semgrep.com
semgrep.com logo

Semgrep

Integrates with Semgrep's static analysis engine to scan code for security vulnerabilities and coding issues, enabling d...

Created byApr 22, 2025

Semgrep MCP Server

![Install in VS Code UV](https://img.shields.io/badge/VS_Code-uv-0098FF?style=flat-square&logo=githubcopilot&logoColor=white) ![Install in VS Code Docker](https://img.shields.io/badge/VS_Code-docker-0098FF?style=flat-square&logo=githubcopilot&logoColor=white) ![Install in VS Code semgrep.ai](https://img.shields.io/badge/VS_Code-semgrep.ai-0098FF?style=flat-square&logo=githubcopilot&logoColor=white) ![PyPI](https://img.shields.io/pypi/v/semgrep-mcp?style=flat-square&color=blue&logo=python&logoColor=white) ![Docker](https://img.shields.io/badge/docker-ghcr.io%2Fsemgrep%2Fmcp-0098FF?style=flat-square&logo=docker&logoColor=white) ![Install in VS Code Insiders](https://img.shields.io/badge/VS_Code_Insiders-uv-24bfa5?style=flat-square&logo=githubcopilot&logoColor=white) ![Install in VS Code Insiders](https://img.shields.io/badge/VS_Code_Insiders-docker-24bfa5?style=flat-square&logo=githubcopilot&logoColor=white)
A Model Context Protocol (MCP) server for using Semgrep to scan code for security vulnerabilities. Secure your vibe coding!
Model Context Protocol (MCP) is a standardized API for LLMs, Agents, and IDEs like Cursor, VS Code, Windsurf, or anything that supports MCP, to get specialized help, get context, and harness the power of tools. Semgrep is a fast, deterministic static analysis tool that semantically understands many languages and comes with over 5,000 rules.
[!NOTE] This beta project is under active development. We would love your feedback, bug reports, feature requests, and code. Join the #mcp community Slack channel!

Contents

  • Getting Started
  • Demo
  • API
  • Usage
  • Semgrep AppSec Platform
  • Integrations
  • Contributing, Community, and Running From Source

Getting started

Run the Python package as a CLI command using `uv`:
Or, run as a Docker container:

Cursor

Example `mcp.json`
Add an instruction to your `.cursor/rules` to use automatically:

Hosted Server

[!WARNING] This is an experimental server that may break. Once the MCP spec gains support for HTTP Streaming and OAuth in the near future, it will gain new functionality.
mcp.json

Demo

<a href="https://www.loom.com/share/8535d72e4cfc4e1eb1e03ea223a702df"> <img style="max-width:300px;" src="https://cdn.loom.com/sessions/thumbnails/8535d72e4cfc4e1eb1e03ea223a702df-1047fabea7261abb-full-play.gif"> </a>

API

Tools

Enable LLMs to perform actions, make deterministic computations, and interact with external services.

Scan Code

  • security_check: Scan code for security vulnerabilities
  • semgrep_scan: Scan code files for security vulnerabilities with a given config string
  • semgrep_scan_with_custom_rule: Scan code files using a custom Semgrep rule

Understand Code

  • get_abstract_syntax_tree: Output the Abstract Syntax Tree (AST) of code

Meta

  • supported_languages: Return the list of languages Semgrep supports
  • semgrep_rule_schema: Fetches the latest semgrep rule JSON Schema

Prompts

Reusable prompts to standardize common LLM interactions.
  • write_custom_semgrep_rule: Return a prompt to help write a Semgrep rule

Resources

Expose data and content to LLMs
  • semgrep://rule/schema: Specification of the Semgrep rule YAML syntax using JSON schema
  • semgrep://rule/{rule_id}/yaml: Full Semgrep rule in YAML format from the Semgrep registry

Usage

This Python package is published to PyPI as semgrep-mcp and can be installed and run with pip, pipx, uv, poetry, or any Python package manager.

Standard Input/Output (stdio)

The stdio transport enables communication through standard input and output streams. This is particularly useful for local integrations and command-line tools. See the spec for more details.

Python

By default, the Python package will run in stdio mode. Because it's using the standard input and output streams, it will look like the tool is hanging without any output, but this is expected.

Docker

This server is published to Github's Container Registry (ghcr.io/semgrep/mcp)
By default, the Docker container is in SSE mode, so you will have to include -t stdio after the image name and run with -i to run in interactive mode.

Server-sent events (SSE)

SSE transport enables server-to-client streaming with HTTP POST requests for client-to-server communication. See the spec for more details.
By default, the server listens on 0.0.0.0:8000/sse for client connections. To change any of this, set FASTMCP\_\* environment variables. The server must be running for clients to connect to it.

