Cognitive DAST Testing Automation
Automated Dynamic Application Security Testing (DAST) using OWASP ZAP proxy with cognitive analysis powered by Google Gemini AI via MCP.
Features
- Automated DAST Scanning: Full integration with OWASP ZAP proxy
- Cognitive Analysis: AI-powered analysis of security findings using Gemini
- MCP Server: Model Context Protocol implementation for AI tool integration
- CLI Interface: Command-line tools for scan execution and management
- Risk Scoring: Automated risk assessment and prioritization
- Multiple Formats: JSON and SARIF output for CI/CD and industry-standard reporting
- SARIF Support: Compatible with GitHub Security, Defender for Cloud, SonarQube
Components
MCP DAST Server
- Core server implementing Model Context Protocol
- Coordinates ZAP scanning and Gemini analysis
- Async/await support for non-blocking operations
ZAP Integration
- OWASP ZAP proxy client
- API-based scanning automation
- Alert aggregation and classification
Gemini AI Analyzer
- Security finding analysis
- Cognitive assessment of vulnerabilities
- Remediation recommendations
- Business impact analysis
CLI Tools
scan: Run complete DAST assessmentstatus: Check scan progressconfigure: Setup configuration
Quick Start
1. Install Dependencies
pip install -r requirements.txt
2. Configure Environment
cp config/.env.example .env
# Edit .env with your API keys
3. Start OWASP ZAP
# Docker
docker run -p 8080:8080 owasp/zap2docker-stable zap.sh -config api.disablekey=true
# Or local installation
zaproxy -config api.disablekey=true
4. Run Scan
python -m mcp_dast.cli.main scan \
--target http://example.com \
--gemini-key YOUR_GEMINI_KEY \
--output results.json \
--format json
Architecture
The system implements a 4-layer layered architecture with clear separation of concerns:
┌─────────────────────────────────────────┐
│ Presentation Layer (CLI Interface) │
│ User commands & interaction point │
└─────────────────────────────────────────┘
↓
┌─────────────────────────────────────────┐
│ Application Layer (Orchestration) │
│ Scan, analysis, reporting orchestration │
└─────────────────────────────────────────┘
↓
┌─────────────────────────────────────────┐
│ Integration Layer (Adapters) │
│ ZAP, Gemini, Output formatting │
└─────────────────────────────────────────┘
↓
┌─────────────────────────────────────────┐
│ Infrastructure Layer (Storage) │
│ Config, cache, persistent storage │
└─────────────────────────────────────────┘
Architecture Diagrams:
Start with reference-architecture.puml - then explore:
- system-architecture.puml - Component overview
- component-interaction.puml - Detailed interactions
- scan-sequence.puml - Execution flow
- data-flow.puml - Data transformations
- class-diagram.puml - OOP design
- deployment.puml - Infrastructure
- workflow.puml - Process flow
MCP DAST Server
├── ZAP Client (OWASP Proxy)
│ └── Scan Management & Alert Collection
├── Gemini Analyzer (AI Analysis)
│ └── Cognitive Assessment & Recommendations
└── CLI Interface
└── User-facing Commands
Usage Examples
Basic Scan (JSON output)
python -m mcp_dast.cli.main scan --target http://target.com --gemini-key $GEMINI_KEY --output results.json
SARIF Output (GitHub Actions compatible)
python -m mcp_dast.cli.main scan --target http://target.com --gemini-key $GEMINI_KEY --output results.sarif --format sarif
Check Scan Status
python -m mcp_dast.cli.main status --scan-id abc123
With Custom Configuration
python -m mcp_dast.cli.main scan \
--target http://target.com \
--zap-host 192.168.1.100 \
--zap-port 8080 \
--gemini-key $GEMINI_KEY \
--output scan-results.json \
--format json
Output Formats
JSON Format
Results include:
- Raw ZAP scan findings (alerts, risk levels)
- Cognitive analysis from Gemini AI
- Risk scores and severity assessments
- Remediation priorities
- Recommended actions
SARIF Format
Industry-standard format (OWASP/SARIF 2.1.0):
- Compatible with GitHub Security Code Scanning
- Compatible with Microsoft Defender for Cloud
- Compatible with SonarQube and other tools
- Full vulnerability metadata and remediation guidance
For detailed format information, see OUTPUT_FORMATS.md
{
"scan_id": "12345",
"target_url": "http://example.com",
"raw_results": {
"high_alerts": 2,
"medium_alerts": 5,
"low_alerts": 8
},
"cognitive_analysis": {
"risk_score": 72.5,
"severity_assessment": "High",
"remediation_priority": [...],
"recommended_actions": [...]
}
}
Configuration
ZAP Configuration
ZAP_HOST: Proxy host (default: localhost)ZAP_PORT: Proxy port (default: 8080)ZAP_API_KEY: Optional API keyZAP_TIMEOUT: Request timeout
Gemini Configuration
GEMINI_API_KEY: Your Google Gemini API keyGEMINI_MODEL: Model selection (default: gemini-1.5-flash)
Requirements
- Python 3.9+
- OWASP ZAP 2.12+
- Google Gemini API key (free tier available)
- Required packages: see requirements.txt
Testing
pytest tests/
pytest tests/ --cov=src
Development
Project Structure
├── src/mcp_dast/
│ ├── zap/ # OWASP ZAP integration
│ ├── gemini/ # Gemini AI analyzer
│ ├── cli/ # CLI interface
│ └── server.py # MCP server
├── tests/ # Test suite
├── config/ # Configuration files
├── docs/ # Documentation
└── pyproject.toml # Poetry configuration
Running Locally
# Install in development mode
pip install -e .
# Run tests
pytest
# Format code
black src/
# Lint
ruff check src/
Security Considerations
- Never commit API keys to version control
- Use environment variables for sensitive configuration
- Validate and sanitize all inputs
- Keep ZAP and dependencies updated
License
MIT
Support
For issues and feature requests, please open an issue on the project repository.