MCP
A MCP server for using Semgrep to scan code for security vulnerabilities.
Install / Use
/learn @semgrep/MCPQuality Score
Category
Development & EngineeringSupported Platforms
README
⚠️ The Semgrep MCP server has been moved from a standalone repo to the main semgrep repository! ⚠️
This repository has been deprecated, and further updates to the Semgrep MCP server will be made via the official semgrep binary.
Semgrep MCP Server
A Model Context Protocol (MCP) server for using Semgrep to scan code for security vulnerabilities. Secure your vibe coding! 😅
Model Context Protocol (MCP) is a standardized API for LLMs, Agents, and IDEs like Cursor, VS Code, Windsurf, or anything that supports MCP, to get specialized help, get context, and harness the power of tools. Semgrep is a fast, deterministic static analysis tool that semantically understands many languages and comes with over 5,000 rules. 🛠️
[!NOTE] This beta project is under active development. We would love your feedback, bug reports, feature requests, and code. Join the
#mcpcommunity Slack channel!
Contents
- Semgrep MCP Server
Getting started
Run the Python package as a CLI command using uv:
uvx semgrep-mcp # see --help for more options
Or, run as a Docker container:
docker run -i --rm ghcr.io/semgrep/mcp -t stdio
Cursor
Example mcp.json
{
"mcpServers": {
"semgrep": {
"command": "uvx",
"args": ["semgrep-mcp"],
"env": {
"SEMGREP_APP_TOKEN": "<token>"
}
}
}
}
Add an instruction to your .cursor/rules to use automatically:
Always scan code generated using Semgrep for security vulnerabilities
ChatGPT
- Go to the Connector Settings page (direct link)
- Name the connection
Semgrep - Set MCP Server URL to
https://mcp.semgrep.ai/sse - Set Authentication to
No authentication - Check the I trust this application checkbox
- Click Create
See more details at the official docs.
Hosted Server
[!WARNING] mcp.semgrep.ai is an experimental server that may break unexpectedly. It will rapidly gain new functionality.🚀
Cursor
- Cmd + Shift + J to open Cursor Settings
- Select MCP Tools
- Click New MCP Server.
{
"mcpServers": {
"semgrep": {
"type": "streamable-http",
"url": "https://mcp.semgrep.ai/mcp"
}
}
}
Demo
<a href="https://www.loom.com/share/8535d72e4cfc4e1eb1e03ea223a702df"> <img style="max-width:300px;" src="https://cdn.loom.com/sessions/thumbnails/8535d72e4cfc4e1eb1e03ea223a702df-1047fabea7261abb-full-play.gif"> </a>
API
Tools
Enable LLMs to perform actions, make deterministic computations, and interact with external services.
Scan Code
security_check: Scan code for security vulnerabilitiessemgrep_scan: Scan code files for security vulnerabilities with a given config stringsemgrep_scan_with_custom_rule: Scan code files using a custom Semgrep rule
Understand Code
get_abstract_syntax_tree: Output the Abstract Syntax Tree (AST) of code
Cloud Platform (login and Semgrep token required)
semgrep_findings: Fetch Semgrep findings from the Semgrep AppSec Platform API
Meta
supported_languages: Return the list of languages Semgrep supportssemgrep_rule_schema: Fetches the latest semgrep rule JSON Schema
Prompts
Reusable prompts to standardize common LLM interactions.
write_custom_semgrep_rule: Return a prompt to help write a Semgrep rule
Resources
Expose data and content to LLMs
semgrep://rule/schema: Specification of the Semgrep rule YAML syntax using JSON schemasemgrep://rule/{rule_id}/yaml: Full Semgrep rule in YAML format from the Semgrep registry
Usage
This Python package is published to PyPI as semgrep-mcp and can be installed and run with pip, pipx, uv, poetry, or any Python package manager.
$ pipx install semgrep-mcp
$ semgrep-mc
