Semgrep
An MCP server that provides a comprehensive interface to Semgrep, enabling users to scan code for security vulnerabilities, create custom rules, and analyze scan results through the Model Context Protocol.
semgrep
Tools
start_scan_from_content
Starts a Semgrep scan with code content provided directly Args: ctx: MCP context for sending notifications code_files: List of dictionaries with 'filename' and 'content' keys config: Semgrep configuration (e.g. "auto" or absolute path to rule file) Returns: Dictionary with scan information
get_scan_status
Gets the current status of a scan Args: scan_id: Identifier for the scan Returns: Dictionary with scan status information
get_scan_results
Gets the results of a completed scan Args: scan_id: Identifier for the scan Returns: Dictionary with scan results
get_supported_languages
Returns a list of supported languages by Semgrep Returns: List of supported languages
semgrep_scan
Runs a Semgrep scan on provided code content and returns the findings in JSON format Args: code_files: List of dictionaries with 'filename' and 'content' keys config: Semgrep configuration (e.g. "auto" or absolute path to rule file) Returns: Dictionary with scan results in Semgrep JSON format
start_scan
Starts a Semgrep scan with progress updates via notifications Args: ctx: MCP context for sending notifications target_path: Absolute path to the file or directory to scan config: Semgrep configuration (e.g. "auto" or absolute path to rule file) Returns: Dictionary with scan information
README
<p align="center"> <a href="https://semgrep.dev"> <picture> <source media="(prefers-color-scheme: light)" srcset="images/semgrep-logo-light.svg"> <source media="(prefers-color-scheme: dark)" srcset="images/semgrep-logo-dark.svg"> <img src="https://raw.githubusercontent.com/semgrep/mcp/main/images/semgrep-logo-light.svg" height="60" alt="Semgrep logo"/> </picture> </a> </p> <p align="center"> <a href="https://semgrep.dev/docs/"> <img src="https://img.shields.io/badge/Semgrep-docs-2acfa6?style=flat-square" alt="Documentation" /> </a> <a href="https://go.semgrep.dev/slack"> <img src="https://img.shields.io/badge/Slack-4.5k%20-4A154B?style=flat-square&logo=slack&logoColor=white" alt="Join Semgrep community Slack" /> </a> <a href="https://www.linkedin.com/company/semgrep/"> <img src="https://img.shields.io/badge/LinkedIn-follow-0a66c2?style=flat-square" alt="Follow on LinkedIn" /> </a> <a href="https://x.com/intent/follow?screen_name=semgrep"> <img src="https://img.shields.io/badge/semgrep-000000?style=flat-square&logo=x&logoColor=white?style=flat-square" alt="Follow @semgrep on X" /> </a> </p>
Semgrep MCP Server
An MCP server for using Semgrep to scan code for security vulnerabilies. Secure your vibe coding! 😅
Model Context Protocol (MCP) is a standardized API for LLMs, Agents, and IDEs like Cursor, VS Code, Windsurf, or anything that supports MCP, to get specialized help, context, and harness the power of tools. Semgrep is a fast, deterministic static analysis semantically understands many languages and comes with with over 5,000 rules. 🛠️
[!NOTE] This beta project is under active development, we would love your feedback, bug reports, feature requests, and code. Join the
#mcpcommunity slack channel!
