "Approve the patch for xyz456."
Use Cases
Use Case 1: Streamlined Security Triage within the IDE
Problem: Developers often have to leave their coding environment and log into a separate security dashboard (like ZeroPath) to find, read, and understand security vulnerabilities. This context switching breaks focus and slows down the remediation process.
Solution: The ZeroPath MCP server brings security findings directly into the AI-assisted editor. Developers can use natural language to ask about current issues without ever leaving their workspace.
Example: A developer asks Claude Desktop: "Show me all high-severity SSRF vulnerabilities in the payment-processing service." The AI uses search_vulnerabilities to list the issues, allowing the developer to prioritize them immediately within their coding flow.
Use Case 2: Interactive Vulnerability Remediation and Patching
Problem: Understanding the root cause of a SAST (Static Application Security Testing) finding and determining the correct fix can be time-consuming, even with a security report.
Solution: By using get_issue, the AI assistant can fetch the full metadata, code context, and suggested patches for a specific vulnerability. The AI can then explain the fix in the context of the existing codebase and even apply the patch.
Example: After identifying an issue, the user says: "Give me the details for issue SEC-123 and explain why the suggested patch is necessary." The AI retrieves the context, explains the risk, and asks the user if they want to apply the fix. Once confirmed, the user can say: "Approve the patch for SEC-123," using the approve_patch tool.
Use Case 3: Targeted Security Audits of Specific Microservices
Problem: In large monorepos or complex microservice architectures, it's difficult to get a consolidated view of security risks affecting just one specific component or functional area.
Solution: The natural language search capability allows developers to filter vulnerabilities by keyword or service name, providing a focused view of the security posture of a specific part of the application.
Example: During a sprint focused on the "User Auth" module, a developer asks: "Are there any open SQL injection or secret leak issues in the src/auth directory?" The AI queries ZeroPath and presents a filtered list of relevant findings, enabling a "mini-audit" before new features are deployed.
Use Case 4: Rapid "Secrets" Discovery and Remediation
Problem: Leaked secrets (API keys, database credentials) are high-priority incidents that require immediate action, but finding exactly where they are buried in the code via a dashboard can be clunky.
Solution: This MCP server allows for immediate natural language lookup of secret-related findings, providing the exact code context to the AI assistant so it can help rotate the secret or move it to a secure environment variable.
Example: A developer notices a security alert and asks: "Where are the hardcoded API keys located in the repository?" The AI identifies the issues, shows the specific lines of code, and then helps the developer refactor the code to use an environment variable manager instead.