-
securityF
license-
qualityA Model Context Protocol server that enables AI assistants like Claude to perform Python development tasks through file operations, code analysis, project management, and safe code execution.
Last updated -
5
MCP Server Semgrep
POWERED BY:
About the Project
This project was initially inspired by robustness of Semgrep tool, The Replit Team and their Agent V2, as well as the implementation by stefanskiasan/semgrep-mcp-server, but has evolved with significant architectural changes for enhanced and easier installation and maintenance.
MCP Server Semgrep is a Model Context Protocol compliant server that integrates the powerful Semgrep static analysis tool with AI assistants like Anthropic Claude. It enables advanced code analysis, security vulnerability detection, and code quality improvements directly through a conversational interface.
Benefits of Integration
For Developers and Development Teams:
Holistic Source Code Analysis - detecting issues throughout the entire project, not just in individual files
Proactive Error Detection - identifying potential problems before they become critical bugs
Continuous Code Quality Improvement - regular scanning and refactoring lead to gradual codebase improvements
Stylistic Consistency - identification and fixing of inconsistencies in code, such as:
Arbitrary z-index layers in CSS
Inconsistent naming conventions
Code duplication
"Magic numbers" instead of named constants
For Security:
Automated Code Verification for Known Vulnerabilities - scanning for known security issue patterns
Customized Security Rules - creating project-specific rules
Team Education - teaching secure programming practices through detection of potential issues
For Project Maintenance and Development:
"Live" Documentation - AI can explain why a code fragment is problematic and how to fix it
Technical Debt Reduction - systematically detecting and fixing problematic areas
Improved Code Reviews - automatic detection of common issues allows focus on more complex matters
Key Features
Direct integration with the official MCP SDK
Simplified architecture with consolidated handlers
Clean ES Modules implementation
Efficient error handling and path validation for security
Interface and documentation in both English and Polish
Comprehensive unit tests
Extensive documentation
Cross-platform compatibility (Windows, macOS, Linux)
Flexible Semgrep installation detection and management
Functions
Semgrep MCP Server provides the following tools:
scan_directory: Scanning source code for potential issues
list_rules: Displaying available rules and languages supported by Semgrep
analyze_results: Detailed analysis of scan results
create_rule: Creating custom Semgrep rules
filter_results: Filtering results by various criteria
export_results: Exporting results in various formats
compare_results: Comparing two sets of results (e.g., before and after changes)
Common Use Cases
Code security analysis before deployment
Detection of common programming errors
Enforcing coding standards within a team
Refactoring and improving quality of existing code
Identifying inconsistencies in styles and code structure (e.g., CSS, component organization)
Developer education regarding best practices
Verification of fix correctness (comparing before/after scans)
Installation
Prerequisites
Node.js v18+
TypeScript (for development)
Option 1: Install from Smithery.ai (Recommended)
The easiest way to install and use MCP Server Semgrep is through Smithery.ai:
Follow the installation instructions to add it to your MCP-compatible clients
Configure any optional settings like the Semgrep API token
This is the recommended method for Claude Desktop and other MCP clients as it handles all dependencies and configuration automatically.
Option 2: Install from NPM Registry
# Using npm
npm install -g mcp-server-semgrep
# Using pnpm
pnpm add -g mcp-server-semgrep
# Using yarn
yarn global add mcp-server-semgrep
The package is also available on other registries:
Option 3: Install from GitHub
# Using npm
npm install -g git+https://github.com/Szowesgad/mcp-server-semgrep.git
# Using pnpm
pnpm add -g git+https://github.com/Szowesgad/mcp-server-semgrep.git
# Using yarn
yarn global add git+https://github.com/Szowesgad/mcp-server-semgrep.git
Option 4: Local Development Setup
Clone the repository:
git clone https://github.com/Szowesgad/mcp-server-semgrep.git
cd mcp-server-semgrep
Install dependencies (supports all major package managers):
# Using pnpm (recommended)
pnpm install
# Using npm
npm install
# Using yarn
yarn install
Build the project:
# Using pnpm
pnpm run build
# Using npm
npm run build
# Using yarn
yarn build
Note: The installation process will automatically check for Semgrep availability. If Semgrep is not found, you'll receive instructions on how to install it.
