mirror of
https://github.com/BillyOutlast/sec-mcp.git
synced 2026-07-01 12:50:00 -04:00
Add safer default configurations for ZAP in .env and docker-compose
@@ -3,5 +3,10 @@ MSF_PASSWORD=changeme
# Replace both values below with strong random keys before production use.
ZAP_API_KEY=changeme-zap-api-key
MCP_ZAP_API_KEY=changeme-mcp-zap-api-key
ZAP_SAFE_MODE=true
ZAP_ASCAN_THREAD_PER_HOST=2
ZAP_SPIDER_THREADS=2
# 40026 commonly maps to DOM XSS active scan rule in ZAP builds.
ZAP_DISABLED_SCANNERS=40026
MD_SHARE_DIR=/opt/mcps/shared-markdown
OLLAMA_BASE_URL=http://ollama:11434
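Review bot: the comment added above `ZAP_DISABLED_SCANNERS=40026` hedges with "commonly maps to", which leaves the one fact an operator needs unverified; state which ZAP release the ID was checked against and point readers to the rule list of the scan policy on the running instance so the exclusion is confirmed rather than assumed. Also, the two `changeme-*` API key values are predictable placeholders and the same strings are used as compose fallbacks in this commit, so consider shipping them empty, or making startup fail when they are unset, instead of a working default key.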
@@ -62,6 +62,17 @@ ZAP_API_KEY=<paste-generated-zap-key>
MCP_ZAP_API_KEY=<paste-generated-mcp-zap-key>
```

Optional (recommended) safer ZAP defaults in `.env`:

```dotenv
ZAP_SAFE_MODE=true
ZAP_ASCAN_THREAD_PER_HOST=2
ZAP_SPIDER_THREADS=2
ZAP_DISABLED_SCANNERS=40026
```

This reduces noisy/aggressive behavior (especially browser/DOM-XSS related scan noise). Set `ZAP_SAFE_MODE=false` to restore default ZAP behavior.

2. Start base stack:

```powershell
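Review bot: the new "Optional (recommended)" wording does not match what the compose change does: the `zap` service falls back to `ZAP_SAFE_MODE=true`, thread counts of `2` and `ZAP_DISABLED_SCANNERS=40026` whenever these variables are unset, so this block documents the defaults rather than an opt-in. Suggest "These are the defaults; set them in `.env` only to change them", keep the sentence that `ZAP_SAFE_MODE=false` restores stock behavior, and spell out what "safer" trades away (fewer active-scan and spider threads, one rule disabled) so readers know the coverage cost.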
@@ -142,6 +153,7 @@ Important compatibility note:

- First startup is slower because dependencies are built/installed.
- `kali-mcp-sse` and `triv3-kali-api` install web audit binaries on startup (`nikto`, `gobuster`, `sqlmap`, `dirb`, `seclists`), so first boot can take several extra minutes.
- `zap` runs in a safer default profile when `ZAP_SAFE_MODE=true`.
- `markdownify-mcp` is built at `mcpo` container startup.
- `mcp-zap-server` auth values are injected via `.env` into `mcpo-config.template.json` at runtime.
- `MD_SHARE_DIR` controls markdown file access scope for `markdownify-mcp`.
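Review bot: the added bullet "`zap` runs in a safer default profile when `ZAP_SAFE_MODE=true`" reads as conditional, but `true` is the compose fallback, so say it is the default and name the variables the profile controls (`ZAP_ASCAN_THREAD_PER_HOST`, `ZAP_SPIDER_THREADS`, `ZAP_DISABLED_SCANNERS`) so this compatibility note agrees with the `.env` section earlier in the README.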
+15
-4
@@ -104,12 +104,23 @@ services:
image: zaproxy/zap-stable:latest
environment:
- ZAP_API_KEY=${ZAP_API_KEY:-changeme-zap-api-key}
- ZAP_SAFE_MODE=${ZAP_SAFE_MODE:-true}
- ZAP_ASCAN_THREAD_PER_HOST=${ZAP_ASCAN_THREAD_PER_HOST:-2}
- ZAP_SPIDER_THREADS=${ZAP_SPIDER_THREADS:-2}
- ZAP_DISABLED_SCANNERS=${ZAP_DISABLED_SCANNERS:-40026}
command: >-
sh -lc "
/zap/zap.sh -daemon -host 0.0.0.0 -port 8090
-config api.addrs.addr.name=.*
-config api.addrs.addr.regex=true
-config api.key=${ZAP_API_KEY:-changeme-zap-api-key}
EXTRA_OPTS='';
if [ \"${ZAP_SAFE_MODE:-true}\" = \"true\" ]; then
EXTRA_OPTS=\"$EXTRA_OPTS -config ascan.threadPerHost=${ZAP_ASCAN_THREAD_PER_HOST:-2}\";
EXTRA_OPTS=\"$EXTRA_OPTS -config spider.thread=${ZAP_SPIDER_THREADS:-2}\";
EXTRA_OPTS=\"$EXTRA_OPTS -config ascan.disabledScanners=${ZAP_DISABLED_SCANNERS:-40026}\";
fi;
eval /zap/zap.sh -daemon -host 0.0.0.0 -port 8090 \
-config api.addrs.addr.name=.* \
-config api.addrs.addr.regex=true \
-config api.key=${ZAP_API_KEY:-changeme-zap-api-key} \
$EXTRA_OPTS
"
expose:
- "8090"
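Review bot: the added `eval /zap/zap.sh ... $EXTRA_OPTS` puts compose-interpolated `.env` values through a second round of shell parsing, so a `ZAP_DISABLED_SCANNERS` or thread-count value containing spaces, quotes or `;` would be re-split or run rather than handed to ZAP as one argument; build the list with `set --` (for example `set -- "$@" -config ascan.disabledScanners=${ZAP_DISABLED_SCANNERS:-40026}` inside the `if`) and invoke `/zap/zap.sh "$@"` without `eval`. The same hunk keeps `-config api.key=${ZAP_API_KEY:-changeme-zap-api-key}` beside `api.addrs.addr.name=.*` with `regex=true`, which accepts API calls from any address, so an unset `.env` still starts a daemon whose key is published in the repository; `${ZAP_API_KEY:?ZAP_API_KEY must be set}` would make compose refuse to start instead.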