
Semgrep
Official
Runs Semgrep static analysis scans to find security vulnerabilities and code quality issues in your code. Can scan with built-in rules or custom rules you create.
Integrates with Semgrep's static analysis engine to scan code for security vulnerabilities and coding issues, enabling developers to identify and fix potential problems directly within their coding workflow.
What it does
- Scan code for security vulnerabilities
- Run custom rule analysis on code
- Fetch findings from Semgrep AppSec Platform
- Generate Abstract Syntax Trees for code files
- Get rule schemas for writing custom rules
- Check supported programming languages
About Semgrep
Semgrep is an official MCP server published by semgrep that provides AI assistants with tools and capabilities via the Model Context Protocol. Semgrep is a leading code analysis tool that scans code for vulnerabilities, helping developers fix issues swiftly within their coding workflow. It is categorized under auth security and developer tools. This server exposes 8 tools that AI clients can invoke during conversations and coding sessions.
How to install
You can install Semgrep in your AI client of choice. Use the install panel on this page to get one-click setup for Cursor, Claude Desktop, VS Code, and other MCP-compatible clients. This server supports remote connections over HTTP, so no local installation is required.
License
Semgrep is released under the MIT license. This is a permissive open-source license, meaning you can freely use, modify, and distribute the software.
Tools (8)
semgrep_rule_schema
Get the schema for a Semgrep rule. Use this tool when you need to:
- get the schema required to write a Semgrep rule
- see which fields are available for a Semgrep rule
- verify that the syntax of a Semgrep rule is correct
supported_languages
Returns the list of languages supported by Semgrep. Only use this tool if you are not sure which languages Semgrep supports.
semgrep_findings
Fetches findings from the Semgrep AppSec Platform Findings API. This tool retrieves security, code quality, and supply chain findings that were already identified by previous Semgrep scans and uploaded to the Semgrep AppSec Platform. It does NOT perform a new scan or analyze code directly; it queries the Semgrep API for historical scan results for a given repository or set of repositories.
DEFAULT BEHAVIOR: By default, this tool should filter by the current repository. The model should determine the current repository name and pass it in the 'repos' parameter so that findings are scoped to the relevant codebase. Users may explicitly request findings from other repositories, in which case the model should respect that request.
Use this tool when a prompt requests a summary, list, or analysis of existing findings, such as:
- "Please list the top 10 security findings and propose solutions for them."
- "Show all open critical vulnerabilities in this repository."
- "Summarize the most recent Semgrep scan results."
- "Get findings from repository X" (explicitly requesting a different repo)
It is ideal for:
- Reviewing, listing, or summarizing findings from past scans.
- Providing actionable insights or remediation advice based on existing scan data.
Do NOT use this tool to perform a new scan or to check code that has not yet been analyzed by Semgrep. For new scans, use the appropriate scanning tool (semgrep_scan or semgrep_scan_with_custom_rule).
Args:
- issue_type (Optional[List[str]]): Filter findings by type: 'sast' for code analysis findings, 'sca' for supply chain analysis findings (e.g., ['sast'], ['sca']).
- status (Optional[str]): Filter findings by status (default: 'open').
- repos (Optional[List[str]]): Repository names to filter results by. Should include the current repository name by default; can be overridden when users explicitly request findings from other repositories.
- severities (Optional[List[str]]): Filter findings by severity (e.g., ['critical', 'high']).
- confidence (Optional[List[str]]): Filter findings by confidence level (e.g., ['high']).
- autotriage_verdict (Optional[str]): Filter findings by auto-triage verdict (default: 'true_positive').
- page (Optional[int]): Page number for paginated results (default: 0).
- page_size (int): Number of findings per page (default: 100, min: 100, max: 3000).
Returns:
List[Finding]: The findings matching the specified filters; each finding contains details such as rule ID, description, severity, file location, and remediation guidance if available.
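The argument handling described above, as an added example that is not code from the semgrep/mcp project: it builds the argument set for semgrep_findings from the defaults and bounds the tool description gives, pages through results until a short page comes back, and ranks the findings so a "top 10 findings" prompt can be answered from data rather than from whatever order the API returns. The MCP transport is replaced by a constructed in-memory fetcher (fake_call_tool, whose `call_tool(name, arguments)` signature is an assumption), and the Finding field names used here (rule_id, severity, confidence, path, line) are this example's, not a guaranteed API schema.

```python
"""Added example (not semgrep/mcp project code): build, page and rank
semgrep_findings calls. Field names and the call_tool signature are assumptions."""
from collections import Counter

ALLOWED_ISSUE_TYPES = {"sast", "sca"}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
CONFIDENCE_RANK = {"high": 0, "medium": 1, "low": 2}


def build_findings_args(repo, issue_type=None, severities=None, confidence=None,
                        status="open", autotriage_verdict="true_positive",
                        page=0, page_size=100):
    """Argument dict for one semgrep_findings call. Scopes to the current repo
    by default (as the tool description asks) and enforces the documented
    page_size bounds (100..3000) client-side instead of letting the server reject them."""
    if issue_type and not set(issue_type) <= ALLOWED_ISSUE_TYPES:
        raise ValueError(f"issue_type must be drawn from {sorted(ALLOWED_ISSUE_TYPES)}")
    if not 100 <= page_size <= 3000:
        raise ValueError("page_size must be between 100 and 3000")
    if page < 0:
        raise ValueError("page must be >= 0")
    args = {"repos": [repo], "status": status,
            "autotriage_verdict": autotriage_verdict,
            "page": page, "page_size": page_size}
    if issue_type:
        args["issue_type"] = list(issue_type)
    if severities:
        args["severities"] = [s.lower() for s in severities]   # API examples use lowercase
    if confidence:
        args["confidence"] = [c.lower() for c in confidence]
    return args


def fetch_all(call_tool, repo, **filters):
    """Page through findings until a page shorter than page_size is returned.
    call_tool(name, arguments) stands for however the MCP client invokes a tool."""
    page_size = filters.pop("page_size", 100)
    page, collected = 0, []
    while True:
        batch = call_tool("semgrep_findings",
                          build_findings_args(repo, page=page, page_size=page_size, **filters))
        collected.extend(batch)
        if len(batch) < page_size:          # short (or empty) page ends the walk
            return collected
        page += 1


def prioritise(findings, top=10):
    """Rank by severity, then confidence, then deterministically by rule and
    location; also count findings per rule so one fix can be proposed per rule."""
    ranked = sorted(findings, key=lambda f: (SEVERITY_RANK.get(f["severity"], 9),
                                             CONFIDENCE_RANK.get(f["confidence"], 9),
                                             f["rule_id"], f["path"], f["line"]))
    per_rule = Counter(f["rule_id"] for f in findings).most_common()
    return {"top": ranked[:top], "per_rule": per_rule}


# Constructed sample data: 250 findings spread over 7 rules, 4 severities, 3 confidence levels.
SAMPLE_FINDINGS = [
    {"rule_id": f"rule-{i % 7}",
     "severity": ["critical", "high", "medium", "low"][i % 4],
     "confidence": ["high", "medium", "low"][i % 3],
     "path": f"src/m{i % 11}.py", "line": i + 1}
    for i in range(250)
]


def fake_call_tool(name, arguments):
    """In-memory stand-in for the MCP tool call; slices SAMPLE_FINDINGS by page."""
    assert name == "semgrep_findings"
    start = arguments["page"] * arguments["page_size"]
    return SAMPLE_FINDINGS[start:start + arguments["page_size"]]


if __name__ == "__main__":
    everything = fetch_all(fake_call_tool, "org/repo", page_size=100)
    report = prioritise(everything, top=10)
    print(len(everything), "findings;", "per rule:", report["per_rule"])
    for f in report["top"]:
        print(f["severity"], f["confidence"], f["rule_id"], f'{f["path"]}:{f["line"]}')
```

Note the autotriage_verdict default of 'true_positive': it is applied unless you pass something else, so a count taken with the defaults is a count of auto-triaged true positives, not of everything open in the repository.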
semgrep_scan_with_custom_rule
Runs a Semgrep scan with a custom rule on provided code content and returns the findings in JSON format. Use this tool when you need to:
- scan code files for a specific security vulnerability not covered by the default Semgrep rules
- scan code files for a specific issue not covered by the default Semgrep rules
semgrep_scan
Runs a Semgrep scan on provided code content and returns the findings in JSON format. Use this tool when you need to:
- scan code files for security vulnerabilities
- scan code files for other issues
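An added example (not semgrep/mcp project code) of what a custom-rule scan looks like end to end: a Semgrep rule written for this example that flags subprocess calls made with shell=True and a non-literal command, the JSON-RPC 2.0 tools/call envelope an MCP client sends to invoke semgrep_scan_with_custom_rule, and a triage step over the JSON findings the scan returns. The argument names code_files and rule are an assumption about this tool; the findings layout follows the `semgrep --json` output format (results[].check_id, .path, .start.line, .extra.severity, .extra.message); SAMPLE_FILE and SAMPLE_RESULT are constructed so the triage runs offline without a Semgrep binary.

```python
"""Added example (not semgrep/mcp project code): custom rule + MCP tools/call
request + triage of Semgrep JSON output. Tool argument names are assumptions."""
import json
from collections import Counter

# Rule written for this example (not a registry rule). `"..."` matches any string
# literal, so a literal command is excluded; anything built at runtime is flagged.
CUSTOM_RULE = """\
rules:
  - id: example-subprocess-shell-true-nonliteral
    languages: [python]
    severity: ERROR
    message: >-
      subprocess call with shell=True and a non-literal command; whoever controls
      $CMD can inject shell metacharacters. Pass an argument list and drop shell=True.
    patterns:
      - pattern: subprocess.$FUNC($CMD, ..., shell=True, ...)
      - pattern-not: subprocess.$FUNC("...", ..., shell=True, ...)
    metadata:
      cwe: "CWE-78"
"""

# Constructed input the model would hand to the tool: one flagged call, one literal call.
SAMPLE_FILE = {
    "filename": "app/run.py",
    "content": (
        "import subprocess\n"
        "def ping(host):\n"
        "    subprocess.run('ping -c 1 ' + host, shell=True)  # flagged\n"
        "def version():\n"
        "    subprocess.run('git --version', shell=True)  # literal: not flagged\n"
    ),
}


def build_custom_rule_request(code_files, rule_yaml, request_id=1):
    """JSON-RPC 2.0 tools/call envelope (standard MCP shape). The argument
    names `code_files` and `rule` are an assumption about this server."""
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "tools/call",
        "params": {
            "name": "semgrep_scan_with_custom_rule",
            "arguments": {"code_files": code_files, "rule": rule_yaml},
        },
    }


def triage(findings_json, fail_on=("ERROR",)):
    """Summarise Semgrep JSON output: counts by severity, findings ordered by
    severity then location, and whether a gate should fail. Parse errors are
    surfaced rather than silently treated as a clean scan."""
    order = {"ERROR": 0, "WARNING": 1, "INFO": 2}
    rows = sorted(
        ({"rule": r["check_id"],
          "severity": r["extra"]["severity"],
          "where": f'{r["path"]}:{r["start"]["line"]}',
          "message": r["extra"]["message"].strip()}
         for r in findings_json.get("results", [])),
        key=lambda f: (order.get(f["severity"], 9), f["where"]),
    )
    return {
        "counts": dict(Counter(f["severity"] for f in rows)),
        "findings": rows,
        "fail": any(f["severity"] in fail_on for f in rows),
        "parse_errors": len(findings_json.get("errors", [])),
    }


# Constructed stand-in for the scan result on SAMPLE_FILE under CUSTOM_RULE.
SAMPLE_RESULT = {
    "results": [
        {
            "check_id": "example-subprocess-shell-true-nonliteral",
            "path": "app/run.py",
            "start": {"line": 3, "col": 5},
            "end": {"line": 3, "col": 52},
            "extra": {
                "severity": "ERROR",
                "message": "subprocess call with shell=True and a non-literal command; ...",
                "lines": "    subprocess.run('ping -c 1 ' + host, shell=True)",
            },
        }
    ],
    "errors": [],
}

if __name__ == "__main__":
    print(json.dumps(build_custom_rule_request([SAMPLE_FILE], CUSTOM_RULE), indent=2))
    print(json.dumps(triage(SAMPLE_RESULT), indent=2))
```

The pattern-not clause is what keeps the rule from being noise: without it every shell=True call, including ones with a constant command, would land in the findings and the model would be asked to "fix" code that is not injectable.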
⚠️ The Semgrep MCP server has been moved from a standalone repo to the main semgrep repository! ⚠️
This repository has been deprecated, and further updates to the Semgrep MCP server will be made via the official semgrep binary.
Semgrep MCP Server
A Model Context Protocol (MCP) server for using Semgrep to scan code for security vulnerabilities. Secure your vibe coding! 😅
Model Context Protocol (MCP) is a standardized API for LLMs, Agents, and IDEs like Cursor, VS Code, Windsurf, or anything that supports MCP, to get specialized help, get context, and harness the power of tools. Semgrep is a fast, deterministic static analysis tool that semantically understands many languages and comes with over 5,000 rules. 🛠️
[!NOTE] This beta project is under active development. We would love your feedback, bug reports, feature requests, and code. Join the #mcpcommunity Slack channel!
Getting started
Run the Python package as a CLI command using uv:
uvx semgrep-mcp # see --help for more options
Or, run as a Docker container:
docker run -i --rm ghcr.io/semgrep/mcp -t stdio
Cursor
Example mcp.json
{
  "mcpServers": {
    "semgrep": {
      "command": "uvx",
      "args": ["semgrep-mcp"],
      "env": {
        "SEMGREP_APP_TOKEN": "<token>"
      }
    }
  }
}
SEMGREP_APP_TOKEN is the Semgrep AppSec Platform token used by the Cloud Platform tool (semgrep_findings); keep a real token out of any mcp.json that is committed or shared.
Add an instruction to your .cursor/rules to use automatically:
Always scan code generated using Semgrep for security vulnerabilities
ChatGPT
- Go to the Connector Settings page (direct link)
- Name the connection Semgrep
- Set MCP Server URL to https://mcp.semgrep.ai/sse
- Set Authentication to No authentication
- Check the I trust this application checkbox
- Click Create
See more details at the official docs.
Hosted Server
[!WARNING] mcp.semgrep.ai is an experimental server that may break unexpectedly. It will rapidly gain new functionality. 🚀 Note that any code you pass to its scan tools is sent to that remote server rather than scanned locally.
Cursor
- Cmd + Shift + J to open Cursor Settings
- Select MCP Tools
- Click New MCP Server.
{
  "mcpServers": {
    "semgrep": {
      "type": "streamable-http",
      "url": "https://mcp.semgrep.ai/mcp"
    }
  }
}
API
Tools
Enable LLMs to perform actions, make deterministic computations, and interact with external services.
Scan Code
- security_check: Scan code for security vulnerabilities
- semgrep_scan: Scan code files for security vulnerabilities with a given config string
- semgrep_scan_with_custom_rule: Scan code files using a custom Semgrep rule
Understand Code
- get_abstract_syntax_tree: Output the Abstract Syntax Tree (AST) of code
Cloud Platform (login and Semgrep token required)
- semgrep_findings: Fetch Semgrep findings from the Semgrep AppSec Platform API
Meta
- supported_languages: Return the list of languages Semgrep supports
- semgrep_rule_schema: Fetch the latest Semgrep rule JSON Schema
Prompts
Reusable prompts to standardize common LLM interactions.
- write_custom_semgrep_rule: Return a prompt to help write a Semgrep rule
Resources
Expose data and content to LLMs
- semgrep://rule/schema: Specification of the Semgrep rule YAML syntax using JSON Schema
- semgrep://rule/{rule_id}/yaml: Full Semgrep rule in YAML format from the Semgrep registry
Usage
This Python package is published to PyPI as semgrep-mcp and can be installed and run with pip, pipx, uv, poetry, or any Python package manager.
$ pipx install semgrep-mcp
$ semgrep-mc
---
*README truncated. [View full README on GitHub](https://github.com/semgrep/mcp).*