Logic scanner now available! Try it out
Back
Engineering - 6 min read

Introducing ZeroPath’s Open-Source MCP Server

Query your product security findings with natural language. ZeroPath’s open-source MCP server integrates with Claude, Cursor, Windsurf, and other tools to surface SAST issues, secrets, and patches—right where developers work.

ZeroPath Security Research

ZeroPath Security Research

2025-03-27
Introducing ZeroPath’s Open-Source MCP Server

In a moment where AI-powered development environments are rapidly evolving, we're excited to introduce the ZeroPath MCP Server — a lightweight integration that connects ZeroPath's LLM-powered product security platform with Model Context Protocol (MCP) clients like Claude Desktop and Cursor.

This release brings static analysis, secret scanning, and infrastructure-as-code (IaC) security directly into your conversational or IDE-native AI workflows. Want to ask Claude which vulnerabilities are open in your backend repo? Or query dependency issues from inside Cursor without leaving your editor? Now you can.

What We Built

We created an open-source MCP server that connects to the ZeroPath API and exposes tools for interacting with your organization's security posture:

  • List organizations connected to your ZeroPath account
  • Query vulnerability issues from SAST scans
  • Pull down patches and proposed fixes
  • Search for exposed secrets or insecure configurations

This server is compatible with any standard MCP client—including Claude, Cursor, and WindSurf.

GitHub repo: https://github.com/ZeroPathAI/zeropath-mcp-server

Why This Matters

AppSec teams have been automating their CI/CD pipelines for years. But with the rise of AI-native tools like Claude and Cursor, we're seeing an opportunity to bring security insights into the places developers now spend time thinking and building.

Instead of switching tabs or pasting scan results into Jira manually, you can now:

  • Ask your AI assistant to summarize security issues
  • Pull in patch diffs for a PR
  • Get context about infrastructure misconfigurations, secrets, and logic flaws

Security tooling should feel like part of your natural development flow. With MCP, it does.

What is MCP?

Model Context Protocol (MCP) is an open specification for connecting AI tools to external resources and services. It enables local tools (called MCP servers) to expose resources and actions to AI clients over stdin/stdout or other transports.

In practical terms, MCP makes it possible to say:

"Hey Claude, ask ZeroPath to find all XSS vulnerabilities in app/main.py."

...and have it work.

MCP is rapidly becoming the standard way for developer tools, LLMs, and agents to communicate securely and predictably. It enables local tools (called MCP servers) to expose resources and actions to AI clients over stdin/stdout or other transports.

Why MCP?

MCP embraces the same spirit of open standards that underpins much of modern infrastructure. It avoids vendor lock-in and allows developers to bring their favorite tools (like ZeroPath) into their own workflows—be it in an IDE, chat window, or agent loop.

For AppSec and platform engineers, it opens up the opportunity to query security data contextually and on-demand, without leaving your coding environment.

What Can You Do With the ZeroPath MCP Server?

  • Query SAST issues by repo, path, or type using search_vulnerabilities, one of the included tools. You can also retrieve issue details with get_issue or approve patches (read-only) via approve_patch.
  • View dependency scan results and exploitability reports
  • Search for IaC misconfigurations
  • Check for hardcoded secrets across repos
  • Get suggested patches and remediations (read-only)

All through natural language, within your IDE or AI assistant.

Why Read-Only

For now, the server is read-only by design. While MCP does allow write actions (like patching code or triggering scans), we've focused this initial implementation on safe exploration and data retrieval.

This minimizes risk while making the server useful out-of-the-box. You can still explore your scan data, pull in insights, and generate patch recommendations without risk of altering your codebase accidentally.

As the ecosystem matures, we plan to support safe, permissioned write actions.

Getting Started

To get started, you'll need to:

  1. Generate an API key from your ZeroPath organization settings at https://zeropath.com/app/settings/api
  2. Configure your environment variables with the API key:
export ZEROPATH_TOKEN_ID=your_token_id
export ZEROPATH_TOKEN_SECRET=your_token_secret
  1. Retrieve your organization ID (you can find this by running the following command):
curl -X POST https://zeropath.com/api/v1/orgs/list \
    -H "X-ZeroPath-API-Token-Id: $ZEROPATH_TOKEN_ID" \
    -H "X-ZeroPath-API-Token-Secret: $ZEROPATH_TOKEN_SECRET" \
    -H "Content-Type: application/json" \
    -d '{}'

Once you have these credentials, clone the repository and set up the environment:

  1. Clone the repository
  2. Install dependencies using uv

Next, clone the repo and sync dependencies using uv and creating the environment variables with the API information and org id:

git clone https://github.com/ZeroPathAI/zeropath-mcp-server.git
cd zeropath-mcp-server
uv sync
export ZEROPATH_ORG_ID=your_org_id

Once running, you can connect the server to Claude Desktop, Cursor, or WindSurf via the MCP configuration (we include setup instructions in the repo). (we include setup instructions in the repo).

Add this entry to your MCP config (Claude Desktop, Windsurf, Cursor, etc.):

{
  "mcpServers": {
    "zeropath-mcp-server": {
      "command": "uv",
      "args": [
        "run",
        "--project",
        "<absolute cloned directory path>/zeropath-mcp-server",
        "<absolute cloned directory path>/zeropath-mcp-server/main.py"
      ]
    }
  }
}

Replace <absolute cloned directory path> with the absolute path to the repo.

Example Prompts to Try

  • "List all organizations connected to my ZeroPath account"
  • "What are the open SAST issues in our payments-service repo?"
  • "Show me any secrets found in our IaC files Get the details for issue abc123 Approve the patch for issue xyz789"
  • "Fetch proposed patches for the latest XSS issue in web/"

These work across any tool that supports MCP — whether you're chatting with Claude or using an IDE like Cursor.

Why Conversational Interfaces for AppSec?

Security shouldn't live off in a separate dashboard. With MCP, you can:

  • Ask specific security questions in natural language
  • Explore your codebase's risks and remediations on-demand
  • Reduce triage and manual lookup overhead

This isn't just about convenience—it's about embedding security in the development experience.

Get Involved

The ZeroPath MCP Server is fully open-source and available on GitHub: https://github.com/ZeroPathAI/zeropath-mcp-server

We're actively looking for contributors and feedback as we extend capabilities. Drop into our Discord or open an issue on GitHub if you want to help shape what modern product security looks like in AI-native dev environments.

Ready for effortless AppSec?

Get a live ZeroPath tour.

Schedule a demo with one of the founders Dean Valentine Raphael Karger Nathan Hrncirik Yaacov Tarko to get started.

Schedule a demo