Contents
- Getting Started
- Demo
- API
- Usage
- Semgrep AppSec Platform
- Integrations
- Contributing, Community, and Running From Source
Getting started
Run the python package as a CLI command using uv:
uvx semgrep-mcp # see --help for more options
or as a docker container:
docker run -i --rm ghcr.io/semgrep/mcp -t stdio
Cursor
example mcp.json
{
"mcpServers": {
"semgrep": {
"command": "uvx",
"args": ["semgrep-mcp"],
"env": {
"SEMGREP_APP_TOKEN": "<token>"
}
}
}
}
Add an instruction to your .cursor/rules to use automatically
Always scan code generated using Semgrep for security vulnerabilities
Hosted Server
[!WARNING] This is an experimental server that may break. Once the MCP spec gains support for HTTP Streaming and OAuth in the near future, it will gain new functionality. 🚀
mcp.json
{
"mcpServers": {
"semgrep": {
"url": "https://mcp.semgrep.ai/sse"
}
}
}
Demo
<a href="https://www.loom.com/share/8535d72e4cfc4e1eb1e03ea223a702df"> <img style="max-width:300px;" src="https://cdn.loom.com/sessions/thumbnails/8535d72e4cfc4e1eb1e03ea223a702df-1047fabea7261abb-full-play.gif"> </a>
API
Tools
Enable LLMs to perform actions, make deterministic computations, and interact with external services.
Scanning Code
security_check: Scan code for security vulnerabilitiessemgrep_scan: Scan code files for security vulnerabilities with a given config stringsemgrep_scan_with_custom_rule: Scan code files using a custom Semgrep rule
Understanding Code
get_abstract_syntax_tree: Output the Abstract Syntax Tree (AST) of code
Meta
supported_languages: Return the list of langauges Semgrep supportssemgrep_rule_schema: Fetches the latest semgrep rule JSON Schema
Prompts
Reusable prompts to standardize common LLM interactions.
write_custom_semgrep_rule: Return a prompt to help write a Semgrep rule
Usage
This python package is published to PyPI as semgrep-mcp and can be installed and run with pip, pipx, uv, poetry, or any python package manager.
$ pipx install semgrep-mcp
$ semgrep-mcp --help
Usage: semgrep-mcp [OPTIONS]
Entry point for the MCP server
Supports both stdio and sse transports. For stdio, it will read from stdin
and write to stdout. For sse, it will start an HTTP server on port 8000.
Options:
-v, --version Show version and exit.
-t, --transport [stdio|sse] Transport protocol to use (stdio or sse)
-h, --help Show this message and exit.
Standard Input/Output (stdio)
The stdio transport enables communication through standard input and output streams. This is particularly useful for local integrations and command-line tools. See the spec for more details.
Python
semgrep-mcp
By default, the python package will run in stdio mode. Because it's using the standard input and output streams, it will look like the tool is hanging without any print outs but this is normal.
Docker
This server is published to Github's Container Registry (ghcr.io/semgrep/mcp)
docker run -i --rm ghcr.io/semgrep/mcp -t stdio
By default, the docker container is in SSE mode, so you will have to include -t stdio after the image name and run with -i to run in interactive mode.
Server-Sent Events (SSE)
SSE transport enables server-to-client streaming with HTTP POST requests for client-to-server communication. See the spec for more details.
By default, the server wil listen on 0.0.0.0:8000/sse for client connections. To change any of this, set FASTMCP_* environment variables. The server must be running for clients to connect to it.
Python
semgrep-mcp -t sse
By default, the python package will run in stdio mode, so you will have to include -t sse.
Docker
docker run -p 8000:0000 ghcr.io/semgrep/mcp
Semgrep AppSec Platform
To optionally connect to Semgrep AppSec Platform:
- Login or sign up
- Generate a token from Settings page
- Add it to your environment variables
-
CLI (
export SEMGREP_APP_TOKEN=<token>) -
Docker (
docker run -e SEMGREP_APP_TOKEN=<token>) -
MCP Config JSON
"env": { "SEMGREP_APP_TOKEN": "<token>" }
-
[!TIP] Please reach out to support@semgrep.com if needed. ☎️
Integrations
Cursor IDE
Add the following JSON block to your ~/.cursor/mcp.json global or .cursor/mcp.json project-specific configuration file:
{
"mcpServers": {
"semgrep": {
"command": "uvx",
"args": ["semgrep-mcp"]
}
}
}
See cursor docs for more info.
VS Code / Copilot
Click the install buttons at the top of this README for the quickest installation.
