
Semgrep MCP Server

A Model Context Protocol (MCP) server for using Semgrep to scan code for security vulnerabilities. Secure your vibe coding! 😅

Model Context Protocol (MCP) is a standardized API for LLMs, Agents, and IDEs like Cursor, VS Code, Windsurf, or anything that supports MCP, to get specialized help, get context, and harness the power of tools. Semgrep is a fast, deterministic static analysis tool that semantically understands many languages and comes with over 5,000 rules. 🛠️

[!NOTE]
This beta project is under active development. We would love your feedback, bug reports, feature requests, and code. Join the #mcp community Slack channel!


Getting started

Install the Semgrep CLI (see the Usage section below), then start the MCP server with its mcp subcommand:

semgrep mcp # see --help for more options

Or, run as a Docker container:

docker run -i --rm semgrep/semgrep semgrep mcp

Cursor

Example mcp.json

{
  "mcpServers": {
    "semgrep": {
      "command": "semgrep",
      "args": ["mcp"],
      "env": {
        "SEMGREP_APP_TOKEN": "<token>"
      }
    }
  }
}

Add an instruction to your .cursor/rules so the agent uses the server automatically:

Always scan generated code for security vulnerabilities using Semgrep

ChatGPT

  1. Go to the Connector Settings page
  2. Name the connection Semgrep
  3. Set MCP Server URL to https://mcp.semgrep.ai/mcp
  4. Set Authentication to No authentication
  5. Check the I trust this application checkbox
  6. Click Create

See more details at the official docs.

Hosted Server

[!WARNING]
mcp.semgrep.ai is an experimental server that may break unexpectedly. It will rapidly gain new functionality.🚀

Cursor

  1. Cmd + Shift + J to open Cursor Settings
  2. Select MCP Tools
  3. Click New MCP Server and add:

{
  "mcpServers": {
    "semgrep": {
      "type": "streamable-http",
      "url": "https://mcp.semgrep.ai/mcp"
    }
  }
}


API

Tools

Enable LLMs to perform actions, make deterministic computations, and interact with external services.

Scan Code

  • security_check: Scan code for security vulnerabilities
  • semgrep_scan: Scan code files for security vulnerabilities with a given config string
  • semgrep_scan_with_custom_rule: Scan code files using a custom Semgrep rule

Understand Code

  • get_abstract_syntax_tree: Output the Abstract Syntax Tree (AST) of code

Cloud Platform (login and Semgrep token required)

  • semgrep_findings: Fetch Semgrep findings from the Semgrep AppSec Platform API

Meta

  • supported_languages: Return the list of languages Semgrep supports
  • semgrep_rule_schema: Fetches the latest semgrep rule JSON Schema

Prompts

Reusable prompts to standardize common LLM interactions.

  • write_custom_semgrep_rule: Return a prompt to help write a Semgrep rule

Resources

Expose data and content to LLMs

  • semgrep://rule/schema: Specification of the Semgrep rule YAML syntax using JSON schema
  • semgrep://rule/{rule_id}/yaml: Full Semgrep rule in YAML format from the Semgrep registry

Usage

In order to use the Semgrep MCP server, you must first have the Semgrep CLI:

$ brew install semgrep

The server can then be invoked via the mcp subcommand:

$ semgrep mcp --help

Usage: semgrep mcp [OPTIONS]

  Entry point for the MCP server

  Supports stdio and streamable-http transports. For stdio, it will read
  from stdin and write to stdout. For streamable-http, it will start
  an HTTP server on port 8000.

Options:
  -v, --version                   Show version and exit.
  -t, --transport [stdio|streamable-http]
                                  Transport protocol to use:
                                  stdio or streamable-http
  -p, --port INTEGER              Port to use for the MCP server
  -h, --help                      Show this message and exit.

Standard Input/Output (stdio)

The stdio transport enables communication through standard input and output streams. This is particularly useful for local integrations and command-line tools. See the spec for more details.

Python

semgrep mcp

By default, the server will run in stdio mode. Because it's using the standard input and output streams, it will look like the tool is hanging without any output, but this is expected.

Docker

The Semgrep binary is published to Docker:

docker run -i --rm semgrep/semgrep semgrep mcp -t stdio

Streamable HTTP

Streamable HTTP enables streaming responses over JSON RPC via HTTP POST requests. See the spec for more details.

By default, the server listens on 127.0.0.1:8000/mcp for client connections. To change any of this, set FASTMCP_* environment variables. The server must be running for clients to connect to it.

Python

semgrep mcp -t streamable-http

By default, the server will run in stdio mode, so you will have to include -t streamable-http.

Docker

docker run -p 127.0.0.1:8000:8000 -e FASTMCP_HOST=0.0.0.0 semgrep/semgrep semgrep mcp -t streamable-http

The -t streamable-http flag is needed here as well, since the default transport is stdio. Inside the container the server binds to 127.0.0.1 by default, which the -p mapping cannot reach, so it must be told to bind to the container's interfaces (FASTMCP_HOST is the FastMCP host setting; the other FASTMCP_* overrides work the same way). Keep the host-side publish bound to 127.0.0.1 as shown: nothing on this page adds authentication to the HTTP transport, so publishing 0.0.0.0:8000 would let any host that can reach that port submit code for scanning.

Server-Sent Events (SSE) (deprecated)

[!WARNING]
The MCP community considers this a legacy transport protocol. We have stopped supporting the SSE transport. Please use Streamable HTTP instead.

Semgrep AppSec Platform

Optionally, to connect to Semgrep AppSec Platform:

  1. Login or sign up
  2. Generate a token from Settings
  3. Add the token to your environment variables:
    • CLI: export SEMGREP_APP_TOKEN=<token>
    • Docker: docker run -e SEMGREP_APP_TOKEN=<token> -i --rm semgrep/semgrep semgrep mcp
    • MCP config JSON:

    "env": {
      "SEMGREP_APP_TOKEN": "<token>"
    }

The token grants access to your Semgrep AppSec Platform account, so treat it as a secret: prefer the shell environment or a user-level config over a project-level file such as .cursor/mcp.json that may end up committed.

[!TIP]
Please reach out for support if needed. ☎️

Integrations

Cursor IDE

  1. Install Semgrep:

    brew install semgrep
    # or
    python3 -m pip install semgrep
  2. Authenticate and install Semgrep Pro:

    semgrep login && semgrep install-semgrep-pro
  3. Add the following JSON block to your ~/.cursor/mcp.json global or .cursor/mcp.json project-specific configuration file:

    {
      "mcpServers": {
        "semgrep": {
          "command": "semgrep",
          "args": ["mcp"],
          "env": {}
        }
      }
    }
  4. Create a .cursor/hooks.json file in your project to enable automatic scanning:

    {
      "version": 1,
      "hooks": {
        "stop": [{"command": "semgrep mcp -k stop-cli-scan -a cursor"}],
        "afterFileEdit": [{"command": "semgrep mcp -k record-file-edit -a cursor"}]
      }
    }


See cursor docs for more info.

VS Code / Copilot

Click the install buttons at the top of this README for the quickest installation.

Manual Configuration

Add the following JSON block to your User Settings (JSON) file in VS Code. You can do this by pressing Ctrl + Shift + P and typing Preferences: Open User Settings (JSON).

{
  "mcp": {
    "servers": {
      "semgrep": {
        "command": "semgrep",
        "args": ["mcp"]
      }
    }
  }
}

Optionally, you can add it to a file called .vscode/mcp.json in your workspace:

{
  "servers": {
    "semgrep": {
      "command": "semgrep",
      "args": ["mcp"]
    }
  }
}

Using Docker

{
  "mcp": {
    "servers": {
      "semgrep": {
        "command": "docker",
        "args": [
          "run",
          "-i",
          "--rm",
          "semgrep/semgrep",
          "semgrep",
          "mcp",
          "-t",
          "stdio"
        ]
      }
    }
  }
}

See VS Code docs for more info.

Windsurf

Add the following JSON block to your ~/.codeium/windsurf/mcp_config.json file:

{
  "mcpServers": {
    "semgrep": {
      "command": "semgrep",
      "args": ["mcp"]
    }
  }
}

See Windsurf docs for more info.

Claude Desktop

Here is a short video showing Claude Desktop using this server to write a custom rule.

Add the following JSON block to your claude_desktop_config.json file:

{
  "mcpServers": {
    "semgrep": {
      "command": "semgrep",
      "args": ["mcp"]
    }
  }
}

See Anthropic docs for more info.

Claude Code

  1. Install Semgrep:

    brew install semgrep
    # or
    python3 -m pip install semgrep
  2. Launch Claude Code in your terminal:

    claude
  3. Add the marketplace source:

    /plugin marketplace add semgrep/mcp-marketplace
  4. Install the plugin:

    /plugin install semgrep-plugin@semgrep
  5. Configure the plugin:

    /semgrep-plugin:setup_semgrep_plugin

    (If that fails, try /plugin enable semgrep-plugin@semgrep)

See Claude Code docs for more info.

OpenAI

See the official docs:

Agents SDK

import asyncio
from agents.mcp import MCPServerStdio  # from the openai-agents package


async def main():
    async with MCPServerStdio(
        params={
            "command": "semgrep",
            "args": ["mcp"],
        }
    ) as server:
        tools = await server.list_tools()
        print([tool.name for tool in tools])

asyncio.run(main())

See OpenAI Agents SDK docs for more info.

Custom clients

Example Python streamable HTTP client

import asyncio
import json
from mcp.client.session import ClientSession
from mcp.client.streamable_http import streamablehttp_client


async def main():
    # Connect to a locally running `semgrep mcp -t streamable-http`
    async with streamablehttp_client("http://localhost:8000/mcp") as (read_stream, write_stream, _):
        async with ClientSession(read_stream, write_stream) as session:
            await session.initialize()
            results = await session.call_tool(
                "semgrep_scan_remote",
                {
                    "code_files": [
                        {
                            "path": "hello_world.py",
                            "content": "def hello(): print('Hello, World!')",
                        }
                    ]
                },
            )
            # The tool returns Semgrep's JSON output as a single text content block
            content_block = results.content[0]
            content = json.loads(content_block.text)
            paths = content.get("paths")
            if paths:
                scanned = paths.get("scanned", [])
                findings = content.get("results", [])
                print(f"Scanned {len(scanned)} paths. Found {len(findings)} findings.")
            else:
                print("Unexpected response:", content)


if __name__ == "__main__":
    asyncio.run(main())

[!TIP]
Some client libraries want the URL: http://localhost:8000/mcp
and others only want the HOST: localhost:8000.
Try out the URL in a web browser to confirm the server is running, and there are no network issues.
Set SEMGREP_IS_HOSTED=true to use the semgrep_scan_remote tool

See official SDK docs for more info.
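As an added example (not code from the Semgrep project or this README), the following Python module packages the pieces an agent loop needs around these tools: a custom rule for one concrete sink, the call arguments for semgrep_scan_with_custom_rule, and a gate over Semgrep's JSON output that fails closed on scan errors rather than only counting findings. It assumes the tool takes the rule YAML in a parameter named rule next to code_files (the page names only the tool), that the result is Semgrep's standard JSON (results, errors, paths.scanned) in one text content block, and that a server is reachable at http://localhost:8000/mcp for the live path; the scan result embedded in the block is constructed so the gate runs offline.

```python
"""Added example (not part of the Semgrep MCP server or its README): a custom
Semgrep rule, the arguments an agent passes to semgrep_scan_with_custom_rule,
and a gate that turns Semgrep's JSON output into an allow/block decision.
Assumptions not stated on the page: the tool takes the rule YAML in a parameter
named `rule` next to `code_files`, and returns Semgrep's standard JSON
(`results`, `errors`, `paths.scanned`) as one text content block.
"""
import json
from collections import Counter

# Custom rule: subprocess calls with shell=True are an OS command injection
# sink whenever part of the command string is attacker-influenced.
SHELL_TRUE_RULE = """\
rules:
  - id: subprocess-shell-true
    languages: [python]
    severity: ERROR
    message: subprocess call with shell=True; pass an argv list and drop shell=True
    pattern: subprocess.$FUNC(..., shell=True, ...)
"""

# Constructed sample of "generated code" that the rule should catch.
GENERATED_FILE = {
    "path": "run_report.py",
    "content": "import subprocess\ndef run(user_input):\n"
               "    subprocess.run('report ' + user_input, shell=True)\n",
}

# Semgrep severities, lowest to highest.
SEVERITY_RANK = {"INFO": 0, "WARNING": 1, "ERROR": 2}


def build_custom_rule_call(rule_yaml, code_files):
    """Tool arguments for semgrep_scan_with_custom_rule (`rule` key is an assumption)."""
    return {"code_files": list(code_files), "rule": rule_yaml}


def gate(scan_json, block_at="WARNING"):
    """Allow/block decision over Semgrep JSON. Findings at or above `block_at`
    block; scan errors (e.g. an unparsable file) also block, failing closed."""
    threshold = SEVERITY_RANK[block_at]
    counts = Counter()
    findings = []
    for r in scan_json.get("results", []):
        extra = r.get("extra", {})
        sev = str(extra.get("severity", "INFO")).upper()
        counts[sev] += 1
        findings.append({
            "rule": r.get("check_id"),
            "path": r.get("path"),
            "line": r.get("start", {}).get("line"),
            "severity": sev,
            "message": extra.get("message", ""),
        })
    blocking = [f for f in findings if SEVERITY_RANK.get(f["severity"], 0) >= threshold]
    errors = [e.get("message", str(e)) if isinstance(e, dict) else str(e)
              for e in scan_json.get("errors", [])]
    return {
        "allow": not blocking and not errors,
        "blocking": blocking,
        "counts": dict(counts),
        "errors": errors,
        "scanned": scan_json.get("paths", {}).get("scanned", []),
    }


# Constructed sample of what Semgrep reports for GENERATED_FILE under
# SHELL_TRUE_RULE; the shape follows `semgrep --json` output.
SAMPLE_SCAN_JSON = {
    "results": [{
        "check_id": "subprocess-shell-true",
        "path": "run_report.py",
        "start": {"line": 3, "col": 5},
        "extra": {
            "severity": "ERROR",
            "message": "subprocess call with shell=True; pass an argv list and drop shell=True",
        },
    }],
    "errors": [],
    "paths": {"scanned": ["run_report.py"]},
}


async def scan_live(url="http://localhost:8000/mcp"):
    """Same rule through a running `semgrep mcp -t streamable-http` server."""
    from mcp.client.session import ClientSession
    from mcp.client.streamable_http import streamablehttp_client

    async with streamablehttp_client(url) as (read, write, _):
        async with ClientSession(read, write) as session:
            await session.initialize()
            result = await session.call_tool(
                "semgrep_scan_with_custom_rule",
                build_custom_rule_call(SHELL_TRUE_RULE, [GENERATED_FILE]),
            )
            return gate(json.loads(result.content[0].text))


if __name__ == "__main__":
    print(json.dumps(gate(SAMPLE_SCAN_JSON), indent=2))
```

Run it as-is to see the decision on the constructed result; with a server up, asyncio.run(scan_live()) sends the same rule and file through the tool. The threshold defaults to WARNING so that a generated change with any WARNING or ERROR finding is held back, and paths.scanned is kept in the result so a caller can notice when a file it submitted was silently skipped.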

Contributing, community, and running from source

[!NOTE]
We love your feedback, bug reports, feature requests, and code. Join the #mcp community Slack channel!

See CONTRIBUTING.md for more info and details on how to run the MCP server from source.


Made with ❤️ by the Semgrep Team
