The Zero-X Cursor plugin brings Zero-X's security and analysis capabilities directly into your Cursor IDE via a Python-based Model Context Protocol (MCP) server.
This repository contains:
- Cursor plugin configuration, rules, and commands
- A Python MCP server (
zerox_mcp) that communicates with the Zero-X backend
.cursor-plugin/plugin.json– Cursor plugin manifest (metadata, logo, keywords, component paths)mcp.json– MCP configuration that installs (if needed) and starts thezeroxMCP serverrules/zerox-best-practices.mdc– Always-on rules explaining when and how to use Zero-X toolscommands/– Cursor command definitions for running Zero-X scans and explanationsassets/zerox-logo.svg– Plugin logo for display inside Cursorzerox_mcp/– Python package implementing the Zero-X MCP serverrequirements.txt– Python dependencies for the MCP server
The MCP server requires access to the Zero-X backend and an API key.
Environment variables:
ZEROX_API_KEY– API key for authenticating with the Zero-X backendZEROX_BASE_URL– Base URL for the Zero-X API (default:https://in.zero-x.cloud)ZEROX_REQUEST_TIMEOUT– Optional request timeout in seconds (default:30.0)ZEROX_DEBUG– Optional flag (1,true,yes,on) to enable debug logging
You can configure these either in your system environment, or by editing the env section of mcp.json (recommended for local development).
It is recommended to run the MCP server inside a virtual environment.
python3 -m venv venv
source venv/bin/activate # Linux/macOS
# On Windows:
# venv\Scripts\activate
pip install -r requirements.txtAfter installing dependencies and setting the required environment variables, you can run the MCP server directly:
python -m zerox_mcp.serverThis will start the MCP server on stdin/stdout, which is how Cursor communicates with MCP servers.
- Open Cursor.
- Go to Plugins → Load Local Plugin.
- Select this project folder (
zero-x-cursor). - Cursor will read
.cursor-plugin/plugin.jsonto display the Zero-X plugin, then readmcp.json.- The MCP command uses
pythoninstdiomode. - The MCP command checks whether
zerox_mcpis installed. - If not installed, it installs from the Zero-X GitHub repository.
- It then starts the server via
python -m zerox_mcp.server.
- The MCP command uses
- The
rules/zerox-best-practices.mdcfile guides the AI agent on when to call tools such aszerox_full_scan. - The commands under
commands/define high-level actions:zerox.scanProject– scan the current project usingzerox_full_scanzerox.scanFile– scan the active file usingzerox_full_scanzerox.explainFinding– explain a specific finding usingzerox_explain_finding
The Zero-X MCP server exposes several tools:
zerox_full_scan– run a full Zero-X scan on one or more fileszerox_secrets_scan– secrets-focused scan (hardcoded secrets, API tokens, private keys, JWT secrets)zerox_sast_scan– SAST-focused scan for insecure code patternszerox_dependency_scan– dependency-focused scan for vulnerable packageszerox_get_scan_summary– retrieve a summary of findings for a given scanzerox_explain_finding– retrieve a detailed explanation and remediation guidance for a specific finding
- Setup
- Create and activate a virtual environment.
- Install dependencies with
pip install -r requirements.txt. - Set
ZEROX_API_KEY(and optionallyZEROX_BASE_URL) in your environment or inmcp.json.
- Run in Cursor
- Load the local plugin as described above.
- Open a file that contains obvious security issues (e.g., hardcoded secrets) and run the
zerox.scanFilecommand. - Run
zerox.scanProjecton a workspace to exercise multi-file scanning. - Use
zerox.explainFindingon one of the returned findings to see detailed remediation guidance.
- If the plugin does not appear in Cursor:
- Ensure
.cursor-plugin/plugin.jsonis valid JSON and has a lowercase, kebab-casename. - Verify the plugin folder was selected correctly when loading the local plugin.
- Ensure
- If the MCP server does not start:
- Confirm that
python(Python 3.9+) is available on your PATH. - On Linux, install
python-is-python3if onlypython3exists. - Check that
mcp.jsoncan run its install/start command without local shell restrictions. - Run
python -m zerox_mcp.servermanually and watch for errors in the terminal.
- Confirm that
- If scans return no findings or fail:
- Confirm
ZEROX_API_KEYandZEROX_BASE_URLare set correctly. - Ensure that the
filesargument passed to tools likezerox_full_scancontains bothpathandcontent. - Enable debug logging by setting
ZEROX_DEBUG=1and re-running the server.
- Confirm
- The Python MCP server lives under
zerox_mcp/and is structured for modularity:config.py– configuration and environment handlingmodels.py– Pydantic models for request/response payloadsclient.py– HTTP client for the Zero-X backendtools/– individual MCP tool implementations (scanning,reports,explain, etc.)server.py– MCP server bootstrap and tool registration
Refer to the source files in zerox_mcp/ for more details.
- The plugin manifest version is defined in
.cursor-plugin/plugin.jsonunder theversionfield. - When preparing a new release:
- Update the
versionfield. - Commit your changes and push to your Git repository.
- Test the plugin locally in Cursor.
- Update the
- To publish to the Cursor Marketplace:
- Push this repository to a public Git hosting provider (for example, GitHub).
- Visit
https://cursor.com/marketplace/publishand submit the repository URL, plugin name (zero-x-cursor), version, and a short description.