Skip to main content
Glama
Sign In
enesjakozh

Semgrep MCP Server

Official
by semgrep
GitHub
Python
MIT License
68
  • Linux
  • Apple
RedditDiscord
OverviewInspectNewSchemaRelated ServersReviewsScore
Need Help?View Source CodeReport Issue

hybrid server

The server is able to function both locally and remotely, depending on the configuration or use case.

Integrations

  • Provides instructions for running the MCP server in a containerized environment using Docker.

  • Includes integration references for accessing repositories and issue tracking functionality.

  • Provides a Python client interface for interacting with the MCP server and executing Semgrep scans programmatically.

Semgrep MCP Server

An MCP server for using Semgrep to scan code for security vulnerabilies. Secure your vibe coding! 😅

Model Context Protocol (MCP) is a standardized API for LLMs, Agents, and IDEs like Cursor, VS Code, Windsurf, or anything that supports MCP, to get specialized help, context, and harness the power of tools. Semgrep is a fast, deterministic static analysis semantically understands many languages and comes with with over 5,000 rules. 🛠️

Note

This beta project is under active development, we would love your feedback, bug reports, feature requests, and code. Join the #mcp community slack channel!

Contents

Getting started

Run the python package as a CLI command using uv:

uvx semgrep-mcp # see --help for more options

or as a docker container:

docker run -i --rm ghcr.io/semgrep/mcp -t stdio

Cursor

example mcp.json

{ "mcpServers": { "semgrep": { "command": "uvx", "args": ["semgrep-mcp"], "env": { "SEMGREP_APP_TOKEN": "<token>" } } } }

Add an instruction to your .cursor/rules to use automatically

Always scan code generated using Semgrep for security vulnerabilities

Hosted Server

Warning

This is an experimental server that may break. Once the MCP spec gains support for HTTP Streaming and OAuth in the near future, it will gain new functionality. 🚀

mcp.json

{ "mcpServers": { "semgrep": { "url": "https://mcp.semgrep.ai/sse" } } }

Demo

API

Tools

Enable LLMs to perform actions, make deterministic computations, and interact with external services.

Scanning Code

  • security_check: Scan code for security vulnerabilities
  • semgrep_scan: Scan code files for security vulnerabilities with a given config string
  • semgrep_scan_with_custom_rule: Scan code files using a custom Semgrep rule

Understanding Code

  • get_abstract_syntax_tree: Output the Abstract Syntax Tree (AST) of code

Meta

  • supported_languages: Return the list of langauges Semgrep supports
  • semgrep_rule_schema: Fetches the latest semgrep rule JSON Schema

Prompts

Reusable prompts to standardize common LLM interactions.

  • write_custom_semgrep_rule: Return a prompt to help write a Semgrep rule

Resources

Expose data and content to LLMs

  • semgrep://rule/schema: Specification of the Semgrep rule YAML syntax using JSON schema
  • semgrep://rule/{rule_id}/yaml: Full Semgrep rule in YAML format from the Semgrep registry

Usage

This python package is published to PyPI as semgrep-mcp and can be installed and run with pip, pipx, uv, poetry, or any python package manager.

$ pipx install semgrep-mcp $ semgrep-mcp --help Usage: semgrep-mcp [OPTIONS] Entry point for the MCP server Supports both stdio and sse transports. For stdio, it will read from stdin and write to stdout. For sse, it will start an HTTP server on port 8000. Options: -v, --version Show version and exit. -t, --transport [stdio|sse] Transport protocol to use (stdio or sse) -h, --help Show this message and exit.

Standard Input/Output (stdio)

The stdio transport enables communication through standard input and output streams. This is particularly useful for local integrations and command-line tools. See the spec for more details.

Python

semgrep-mcp

By default, the python package will run in stdio mode. Because it's using the standard input and output streams, it will look like the tool is hanging without any print outs but this is normal.

Docker

This server is published to Github's Container Registry (ghcr.io/semgrep/mcp)

docker run -i --rm ghcr.io/semgrep/mcp -t stdio

By default, the docker container is in SSE mode, so you will have to include -t stdio after the image name and run with -i to run in interactive mode.

Server-Sent Events (SSE)

SSE transport enables server-to-client streaming with HTTP POST requests for client-to-server communication. See the spec for more details.

By default, the server wil listen on 0.0.0.0:8000/sse for client connections. To change any of this, set FASTMCP_* environment variables. The server must be running for clients to connect to it.

