Semgrep

Organization: semgrep

An MCP server for using Semgrep to scan code for security vulnerabilities.

Publisher: semgrep
Repository: mcp
Language: Python
Forks: 55
Stars: 665
Available tools: 8
Transport type: streamable-http
License: MIT

⚠️ The Semgrep MCP server has been moved from a standalone repo to the main semgrep repository! ⚠️

This repository has been deprecated, and further updates to the Semgrep MCP server will be made via the official semgrep binary.

Semgrep MCP Server


A Model Context Protocol (MCP) server for using Semgrep to scan code for security vulnerabilities. Secure your vibe coding! 😅

Model Context Protocol (MCP) is a standardized API for LLMs, Agents, and IDEs like Cursor, VS Code, Windsurf, or anything that supports MCP, to get specialized help, get context, and harness the power of tools. Semgrep is a fast, deterministic static analysis tool that semantically understands many languages and comes with over 5,000 rules. 🛠️

[!NOTE] This beta project is under active development. We would love your feedback, bug reports, feature requests, and code. Join the #mcp community Slack channel!


Getting started

Run the Python package as a CLI command using uv:

bash
uvx semgrep-mcp # see --help for more options

Or, run as a Docker container:

bash
docker run -i --rm ghcr.io/semgrep/mcp -t stdio

Cursor

Example mcp.json

json
{
  "mcpServers": {
    "semgrep": {
      "command": "uvx",
      "args": ["semgrep-mcp"],
      "env": {
        "SEMGREP_APP_TOKEN": "<token>"
      }
    }
  }
}

Add an instruction to your .cursor/rules to use automatically:

text
Always scan code generated using Semgrep for security vulnerabilities

ChatGPT

  1. Go to the Connector Settings page (direct link)
  2. Name the connection Semgrep
  3. Set MCP Server URL to https://mcp.semgrep.ai/sse
  4. Set Authentication to No authentication
  5. Check the I trust this application checkbox
  6. Click Create

See more details at the official docs.

Hosted Server

[!WARNING] mcp.semgrep.ai is an experimental server that may break unexpectedly. It will rapidly gain new functionality. 🚀

Cursor

  1. Cmd + Shift + J to open Cursor Settings
  2. Select MCP Tools
  3. Click New MCP Server.

json
{
  "mcpServers": {
    "semgrep": {
      "type": "streamable-http",
      "url": "https://mcp.semgrep.ai/mcp"
    }
  }
}


API

Tools

Enable LLMs to perform actions, make deterministic computations, and interact with external services.

Scan Code

  • security_check: Scan code for security vulnerabilities
  • semgrep_scan: Scan code files for security vulnerabilities with a given config string
  • semgrep_scan_with_custom_rule: Scan code files using a custom Semgrep rule

Understand Code

  • get_abstract_syntax_tree: Output the Abstract Syntax Tree (AST) of code

Cloud Platform (login and Semgrep token required)

  • semgrep_findings: Fetch Semgrep findings from the Semgrep AppSec Platform API

Meta

  • supported_languages: Return the list of languages Semgrep supports
  • semgrep_rule_schema: Fetches the latest semgrep rule JSON Schema

Prompts

Reusable prompts to standardize common LLM interactions.

  • write_custom_semgrep_rule: Return a prompt to help write a Semgrep rule

Resources

Expose data and content to LLMs

  • semgrep://rule/schema: Specification of the Semgrep rule YAML syntax using JSON schema
  • semgrep://rule/{rule_id}/yaml: Full Semgrep rule in YAML format from the Semgrep registry

Usage

This Python package is published to PyPI as semgrep-mcp and can be installed and run with pip, pipx, uv, poetry, or any Python package manager.

text
$ pipx install semgrep-mcp
$ semgrep-mcp --help

Usage: semgrep-mcp [OPTIONS]

  Entry point for the MCP server

  Supports both stdio and sse transports. For stdio, it will read from stdin
  and write to stdout. For sse, it will start an HTTP server on port 8000.

Options:
  -v, --version                Show version and exit.
  -t, --transport [stdio|sse]  Transport protocol to use (stdio or sse)
  -h, --help                   Show this message and exit.

Standard Input/Output (stdio)

The stdio transport enables communication through standard input and output streams. This is particularly useful for local integrations and command-line tools. See the spec for more details.

Python

bash
semgrep-mcp

By default, the Python package will run in stdio mode. Because it's using the standard input and output streams, it will look like the tool is hanging without any output, but this is expected.

Docker

This server is published to GitHub's Container Registry (ghcr.io/semgrep/mcp):

bash
docker run -i --rm ghcr.io/semgrep/mcp -t stdio

By default, the Docker container is in SSE mode, so you will have to include -t stdio after the image name and run with -i to run in interactive mode.

Streamable HTTP

Streamable HTTP enables streaming responses over JSON RPC via HTTP POST requests. See the spec for more details.

By default, the server listens on 127.0.0.1:8000/mcp for client connections. To change any of this, set FASTMCP_* environment variables. The server must be running for clients to connect to it.

Python

bash
semgrep-mcp -t streamable-http

By default, the Python package will run in stdio mode, so you will have to include -t streamable-http.

Docker

bash
docker run -p 8000:8000 ghcr.io/semgrep/mcp

Server-sent events (SSE)

[!WARNING] The MCP community considers this a legacy transport protocol that is kept mainly for backwards compatibility. Streamable HTTP is the recommended replacement.

SSE transport enables server-to-client streaming with Server-Sent Events, used for both client-to-server and server-to-client communication. See the spec for more details.

By default, the server listens on 127.0.0.1:8000/sse for client connections. To change any of this, set FASTMCP_* environment variables. The server must be running for clients to connect to it.

Python

bash
semgrep-mcp -t sse

By default, the Python package will run in stdio mode, so you will have to include -t sse.

Docker

bash
docker run -p 8000:8000 ghcr.io/semgrep/mcp -t sse

Semgrep AppSec Platform

Optionally, to connect to Semgrep AppSec Platform:

  1. Login or sign up
  2. Generate a token from Settings
  3. Add the token to your environment variables:
     • CLI: export SEMGREP_APP_TOKEN=<token>
     • Docker: docker run -e SEMGREP_APP_TOKEN=<token>
     • MCP config JSON:

json
    "env": {
      "SEMGREP_APP_TOKEN": "<token>"
    }

[!TIP] Please reach out for support if needed. ☎️

Integrations

Cursor IDE

Add the following JSON block to your ~/.cursor/mcp.json global or .cursor/mcp.json project-specific configuration file:

json
{
  "mcpServers": {
    "semgrep": {
      "command": "uvx",
      "args": ["semgrep-mcp"]
    }
  }
}


See cursor docs for more info.

VS Code / Copilot

Click the install buttons at the top of this README for the quickest installation.

Manual Configuration

Add the following JSON block to your User Settings (JSON) file in VS Code. You can do this by pressing Ctrl + Shift + P and typing Preferences: Open User Settings (JSON).

json
{
  "mcp": {
    "servers": {
      "semgrep": {
        "command": "uvx",
        "args": ["semgrep-mcp"]
      }
    }
  }
}

Optionally, you can add it to a file called .vscode/mcp.json in your workspace:

json
{
  "servers": {
    "semgrep": {
      "command": "uvx",
      "args": ["semgrep-mcp"]
    }
  }
}

Using Docker

json
{
  "mcp": {
    "servers": {
      "semgrep": {
        "command": "docker",
        "args": [
          "run",
          "-i",
          "--rm",
          "ghcr.io/semgrep/mcp",
          "-t",
          "stdio"
        ]
      }
    }
  }
}

See VS Code docs for more info.

Windsurf

Add the following JSON block to your ~/.codeium/windsurf/mcp_config.json file:

json
{
  "mcpServers": {
    "semgrep": {
      "command": "uvx",
      "args": ["semgrep-mcp"]
    }
  }
}

See Windsurf docs for more info.

Claude Desktop

Here is a short video showing Claude Desktop using this server to write a custom rule.

Add the following JSON block to your claude_desktop_config.json file:

json
{
  "mcpServers": {
    "semgrep": {
      "command": "uvx",
      "args": ["semgrep-mcp"]
    }
  }
}

See Anthropic docs for more info.

Claude Code

bash
claude mcp add semgrep uvx semgrep-mcp

See Claude Code docs for more info.

OpenAI

See the official docs:

Agents SDK

python
import asyncio

from agents.mcp import MCPServerStdio


async def main():
    # Launch semgrep-mcp as a stdio subprocess and list the tools it exposes
    async with MCPServerStdio(
        params={
            "command": "uvx",
            "args": ["semgrep-mcp"],
        }
    ) as server:
        tools = await server.list_tools()
        print([tool.name for tool in tools])

asyncio.run(main())

See OpenAI Agents SDK docs for more info.

Custom clients

Example Python SSE client

See a full example in examples/sse_client.py

python
import asyncio

from mcp.client.session import ClientSession
from mcp.client.sse import sse_client


async def main():
    # Connect to a running `semgrep-mcp -t sse` server on the default port
    async with sse_client("http://localhost:8000/sse") as (read_stream, write_stream):
        async with ClientSession(read_stream, write_stream) as session:
            await session.initialize()
            # Send the file contents inline; the tool returns Semgrep findings as JSON
            results = await session.call_tool(
                "semgrep_scan",
                {
                    "code_files": [
                        {
                            "path": "hello_world.py",
                            "content": "def hello(): print('Hello, World!')",
                        }
                    ]
                },
            )
            print(results)


asyncio.run(main())

[!TIP] Some client libraries want the URL: http://localhost:8000/sse and others only want the HOST: localhost:8000. Try out the URL in a web browser to confirm the server is running, and there are no network issues.

See official SDK docs for more info.
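A custom client usually wants two things around the semgrep_scan call shown above: build the code_files argument from the project without letting a model-driven tool call pull in files outside the project, and turn the JSON findings the tool returns (see the Tools section) into a pass/fail verdict instead of printing the raw result. The following Python is an added example and is not code from the semgrep/mcp project; it assumes the tool's text content carries Semgrep's standard JSON output shape (results[*].check_id, path, start.line, extra.severity, extra.message, plus a top-level errors array) and uses constructed sample sources, made-up rule ids and a placeholder project root so that it runs offline.

```python
"""Added example, not part of the semgrep/mcp project: two helpers a custom MCP
client can wrap around the `semgrep_scan` tool.  All sample data below is
constructed for the example so the module runs offline."""
from __future__ import annotations

import json
from pathlib import Path
from typing import Iterable

# Severity values Semgrep emits in each result's `extra.severity`, lowest first.
SEVERITY_ORDER = {"INFO": 0, "WARNING": 1, "ERROR": 2}


def build_code_files(root: str, paths: Iterable[str], sources: dict[str, str]) -> list[dict]:
    """Build the `code_files` argument ([{"path", "content"}, ...]) for semgrep_scan.

    `sources` maps project-relative paths to file contents; a real client would
    read from disk instead.  Any path that resolves outside `root` (absolute
    paths, `..` segments) is refused so that a tool call cannot ship files the
    user never intended to hand to the scanner.
    """
    root_path = Path(root).resolve()
    code_files = []
    for p in paths:
        resolved = (root_path / p).resolve()
        if root_path not in resolved.parents:
            raise ValueError(f"refusing path outside project root: {p}")
        rel = resolved.relative_to(root_path).as_posix()
        code_files.append({"path": rel, "content": sources[rel]})
    return code_files


def triage_findings(tool_output: str, fail_on: str = "ERROR") -> dict:
    """Parse Semgrep's JSON output (the text the tool returns) into a verdict.

    Returns per-severity counts, the findings at or above `fail_on` and a
    `blocked` flag, which is what a pre-commit hook or agent loop needs rather
    than the raw result blob.  Semgrep's `errors` array is surfaced as
    `incomplete`: a parse error means part of the code was never checked, so
    "no findings" must not be read as "secure".
    """
    data = json.loads(tool_output)
    threshold = SEVERITY_ORDER[fail_on.upper()]
    counts = {sev: 0 for sev in SEVERITY_ORDER}
    blocking = []
    for result in data.get("results", []):
        sev = result["extra"]["severity"].upper()
        counts[sev] = counts.get(sev, 0) + 1
        if SEVERITY_ORDER.get(sev, 0) >= threshold:
            blocking.append({
                "check_id": result["check_id"],
                "path": result["path"],
                "line": result["start"]["line"],
                "message": result["extra"]["message"],
            })
    return {
        "counts": counts,
        "blocking": blocking,
        "blocked": bool(blocking),
        "incomplete": bool(data.get("errors")),
        "errors": data.get("errors", []),
    }


# Constructed sample: two small files and the text content the tool would return
# for them, in Semgrep's JSON output shape.  Rule ids are made up for the example.
SAMPLE_SOURCES = {
    "app.py": "def run(user_input):\n    return eval(user_input)\n",
    "db.py": "def find(cur, name):\n    cur.execute(\"SELECT * FROM users WHERE name = '\" + name + \"'\")\n",
}
SAMPLE_TOOL_OUTPUT = json.dumps({
    "results": [
        {"check_id": "custom.python.no-eval", "path": "app.py",
         "start": {"line": 2, "col": 12}, "end": {"line": 2, "col": 28},
         "extra": {"message": "eval() on untrusted input allows code execution",
                   "severity": "WARNING", "lines": "    return eval(user_input)"}},
        {"check_id": "custom.python.sql-string-concat", "path": "db.py",
         "start": {"line": 2, "col": 5}, "end": {"line": 2, "col": 70},
         "extra": {"message": "SQL built by string concatenation; use a parameterised query",
                   "severity": "ERROR", "lines": "    cur.execute(...)"}},
    ],
    "errors": [],
})


def scan_summary() -> dict:
    """Tie the two helpers together the way a client would around call_tool()."""
    # "/tmp/project" is a placeholder project root; nothing is read from disk.
    code_files = build_code_files("/tmp/project", list(SAMPLE_SOURCES), SAMPLE_SOURCES)
    verdict = triage_findings(SAMPLE_TOOL_OUTPUT)  # would be the call_tool() text here
    verdict["files_sent"] = [f["path"] for f in code_files]
    return verdict


if __name__ == "__main__":
    print(json.dumps(scan_summary(), indent=2))
```

With the default threshold only the ERROR finding blocks; lowering fail_on to "WARNING" also blocks on the eval() finding, which is the knob a team turns when it wants the agent to fix rather than merely report lower-severity results.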

Contributing, community, and running from source

[!NOTE] We love your feedback, bug reports, feature requests, and code. Join the #mcp community Slack channel!

See CONTRIBUTING.md for more info and details on how to run from the MCP server from source code.

Made with ❤️ by the Semgrep Team

Installation

TypingMind

json
{
  "mcpServers": {
    "semgrep": {
      "url": "https://mcp.semgrep.ai/mcp"
    }
  }
}

Available Tools

  • semgrep_rule_schema
    Get the schema for a Semgrep rule
    
    Use this tool when you need to:
      - get the schema required to write a Semgrep rule
      - need to see what fields are available for a Semgrep rule
      - verify what fields are available for a Semgrep rule
      - verify the syntax for a Semgrep rule is correct
    
  • get_supported_languages
    Returns a list of supported languages by Semgrep
    
    Only use this tool if you are not sure what languages Semgrep supports.
    
  • semgrep_findings

    Fetch Semgrep findings from the Semgrep AppSec Platform API (login and Semgrep token required)

  • semgrep_scan_with_custom_rule
    Runs a Semgrep scan with a custom rule on provided code content
    and returns the findings in JSON format
    
    Use this tool when you need to:
      - scan code files for specific security vulnerability not covered by the default Semgrep rules
      - scan code files for specific issue not covered by the default Semgrep rules
    
  • semgrep_scan
    Runs a Semgrep scan on provided code content and returns the findings in JSON format
    
    Use this tool when you need to:
      - scan code files for security vulnerabilities
      - scan code files for other issues
    
  • semgrep_scan_local
    Runs a Semgrep scan locally on the provided code files and returns the findings in JSON format.
    
    Files are expected to exist on the local filesystem, and paths are absolute paths to the code files.
    
    Use this tool when you need to:
      - scan code files for security vulnerabilities
      - scan code files for other issues
    
  • security_check
    Runs a fast security check on code and returns any issues found.
    
    Use this tool when you need to:
      - scan code for security vulnerabilities
      - verify that code is secure
      - double check that code is secure before committing
      - get a second opinion on code security
    
    If there are any issues found, you **MUST** fix them or offer to fix them and
    explain to the user why it's important to fix.
    If there are no issues, you can be reasonably confident that the code is secure.
    
  • get_abstract_syntax_tree
    Returns the Abstract Syntax Tree (AST) for the provided code file in JSON format
    
    Use this tool when you need to:
      - get the Abstract Syntax Tree (AST) for the provided code file
      - get the AST of a file
      - understand the structure of the code in a more granular way
      - see what a parser sees in the code
    

Use Semgrep MCP with multiple AI models

TypingMind connects MCP tools at the workspace level, so once Semgrep is connected, you can use it with different AI models in TypingMind instead of setting it up separately for each model. This MCP connects through a hosted MCP server URL in TypingMind.

Add an MCP server URL

Use this when Semgrep is already hosted remotely or your team wants one shared connector that multiple users can access.

Step 1: Open MCP connectors

In TypingMind, go to Plugins, open MCP connectors, then choose Add URL.

  1. Open TypingMind in your browser.
  2. Go to Plugins.
  3. Open MCP connectors.
  4. Click Add URL.

Step 2: Paste the server URL

Enter https://mcp.semgrep.ai/mcp in the Server URL field. Add a connection name, description, icon, custom HTTP headers, or OAuth client settings if the server requires them.

  1. Paste https://mcp.semgrep.ai/mcp into the Server URL field.
  2. Enter a connection name for Semgrep.
  3. Add a description and icon if you want it to be easier to identify.
  4. Add custom HTTP headers or OAuth client details if the server requires authentication.

Step 3: Create the connection

Click Create connection, then return to the Plugins list and confirm the new MCP connection is active.

  1. Click Create connection.
  2. Return to the MCP connectors list.
  3. Confirm the Semgrep connection appears as active.
  4. Refresh the plugin list if the connection does not appear immediately.

Step 4: Switch models without reconnecting

Start a chat with your preferred model, enable the Semgrep tools from Plugins, and switch to another model whenever needed. The MCP connection stays available to the TypingMind workspace.

  1. Start a new chat in TypingMind.
  2. Select the AI model you want to use.
  3. Enable the Semgrep tools from Plugins.
  4. Ask the model to use the tool when needed.
  5. Switch to another AI model and reuse the same MCP connection.

Frequently asked questions

What is the Semgrep MCP server used for?

Semgrep is an MCP server that lets compatible AI clients connect to external tools and context. In TypingMind, you can add this MCP server once and make its tools available in your AI workspace.

Can I use Semgrep MCP with multiple AI models in TypingMind?

Yes. TypingMind connects MCP tools at the workspace level, so you can use Semgrep with different AI models such as Claude, ChatGPT, Gemini, or other models you have configured in TypingMind without setting up the MCP server separately for each model.

Why use Semgrep MCP with TypingMind?

TypingMind is one of the best frontends for LLM chat because it brings multiple AI models, prompts, plugins, AI agents, API keys, and MCP tools into one workspace. With Semgrep connected, you can use its MCP tools across your preferred models while keeping your chat workflow organized in TypingMind.

How do I connect Semgrep MCP to TypingMind?

Semgrep can be connected in TypingMind by adding its hosted MCP server URL. This is useful when you want a remote MCP connection that is available from your TypingMind workspace.

What tools does Semgrep MCP provide in TypingMind?

Semgrep exposes 8 MCP tools that can be enabled from the TypingMind Plugins page and used in chat or assigned to AI agents.

Do I need to share my API keys with TypingMind to use Semgrep MCP?

No. TypingMind is local-first and lets you keep your model providers, API keys, prompts, and MCP configuration under your control. If Semgrep requires authentication, add the required headers, OAuth settings, or local configuration for that MCP server when you create the connection.
