The Semgrep MCP Server provides a Model Context Protocol (MCP) interface for static code analysis and security scanning using Semgrep. With this server, you can:
Start scans using code content (start_scan_from_content), target files/directories (start_scan), or custom rules
Monitor scan status of ongoing scans (get_scan_status)
Retrieve scan results from completed scans (get_scan_results)
Run direct scans to get findings in JSON format (semgrep_scan)
Get supported languages that Semgrep can analyze
Configure scans with specific rules or 'auto' mode
Obtain Abstract Syntax Trees (AST) of code
Access resources like rule schemas and registry rules
Generate prompts to assist in writing custom Semgrep rules
These capabilities enable integration with IDEs, LLMs, and other tools for effective security vulnerability detection.
Provides instructions for running the MCP server in a containerized environment using Docker.
Includes integration references for accessing repositories and issue tracking functionality.
Provides a Python client interface for interacting with the MCP server and executing Semgrep scans programmatically.
References community access through Slack for support and collaboration with other users.
⚠️ The Semgrep MCP server has been moved from a standalone repo to the
This repository has been deprecated, and further updates to the Semgrep MCP server will be made via the official
Semgrep MCP Server
A Model Context Protocol (MCP) server for using Semgrep to scan code for security vulnerabilities. Secure your vibe coding! 😅
Model Context Protocol (MCP) is a standardized API for LLMs, Agents, and IDEs like Cursor, VS Code, Windsurf, or anything that supports MCP, to get specialized help, get context, and harness the power of tools. Semgrep is a fast, deterministic static analysis tool that semantically understands many languages and comes with over 5,000 rules. 🛠️
This beta project is under active development. We would love your feedback, bug reports, feature requests, and code. Join the #mcp community Slack channel!
Related MCP server: Semgrep MCP Server
Contents
Getting started
Run the Python package as a CLI command using uv:
Or, run as a Docker container:
Cursor
Example mcp.json
Add an instruction to your .cursor/rules to use automatically:
ChatGPT
Go to the Connector Settings page (direct link)
Name the connection Semgrep
Set MCP Server URL to https://mcp.semgrep.ai/sse
Set Authentication to No authentication
Check the I trust this application checkbox
Click Create
See more details at the official docs.
Hosted Server
mcp.semgrep.ai is an experimental server that may break unexpectedly. It will rapidly gain new functionality. 🚀
Cursor
Cmd + Shift + J to open Cursor Settings
Select MCP Tools
Click New MCP Server.
Demo
API
Tools
Enable LLMs to perform actions, make deterministic computations, and interact with external services.
Scan Code
security_check: Scan code for security vulnerabilities
semgrep_scan: Scan code files for security vulnerabilities with a given config string
semgrep_scan_with_custom_rule: Scan code files using a custom Semgrep rule
Understand Code
get_abstract_syntax_tree: Output the Abstract Syntax Tree (AST) of code
Cloud Platform (login and Semgrep token required)
semgrep_findings: Fetch Semgrep findings from the Semgrep AppSec Platform API
Meta
supported_languages: Return the list of languages Semgrep supports
semgrep_rule_schema: Fetches the latest semgrep rule JSON Schema
Prompts
Reusable prompts to standardize common LLM interactions.
write_custom_semgrep_rule: Return a prompt to help write a Semgrep rule
Resources
Expose data and content to LLMs
semgrep://rule/schema: Specification of the Semgrep rule YAML syntax using JSON schema
semgrep://rule/{rule_id}/yaml: Full Semgrep rule in YAML format from the Semgrep registry
Usage
This Python package is published to PyPI as semgrep-mcp and can be installed and run with pip, pipx, uv, poetry, or any Python package manager.
Standard Input/Output (stdio)
The stdio transport enables communication through standard input and output streams. This is particularly useful for local integrations and command-line tools. See the spec for more details.
Python
By default, the Python package will run in stdio mode. Because it's using the standard input and output streams, it will look like the tool is hanging without any output, but this is expected.
Docker
This server is published to GitHub's Container Registry (ghcr.io/semgrep/mcp).
By default, the Docker container is in SSE mode, so you will have to include -t stdio after the image name and run with -i to run in interactive mode.
Streamable HTTP
Streamable HTTP enables streaming responses over JSON RPC via HTTP POST requests. See the spec for more details.
By default, the server listens on 127.0.0.1:8000/mcp for client connections. To change any of this, set FASTMCP_* environment variables. The server must be running for clients to connect to it.
Python
By default, the Python package will run in stdio mode, so you will have to include -t streamable-http.
Docker
Server-sent events (SSE)
The MCP community considers this a legacy transport protocol, kept mainly for backwards compatibility. Streamable HTTP is the recommended replacement.
The SSE transport uses Server-Sent Events for server-to-client streaming as part of the client-to-server and server-to-client communication. See the spec for more details.
By default, the server listens on 127.0.0.1:8000/sse for client connections. To change any of this, set FASTMCP_* environment variables. The server must be running for clients to connect to it.
Python
By default, the Python package will run in stdio mode, so you will have to include -t sse.
Docker
Semgrep AppSec Platform
Optionally, to connect to Semgrep AppSec Platform:
Login or sign up
Generate a token from Settings
Add the token to your environment variables:
CLI (export SEMGREP_APP_TOKEN=<token>)
Docker (docker run -e SEMGREP_APP_TOKEN=<token>)
MCP config JSON
Please reach out for support if needed. ☎️
Integrations
Cursor IDE
Add the following JSON block to your ~/.cursor/mcp.json global or .cursor/mcp.json project-specific configuration file:

See cursor docs for more info.
VS Code / Copilot
Click the install buttons at the top of this README for the quickest installation.
Manual Configuration
Add the following JSON block to your User Settings (JSON) file in VS Code. You can do this by pressing Ctrl + Shift + P and typing Preferences: Open User Settings (JSON).
Optionally, you can add it to a file called .vscode/mcp.json in your workspace:
Using Docker
See VS Code docs for more info.
Windsurf
Add the following JSON block to your ~/.codeium/windsurf/mcp_config.json file:
See Windsurf docs for more info.
Claude Desktop
Here is a short video showing Claude Desktop using this server to write a custom rule.
Add the following JSON block to your claude_desktop_config.json file:
See Anthropic docs for more info.
Claude Code
See Claude Code docs for more info.
OpenAI
See the official docs:
https://platform.openai.com/docs/mcp
https://platform.openai.com/docs/guides/tools-remote-mcp
Agents SDK
See OpenAI Agents SDK docs for more info.
Custom clients
Example Python SSE client
See a full example in examples/sse_client.py
Some client libraries want the URL: http://localhost:8000/sse
and others only want the HOST: localhost:8000.
Try out the URL in a web browser to confirm the server is running, and there are no network issues.
See official SDK docs for more info.
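As an added example (not the project's examples/sse_client.py), here is a minimal custom client that connects to the server's SSE endpoint with the official MCP Python SDK, calls the semgrep_scan tool on an inline snippet, and reduces the returned semgrep JSON report to a findings summary. The semgrep_scan argument names (code_files, filename, content, config) and the assumption that the tool returns its JSON report as a text content block are assumptions, not taken from this README; the sample report is constructed so the summariser can be exercised offline.

```python
# Added example, not the project's examples/sse_client.py: talk to the Semgrep MCP
# server over its SSE transport, call the semgrep_scan tool on an inline snippet and
# summarise the JSON report. The semgrep_scan argument names (code_files/filename/
# content/config) are assumed, not taken from this README.
import asyncio
import json
from typing import Any

SSE_URL = "http://localhost:8000/sse"  # default SSE endpoint named in the README

# Constructed sample of a semgrep JSON report, so the summariser can run offline.
SAMPLE_SCAN_OUTPUT = json.dumps({"errors": [], "results": [
    {"check_id": "example.rules.eval-detected", "path": "app.py",
     "start": {"line": 3}, "extra": {"severity": "WARNING", "message": "eval() detected"}},
    {"check_id": "example.rules.raw-sql-query", "path": "db.py",
     "start": {"line": 12}, "extra": {"severity": "ERROR", "message": "raw SQL from input"}},
]})


def summarize_findings(scan_json: str) -> dict[str, Any]:
    """Reduce a semgrep JSON report to a flat findings list plus per-severity counts."""
    report = json.loads(scan_json)
    findings = [{"rule": r["check_id"], "severity": r["extra"]["severity"],
                 "location": f'{r["path"]}:{r["start"]["line"]}',
                 "message": r["extra"]["message"]} for r in report.get("results", [])]
    by_severity: dict[str, int] = {}
    for f in findings:
        by_severity[f["severity"]] = by_severity.get(f["severity"], 0) + 1
    return {"findings": findings, "by_severity": by_severity,
            "errors": len(report.get("errors", []))}


async def scan_snippet(filename: str, content: str, config: str = "auto") -> dict[str, Any]:
    """Run semgrep_scan through a live MCP server over SSE and summarise the result."""
    from mcp import ClientSession           # official MCP Python SDK (pip install mcp)
    from mcp.client.sse import sse_client

    async with sse_client(SSE_URL) as (read, write):
        async with ClientSession(read, write) as session:
            await session.initialize()      # MCP handshake before any tool call
            result = await session.call_tool("semgrep_scan", {
                "code_files": [{"filename": filename, "content": content}],
                "config": config,
            })
            # Tool output arrives as content blocks; the JSON report is in the text block.
            text = next(c.text for c in result.content if getattr(c, "type", "") == "text")
            return summarize_findings(text)


if __name__ == "__main__":
    print(asyncio.run(scan_snippet("app.py", "import os\nos.system(input())\n")))
```

The server must already be running in SSE mode (for example with -t sse) before the script is started, otherwise the connection in scan_snippet fails.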
Contributing, community, and running from source
We love your feedback, bug reports, feature requests, and code. Join the #mcp community Slack channel!
See CONTRIBUTING.md for more info and details on how to run the MCP server from source code.
Similar tools 🔍
semgrep-vscode - Official VS Code extension
semgrep-intellij - IntelliJ plugin
Community projects 🌟
semgrep-rules - The official collection of Semgrep rules
mcp-server-semgrep - Original inspiration written by Szowesgad and stefanskiasan
MCP server registries
Made with ❤️ by the Semgrep Team