Python

semgrep-mcp -t sse

By default, the python package will run in stdio mode, so you will have to include -t sse.

Docker

docker run -p 8000:0000 ghcr.io/semgrep/mcp

Semgrep AppSec Platform

To optionally connect to Semgrep AppSec Platform:

  1. Login or sign up
  2. Generate a token from Settings page
  3. Add it to your environment variables
    • CLI (export SEMGREP_APP_TOKEN=<token>)
    • Docker (docker run -e SEMGREP_APP_TOKEN=<token>)
    • MCP Config JSON
      "env": { "SEMGREP_APP_TOKEN": "<token>" }

Tip

Please reach out to support@semgrep.com if needed. ☎️

Integrations

Cursor IDE

Add the following JSON block to your ~/.cursor/mcp.json global or .cursor/mcp.json project-specific configuration file:

{ "mcpServers": { "semgrep": { "command": "uvx", "args": ["semgrep-mcp"] } } }

See cursor docs for more info.

VS Code / Copilot

Click the install buttons at the top of this README for the quickest installation.

Manual Configuration

Add the following JSON block to your User Settings (JSON) file in VS Code. You can do this by pressing Ctrl + Shift + P and typing Preferences: Open User Settings (JSON).

{ "mcp": { "servers": { "semgrep": { "command": "uvx", "args": ["semgrep-mcp"] } } } }

Optionally, you can add it to a file called .vscode/mcp.json in your workspace:

{ "servers": { "semgrep": { "command": "uvx", "args": ["semgrep-mcp"] } } }

Using Docker

{ "mcp": { "servers": { "semgrep": { "command": "docker", "args": [ "run", "-i", "--rm", "ghcr.io/semgrep/mcp", "-t", "stdio" ] } } } }

See VS Code docs for more info.

Windsurf

Add the following JSON block to your ~/.codeium/windsurf/mcp_config.json file:

{ "mcpServers": { "semgrep": { "command": "uvx", "args": ["semgrep-mcp"] } } }

See Windsurf docs for more info.

Claude Desktop

Here is a short video showing Claude Desktop using this server to write a custom rule.

Add the following JSON block to your claude_desktop_config.json file:

{ "mcpServers": { "semgrep": { "command": "uvx", "args": ["semgrep-mcp"] } } }

See Anthropic docs for more info.

OpenAI

async with MCPServerStdio( params={ "command": "uvx", "args": ["semgrep-mcp"], } ) as server: tools = await server.list_tools()

See OpenAI Agents SDK docs for more info.

Custom Clients

Example Python SSE Client

See a full example in examples/sse_client.py

from mcp.client.session import ClientSession from mcp.client.sse import sse_client async def main(): async with sse_client("http://localhost:8000/sse") as (read_stream, write_stream): async with ClientSession(read_stream, write_stream) as session: await session.initialize() results = await session.call_tool( "semgrep_scan", { "code_files": [ { "filename": "hello_world.py", "content": "def hello(): print('Hello, World!')", } ] }, ) print(results)

Tip

Some client libraries want the URL: http://localhost:8000/sse and others only want the HOST: localhost:8000. Try it out the URL in a web browser to confirm the server is running and there are no network issues.

See offical SDK docs for more info.

Contributing, Community, and Running From Source

Note

We love your feedback, bug reports, feature requests, and code. Join the #mcp community slack channel!

See CONTRIBUTING.md for more info and details how to run from the MCP server from source code.

Similar Tools 🔍

Community Projects 🌟

MCP Server Registries

Made with ❤️ by the Semgrep Team

You must be authenticated.

A
security – no known vulnerabilities
A
license - permissive license
A
quality - confirmed to work

Tools

An MCP server that provides a comprehensive interface to Semgrep, enabling users to scan code for security vulnerabilities, create custom rules, and analyze scan results through the Model Context Protocol.

  1. Contents
    1. Getting started
      1. Cursor
      2. Hosted Server
    2. Demo
      1. API
        1. Tools
        2. Prompts
        3. Resources
      2. Usage
        1. Standard Input/Output (stdio)
        2. Server-Sent Events (SSE)
      3. Semgrep AppSec Platform
        1. Integrations
          1. Cursor IDE
          2. VS Code / Copilot
          3. Windsurf
          4. Claude Desktop
          5. OpenAI
          6. Custom Clients
        2. Contributing, Community, and Running From Source
          1. Similar Tools 🔍
          2. Community Projects 🌟
          3. MCP Server Registries

        Related Resources

        Appeared in Searches

        ID: 4iqti5mgde