Python

By default, the Python package will run in stdio mode, so you will have to include -t sse.

Docker

Semgrep AppSec Platform

Optionally, to connect to Semgrep AppSec Platform:
  1. Login or sign up
  1. Generate a token from Settings
  1. Add the token to your environment variables:
[!TIP] Please reach out to support@semgrep.com if needed.

Integrations

Cursor IDE

Add the following JSON block to your ~/.cursor/mcp.json global or .cursor/mcp.json project-specific configuration file:
cursor MCP settings
See cursor docs for more info.

VS Code / Copilot

Click the install buttons at the top of this README for the quickest installation.

Manual Configuration

Add the following JSON block to your User Settings (JSON) file in VS Code. You can do this by pressing Ctrl + Shift + P and typing Preferences: Open User Settings (JSON).
Optionally, you can add it to a file called .vscode/mcp.json in your workspace:

Using Docker

See VS Code docs for more info.

Windsurf

Add the following JSON block to your ~/.codeium/windsurf/mcp_config.json file:
See Windsurf docs for more info.

Claude Desktop

Here is a short video showing Claude Desktop using this server to write a custom rule.
Add the following JSON block to your claude_desktop_config.json file:
See Anthropic docs for more info.

OpenAI

See OpenAI Agents SDK docs for more info.

Custom clients

Example Python SSE client

See a full example in examples/sse_client.py
[!TIP] Some client libraries want the URL: http://localhost:8000/sse and others only want the HOST: localhost:8000. Try out the URL in a web browser to confirm the server is running, and there are no network issues.
See official SDK docs for more info.

Contributing, community, and running from source

[!NOTE] We love your feedback, bug reports, feature requests, and code. Join the #mcp community Slack channel!
See CONTRIBUTING.md for more info and details on how to run from the MCP server from source code.

Similar tools

Community projects

MCP server registries

Made with by the Semgrep Team

Semgrep MCP Server

![Install in VS Code UV](https://img.shields.io/badge/VS_Code-uv-0098FF?style=flat-square&logo=githubcopilot&logoColor=white) ![Install in VS Code Docker](https://img.shields.io/badge/VS_Code-docker-0098FF?style=flat-square&logo=githubcopilot&logoColor=white) ![Install in VS Code semgrep.ai](https://img.shields.io/badge/VS_Code-semgrep.ai-0098FF?style=flat-square&logo=githubcopilot&logoColor=white) ![PyPI](https://img.shields.io/pypi/v/semgrep-mcp?style=flat-square&color=blue&logo=python&logoColor=white) ![Docker](https://img.shields.io/badge/docker-ghcr.io%2Fsemgrep%2Fmcp-0098FF?style=flat-square&logo=docker&logoColor=white) ![Install in VS Code Insiders](https://img.shields.io/badge/VS_Code_Insiders-uv-24bfa5?style=flat-square&logo=githubcopilot&logoColor=white) ![Install in VS Code Insiders](https://img.shields.io/badge/VS_Code_Insiders-docker-24bfa5?style=flat-square&logo=githubcopilot&logoColor=white)
A Model Context Protocol (MCP) server for using Semgrep to scan code for security vulnerabilities. Secure your vibe coding!
Model Context Protocol (MCP) is a standardized API for LLMs, Agents, and IDEs like Cursor, VS Code, Windsurf, or anything that supports MCP, to get specialized help, get context, and harness the power of tools. Semgrep is a fast, deterministic static analysis tool that semantically understands many languages and comes with over 5,000 rules.
[!NOTE] This beta project is under active development. We would love your feedback, bug reports, feature requests, and code. Join the #mcp community Slack channel!

Contents

  • Getting Started
  • Demo
  • API
  • Usage
  • Semgrep AppSec Platform
  • Integrations
  • Contributing, Community, and Running From Source

Getting started

Run the Python package as a CLI command using `uv`:
Or, run as a Docker container:

Cursor

Example `mcp.json`
Add an instruction to your `.cursor/rules` to use automatically:

Hosted Server

[!WARNING] This is an experimental server that may break. Once the MCP spec gains support for HTTP Streaming and OAuth in the near future, it will gain new functionality.
mcp.json

Demo

<a href="https://www.loom.com/share/8535d72e4cfc4e1eb1e03ea223a702df"> <img style="max-width:300px;" src="https://cdn.loom.com/sessions/thumbnails/8535d72e4cfc4e1eb1e03ea223a702df-1047fabea7261abb-full-play.gif"> </a>

API

Tools

Enable LLMs to perform actions, make deterministic computations, and interact with external services.