Manual Configuration
Add the following JSON block to your User Settings (JSON) file in VS Code. You can do this by pressing Ctrl + Shift + P and typing Preferences: Open User Settings (JSON).
{
"mcp": {
"servers": {
"semgrep": {
"command": "uvx",
"args": ["semgrep-mcp"]
}
}
}
}
Optionally, you can add it to a file called .vscode/mcp.json in your workspace:
{
"servers": {
"semgrep": {
"command": "uvx",
"args": ["semgrep-mcp"]
}
}
}
Using Docker
{
"mcp": {
"servers": {
"semgrep": {
"command": "docker",
"args": [
"run",
"-i",
"--rm",
"ghcr.io/semgrep/mcp",
"-t",
"stdio"
]
}
}
}
}
See VS Code docs for more info.
Windsurf
Add the following JSON block to your ~/.codeium/windsurf/mcp_config.json file:
{
"mcpServers": {
"semgrep": {
"command": "uvx",
"args": ["semgrep-mcp"]
}
}
}
See Windsurf docs for more info.
Claude Desktop
Add the following JSON block to your claude_desktop_config.json file:
{
"mcpServers": {
"semgrep": {
"command": "uvx",
"args": ["semgrep-mcp"]
}
}
}
See Anthropic docs for more info.
OpenAI
async with MCPServerStdio(
params={
"command": "uvx",
"args": ["semgrep-mcp"],
}
) as server:
tools = await server.list_tools()
See OpenAI Agents SDK docs for more info.
Custom Clients
Example Python SSE Client
from mcp.client import Client
client = Client()
client.connect("localhost:8000")
# Scan code for security issues
results = client.call_tool("semgrep_scan",
{
"code_files": [
{
"filename": "hello_world.py",
"content": "def hello(): ..."
}
]
})
See offical SDK docs for more info.
Contributing, Community, and Running From Source
[!NOTE] We love your feedback, bug reports, feature requests, and code. Join the
#mcpcommunity slack channel!
See CONTRIBUTING.md for more info and details how to run from the MCP server from source code.
Similar Tools 🔍
- semgrep-vscode - Official VS Code extension
- semgrep-intellij - IntelliJ plugin
Community Projects 🌟
- semgrep-rules - The official collection of Semgrep rules
- mcp-server-semgrep - Original inspiration written by Szowesgad and stefanskiasan
MCP Server Registries
-
<a href="https://glama.ai/mcp/servers/4iqti5mgde"> <img width="380" height="200" src="https://glama.ai/mcp/servers/4iqti5mgde/badge" alt="Semgrep Server MCP server" /> </a>
Made with ❤️ by the Semgrep Team
Recommended Servers
playwright-mcp
A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.
Magic Component Platform (MCP)
An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.
MCP Package Docs Server
Facilitates LLMs to efficiently access and fetch structured documentation for packages in Go, Python, and NPM, enhancing software development with multi-language support and performance optimization.
Claude Code MCP
An implementation of Claude Code as a Model Context Protocol server that enables using Claude's software engineering capabilities (code generation, editing, reviewing, and file operations) through the standardized MCP interface.
@kazuph/mcp-taskmanager
Model Context Protocol server for Task Management. This allows Claude Desktop (or any MCP client) to manage and execute tasks in a queue-based system.
Linear MCP Server
Enables interaction with Linear's API for managing issues, teams, and projects programmatically through the Model Context Protocol.
mermaid-mcp-server
A Model Context Protocol (MCP) server that converts Mermaid diagrams to PNG images.
Jira-Context-MCP
MCP server to provide Jira Tickets information to AI coding agents like Cursor
Linear MCP Server
A Model Context Protocol server that integrates with Linear's issue tracking system, allowing LLMs to create, update, search, and comment on Linear issues through natural language interactions.
Sequential Thinking MCP Server
This server facilitates structured problem-solving by breaking down complex issues into sequential steps, supporting revisions, and enabling multiple solution paths through full MCP integration.