Add safer default configurations for ZAP in .env and docker-compose

John Doe
2026-02-28 21:35:46 -05:00
parent e723092bb1
commit 68a260733c
3 changed files with 32 additions and 4 deletions
+5
@@ -3,5 +3,10 @@ MSF_PASSWORD=changeme
# Replace both values below with strong random keys before production use.
ZAP_API_KEY=changeme-zap-api-key
MCP_ZAP_API_KEY=changeme-mcp-zap-api-key
ZAP_SAFE_MODE=true
ZAP_ASCAN_THREAD_PER_HOST=2
ZAP_SPIDER_THREADS=2
# 40026 commonly maps to DOM XSS active scan rule in ZAP builds.
ZAP_DISABLED_SCANNERS=40026
MD_SHARE_DIR=/opt/mcps/shared-markdown
OLLAMA_BASE_URL=http://ollama:11434
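Review bot: the comment above `ZAP_DISABLED_SCANNERS=40026` hedges ("commonly maps to DOM XSS active scan rule in ZAP builds"), but ZAP scan rule IDs are fixed per rule, not per build, so name the rule outright and tell the reader how to list more than one ID, since anyone who wants to disable a second rule has no format to copy from this file. Something like `# 40026 = Cross Site Scripting (DOM Based) active scan rule; list several IDs comma-separated` keeps the intent without the guesswork, and it should match whatever separator the ZAP config key in docker-compose actually accepts.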
+12
@@ -62,6 +62,17 @@ ZAP_API_KEY=<paste-generated-zap-key>
MCP_ZAP_API_KEY=<paste-generated-mcp-zap-key>
```
Optional (recommended) safer ZAP defaults in `.env`:
```dotenv
ZAP_SAFE_MODE=true
ZAP_ASCAN_THREAD_PER_HOST=2
ZAP_SPIDER_THREADS=2
ZAP_DISABLED_SCANNERS=40026
```
This reduces noisy/aggressive behavior (especially browser/DOM-XSS related scan noise). Set `ZAP_SAFE_MODE=false` to restore default ZAP behavior.
2. Start base stack:
```powershell
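Review bot: the sentence after the dotenv block ("This reduces noisy/aggressive behavior ...") should state what `ZAP_SAFE_MODE` actually gates, because as written it reads like a general safety switch. Per the docker-compose change in this same commit it only appends three `-config` values (active scan threads per host, spider threads, the disabled-scanner list) and leaves everything else, including active scanning itself, enabled; it is not ZAP's own Safe mode, which blocks attacks entirely, and the name invites that confusion. It is also worth saying explicitly that `ZAP_ASCAN_THREAD_PER_HOST` and `ZAP_SPIDER_THREADS` have no effect at all when `ZAP_SAFE_MODE=false`, since a reader tuning those two values will not expect them to be silently ignored.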
@@ -142,6 +153,7 @@ Important compatibility note:
- First startup is slower because dependencies are built/installed.
- `kali-mcp-sse` and `triv3-kali-api` install web audit binaries on startup (`nikto`, `gobuster`, `sqlmap`, `dirb`, `seclists`), so first boot can take several extra minutes.
- `zap` runs in a safer default profile when `ZAP_SAFE_MODE=true`.
- `markdownify-mcp` is built at `mcpo` container startup.
- `mcp-zap-server` auth values are injected via `.env` into `mcpo-config.template.json` at runtime.
- `MD_SHARE_DIR` controls markdown file access scope for `markdownify-mcp`.
+15 -4
@@ -104,12 +104,23 @@ services:
image: zaproxy/zap-stable:latest
environment:
- ZAP_API_KEY=${ZAP_API_KEY:-changeme-zap-api-key}
- ZAP_SAFE_MODE=${ZAP_SAFE_MODE:-true}
- ZAP_ASCAN_THREAD_PER_HOST=${ZAP_ASCAN_THREAD_PER_HOST:-2}
- ZAP_SPIDER_THREADS=${ZAP_SPIDER_THREADS:-2}
- ZAP_DISABLED_SCANNERS=${ZAP_DISABLED_SCANNERS:-40026}
command: >-
sh -lc "
/zap/zap.sh -daemon -host 0.0.0.0 -port 8090
-config api.addrs.addr.name=.*
-config api.addrs.addr.regex=true
-config api.key=${ZAP_API_KEY:-changeme-zap-api-key}
EXTRA_OPTS='';
if [ \"${ZAP_SAFE_MODE:-true}\" = \"true\" ]; then
EXTRA_OPTS=\"$EXTRA_OPTS -config ascan.threadPerHost=${ZAP_ASCAN_THREAD_PER_HOST:-2}\";
EXTRA_OPTS=\"$EXTRA_OPTS -config spider.thread=${ZAP_SPIDER_THREADS:-2}\";
EXTRA_OPTS=\"$EXTRA_OPTS -config ascan.disabledScanners=${ZAP_DISABLED_SCANNERS:-40026}\";
fi;
eval /zap/zap.sh -daemon -host 0.0.0.0 -port 8090 \
-config api.addrs.addr.name=.* \
-config api.addrs.addr.regex=true \
-config api.key=${ZAP_API_KEY:-changeme-zap-api-key} \
$EXTRA_OPTS
"
expose:
- "8090"
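Review bot: the `eval /zap/zap.sh ...` line re-parses every interpolated value unquoted, so a `ZAP_API_KEY` (or `ZAP_DISABLED_SCANNERS`) containing a space, `;`, `$` or backtick either breaks startup or runs as shell inside the container; since the README tells operators to paste a generated key into `ZAP_API_KEY`, that is a realistic input. Drop `eval` and build the argument list with `set --` instead, e.g. `set -- /zap/zap.sh -daemon -host 0.0.0.0 -port 8090 -config api.addrs.addr.name='.*' -config api.addrs.addr.regex=true -config "api.key=$ZAP_API_KEY"`, then append the safe-mode options with `set -- "$@" -config "ascan.threadPerHost=$ZAP_ASCAN_THREAD_PER_HOST"` and finish with `exec "$@"`, which also quotes the `.*` that is currently exposed to pathname expansion twice. Two smaller points: the `${ZAP_API_KEY:-changeme-zap-api-key}` fallback means a missing or incomplete `.env` silently starts ZAP with a publicly known API key, so fail hard with `${ZAP_API_KEY:?set ZAP_API_KEY in .env}` rather than defaulting; and ZAP does not reject unknown `-config` keys, so please verify `ascan.threadPerHost`, `spider.thread` and `ascan.disabledScanners` against the ZAP config.xml before merging (the active scanner thread-per-host setting I know of lives under `scanner.threadPerHost`), otherwise the safe profile is a silent no-op and the README's claim about a "safer default profile" is not true.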