Scan Code

  • security_check: Scan code for security vulnerabilities
  • semgrep_scan: Scan code files for security vulnerabilities with a given config string
  • semgrep_scan_with_custom_rule: Scan code files using a custom Semgrep rule

Understand Code

  • get_abstract_syntax_tree: Output the Abstract Syntax Tree (AST) of code

Meta

  • supported_languages: Return the list of languages Semgrep supports
  • semgrep_rule_schema: Fetches the latest semgrep rule JSON Schema

Prompts

Reusable prompts to standardize common LLM interactions.
  • write_custom_semgrep_rule: Return a prompt to help write a Semgrep rule

Resources

Expose data and content to LLMs
  • semgrep://rule/schema: Specification of the Semgrep rule YAML syntax using JSON schema
  • semgrep://rule/{rule_id}/yaml: Full Semgrep rule in YAML format from the Semgrep registry

Usage

This Python package is published to PyPI as semgrep-mcp and can be installed and run with pip, pipx, uv, poetry, or any Python package manager.

Standard Input/Output (stdio)

The stdio transport enables communication through standard input and output streams. This is particularly useful for local integrations and command-line tools. See the spec for more details.

Python

By default, the Python package will run in stdio mode. Because it's using the standard input and output streams, it will look like the tool is hanging without any output, but this is expected.

Docker

This server is published to Github's Container Registry (ghcr.io/semgrep/mcp)
By default, the Docker container is in SSE mode, so you will have to include -t stdio after the image name and run with -i to run in interactive mode.

Server-sent events (SSE)

SSE transport enables server-to-client streaming with HTTP POST requests for client-to-server communication. See the spec for more details.
By default, the server listens on 0.0.0.0:8000/sse for client connections. To change any of this, set FASTMCP\_\* environment variables. The server must be running for clients to connect to it.

Python

By default, the Python package will run in stdio mode, so you will have to include -t sse.

Docker

Semgrep AppSec Platform

Optionally, to connect to Semgrep AppSec Platform:
  1. Login or sign up
  1. Generate a token from Settings
  1. Add the token to your environment variables:
[!TIP] Please reach out to support@semgrep.com if needed.

Integrations

Cursor IDE

Add the following JSON block to your ~/.cursor/mcp.json global or .cursor/mcp.json project-specific configuration file:
cursor MCP settings
See cursor docs for more info.

VS Code / Copilot

Click the install buttons at the top of this README for the quickest installation.

Manual Configuration

Add the following JSON block to your User Settings (JSON) file in VS Code. You can do this by pressing Ctrl + Shift + P and typing Preferences: Open User Settings (JSON).
Optionally, you can add it to a file called .vscode/mcp.json in your workspace:

Using Docker

See VS Code docs for more info.

Windsurf

Add the following JSON block to your ~/.codeium/windsurf/mcp_config.json file:
See Windsurf docs for more info.

Claude Desktop

Here is a short video showing Claude Desktop using this server to write a custom rule.
Add the following JSON block to your claude_desktop_config.json file:
See Anthropic docs for more info.

OpenAI

See OpenAI Agents SDK docs for more info.

Custom clients

Example Python SSE client

See a full example in examples/sse_client.py
[!TIP] Some client libraries want the URL: http://localhost:8000/sse and others only want the HOST: localhost:8000. Try out the URL in a web browser to confirm the server is running, and there are no network issues.
See official SDK docs for more info.

Contributing, community, and running from source

[!NOTE] We love your feedback, bug reports, feature requests, and code. Join the #mcp community Slack channel!
See CONTRIBUTING.md for more info and details on how to run from the MCP server from source code.

Similar tools

Community projects

MCP server registries

Made with by the Semgrep Team

Related servers

magicslides
magicslides logo

MagicSlides MCP Server

A server that implements the Model Context Protocol (MCP) to generate PowerPoint presentations from text, YouTube videos, or structured JSON data.

A server that implements the Model Context Protocol (MCP) to generate PowerPoint presentations from text, YouTube videos, or structured JSON data.

Zerodha
Zerodha logo

Zerodha MCP Integration

Mcp server to connect with zerodha's kite trade apis

Mcp server to connect with zerodha's kite trade apis

tddt
tddt logo

Stock Info (AKShare)

Provides real-time financial market data from Chinese and global markets through AKShare API integration for traders and...

Provides real-time financial market data from Chinese and global markets through AKShare API integration for traders and...

Aaron Allsbury
Aaron Allsbury logo

QuickBooks Time

Integrates with QuickBooks Time API to provide unified access for managing timesheets, users, projects, and generating r...

Integrates with QuickBooks Time API to provide unified access for managing timesheets, users, projects, and generating r...