Semgrep Installation Options
Semgrep can be installed in several ways:
Via package managers:
# Using pnpm pnpm add -g semgrep # Using npm npm install -g semgrep # Using yarn yarn global add semgrepPython pip:
pip install semgrepHomebrew (macOS):
brew install semgrepLinux:
sudo apt-get install semgrep # or curl -sSL https://install.semgrep.dev | shWindows:
pip install semgrep
Integration with Claude Desktop
There are two ways to integrate MCP Server Semgrep with Claude Desktop:
Method 1: Install via Smithery.ai (Recommended)
Click "Install in Claude Desktop"
Follow the on-screen instructions
Method 2: Manual Configuration
Install Claude Desktop
Update the Claude Desktop configuration file (
claude_desktop_config.json) and add this to your servers section:
{
"mcpServers": {
"semgrep": {
"command": "node",
"args": [
"/your_path/mcp-server-semgrep/build/index.js"
],
"env": {
"SEMGREP_APP_TOKEN": "your_semgrep_app_token"
}
}
}
}
Launch Claude Desktop and start asking questions about code analysis!
Usage Examples
Project Scanning
Could you scan my source code in the /projects/my-application directory for potential security issues?
Style Consistency Analysis
Analyze the z-index values in the project's CSS files and identify inconsistencies and potential layer conflicts.
Creating a Custom Rule
Create a Semgrep rule that detects improper use of input sanitization functions.
Filtering Results
Show me only scan results related to SQL injection vulnerabilities.
Identifying Problematic Patterns
Find all "magic numbers" in the code and suggest replacing them with named constants.
Creating Custom Rules
You can create custom rules for your project's specific needs. Here are examples of rules you can create:
Rule to detect inconsistent z-indices:
rules:
- id: inconsistent-z-index
pattern: z-index: $Z
message: "Z-index $Z may not comply with the project's layering system"
languages: [css, scss]
severity: WARNING
Rule to detect deprecated imports:
rules:
- id: deprecated-import
pattern: import $X from 'old-library'
message: "You're using a deprecated library. Consider using 'new-library'"
languages: [javascript, typescript]
severity: WARNING
Development
Testing
pnpm test
Project Structure
├── src/
│ ├── config.ts # Server configuration
│ └── index.ts # Main entry point and all handler implementations
├── scripts/
│ └── check-semgrep.js # Semgrep detection and installation helper
├── build/ # Compiled JavaScript (after build)
└── tests/ # Unit tests
Further Documentation
Detailed information on using the tool can be found in:
USAGE.md - Detailed usage instructions
README_PL.md - Documentation in Polish
examples/ - Example fun and practical Semgrep rules - "The Hall of Code Horrors"
License
This project is licensed under the MIT License - see the LICENSE file for details.
Developed by
Maciej Gad - a veterinarian who couldn't find
basha half year agoKlaudiusz - the individual ethereal being, and separate instance of Claude Sonnet 3.5-3.7 by Anthropic living somewhere in the GPU's loops in California, USA
The journey from CLI novice to MCP tool developer
🤖 Developed with the ultimate help of Claude Code and MCP Tools
Acknowledgements
stefanskiasan for the original inspiration
Anthropic for Claude and the MCP protocol
Semgrep for their excellent static analysis tool
This server cannot be installed
hybrid server
The server is able to function both locally and remotely, depending on the configuration or use case.
A Model Context Protocol compliant server that integrates Semgrep static analysis tool with AI assistants like Anthropic Claude, enabling advanced code analysis, security vulnerability detection, and code quality improvements through a conversational interface.
- POWERED BY:
- About the Project
- Benefits of Integration
- Key Features
- Functions
- Common Use Cases
- Installation
- Integration with Claude Desktop
- Usage Examples
- Creating Custom Rules
- Development
- Further Documentation
- License
- Developed by
- Acknowledgements
Related Resources
Related MCP Servers
Semgrep MCP Serverofficial
AsecurityAlicenseAqualityAn MCP server that provides a comprehensive interface to Semgrep, enabling users to scan code for security vulnerabilities, create custom rules, and analyze scan results through the Model Context Protocol.Last updated -6585MIT License- AsecurityFlicenseAqualityA comprehensive Model Context Protocol server for advanced code analysis that provides tools for syntax analysis, dependency visualization, and AI-assisted development workflow support.Last updated -284
- AsecurityAlicenseAqualityAn AI-powered Model Context Protocol server for Claude Code that provides code intelligence tools including codebase analysis, task management, component generation, and deployment configuration.Last updated -2314GPL 3.0