Verified asset on Archimedes Market. View the full 4-dimension Trust Report (security · quality · license · complexity) and the curated catalog on the asset page.

MCP Semgrep Scanner

Run Semgrep static analysis from an AI agent. Lets an agent scan a repo with prebuilt rulesets (OWASP top 10, secrets, language-specific packs), surface findings with severity scoring, and run baseline diffs to focus only on newly-introduced issues.

Tools

• scan — run a default scan (p/security-audit + p/secrets) and return findings sorted by severity

• scan_with_ruleset — scan with one or more named rulesets (p/owasp-top-ten, p/python, etc.)

• list_rulesets — built-in rulesets available without a Semgrep account

• get_finding_details — full rule metadata + remediation hint for a finding ID

• baseline_scan — scan only files modified since a git ref (HEAD~1, main, custom SHA)

What gets returned

Each finding includes:

• rule_id — the Semgrep rule that matched

• severity — ERROR | WARNING | INFO

• cwe — CWE classification if available

• owasp — OWASP category mapping

• file + line_start + line_end

• message — human-readable explanation

• fix — suggested patch if available

Quick start

pip install mcp-semgrep-scanner
# Optional: Semgrep account token for Pro rules
export SEMGREP_APP_TOKEN="..."
mcp-semgrep-scanner serve

Typical agent workflow

Agent: "Are there any security issues in this PR?"
↓
1. baseline_scan(repo="/path/to/repo", base_ref="origin/main")
   → returns only findings introduced by the PR's diff
2. get_finding_details(finding_id=...) for the ERROR-severity ones
3. Agent suggests fixes inline in PR review

License

MIT.