What is Semgrep MCP Server?
Semgrep MCP Server is a dedicated MCP server that exposes Semgrep’s static analysis tools as callable actions (tools) accessible to LLMs, agents, and applications supporting the MCP standard. It allows seamless, automated code security scanning, understanding, and rules management directly from environments like IDEs (Cursor, VS Code), chatbots (ChatGPT), and agent frameworks.
How to Configure Semgrep MCP Server
- Install the Python package:
Use pipx or your preferred Python tool:
pipx install semgrep-mcp
- Set up the server:
Run it via the CLI:
uvx semgrep-mcp
or as a Docker container:
docker run -i --rm ghcr.io/semgrep/mcp -t stdio
- Integrate with your environment:
- For IDEs like Cursor or VS Code, edit the MCP config file (e.g., .cursor/mcp.json or .vscode/mcp.json) by adding:
{ "mcpServers": { "semgrep": { "command": "uvx", "args": ["semgrep-mcp"] } } }
- For hosted (cloud) connections, set the MCP Server URL to https://mcp.semgrep.ai/mcp, or use SSE at https://mcp.semgrep.ai/sse for backward compatibility.
- AppSec Platform integration:
Generate a Semgrep AppSec API token, then add it as an environment variable:
export SEMGREP_APP_TOKEN=<token>
For Docker, pass it with -e SEMGREP_APP_TOKEN=<token>.
How to Use Semgrep MCP Server
- Start the server using your preferred transport (stdio, streamable-http, or SSE).
- Connect through your IDE or LLM framework that supports MCP, ensuring it’s configured to reach your local or remote server instance.
- Invoke tools such as code scanning or AST generation directly from the connected interface (e.g., ask your LLM: “Scan this code for security vulnerabilities using Semgrep”).
- Receive actionable results: LLMs, agents, and users get detailed output on code issues, findings, or insights, integrated into the development workflow.
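The flow above (start the server over stdio, connect, invoke a tool), as an added example that is not part of the original page or the Semgrep project: a bare JSON-RPC client that launches uvx semgrep-mcp, performs the MCP initialize handshake, lists the server's tools and calls supported_languages. It assumes that tool takes no arguments, that the server accepts MCP revision 2024-11-05 or negotiates one it supports, and that stdout carries only responses in request order; the client name semgrep-mcp-demo is made up.

```python
# Minimal MCP client for semgrep-mcp over stdio (added example, not Semgrep's own code).
import json
import subprocess

# MCP spec revision the client asks for; the server replies with the one it supports.
PROTOCOL_VERSION = "2024-11-05"

def jsonrpc_request(req_id, method, params=None):
    """Build a JSON-RPC 2.0 request; MCP's stdio transport sends one JSON object per line."""
    msg = {"jsonrpc": "2.0", "id": req_id, "method": method}
    if params is not None:
        msg["params"] = params
    return msg

def initialize_request(req_id=1):
    """First message of every MCP session: protocol version plus client identity."""
    return jsonrpc_request(req_id, "initialize", {
        "protocolVersion": PROTOCOL_VERSION,
        "capabilities": {},
        "clientInfo": {"name": "semgrep-mcp-demo", "version": "0.1"},  # made-up client name
    })

def tool_call_request(req_id, name, arguments):
    """tools/call invokes one server tool by name with a JSON object of arguments."""
    return jsonrpc_request(req_id, "tools/call", {"name": name, "arguments": arguments})

def run_session(command=("uvx", "semgrep-mcp")):
    """Spawn the server, handshake, list its tools and call supported_languages.
    Assumes that tool takes no arguments and that the server answers each request
    in order on stdout without interleaving unsolicited notifications."""
    proc = subprocess.Popen(command, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    def send(msg):  # newline-delimited framing used by the stdio transport
        proc.stdin.write((json.dumps(msg) + "\n").encode())
        proc.stdin.flush()
    def recv():
        return json.loads(proc.stdout.readline())
    send(initialize_request(1))
    server_info = recv()["result"].get("serverInfo")
    send({"jsonrpc": "2.0", "method": "notifications/initialized"})  # no id: a notification
    send(jsonrpc_request(2, "tools/list"))
    tool_names = [t["name"] for t in recv()["result"]["tools"]]
    send(tool_call_request(3, "supported_languages", {}))
    languages = recv()["result"]
    proc.stdin.close()
    proc.wait(timeout=30)
    return server_info, tool_names, languages

if __name__ == "__main__":
    print(run_session())
```

The same message builders work for any MCP server; only the command and the tool name tie this session to semgrep-mcp.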
Key Features
- Instant code vulnerability scanning using Semgrep directly from LLMs or tools.
- Multiple deployment options: Local CLI, Docker, and hosted cloud endpoints.
- Extensive integration: Plug into IDEs (Cursor, VS Code, Claude Desktop), chatbots (ChatGPT), and agent SDKs.
- Tool discovery & execution: List and call Semgrep tools dynamically via MCP endpoints.
- Access to code insights: Extract abstract syntax trees, supported language lists, and rule schemas.
- Custom rule usage: Analyze code with customized Semgrep rules for advanced use cases.
- Secure authentication and AppSec platform integration for managed enterprise environments.
Use Cases
- Automated code review: Incorporate real-time Semgrep scanning into AI agents participating in pull request review, code generation, or suggestions in IDEs.
- Security audit automation: Enable security workflows where LLMs/agents scan project files automatically or on demand for vulnerabilities.
- LLM-augmented rule authoring: Leverage LLMs to help draft, validate, and apply custom Semgrep rules to codebases.
- DevSecOps pipeline augmentation: Add MCP-powered Semgrep scans to CI/CD or developer environments for immediate, actionable feedback.
- Interactive learning and explanation: Use the abstract syntax tree and prompt tools to teach or explain code semantics within educational tools or chatbots.
FAQ
Q1: What programming languages does Semgrep MCP Server support?
The server supports all languages available in upstream Semgrep, such as Python, JavaScript, Go, Java, and more. Use the supported_languages tool to get a current list.
Q2: Can I use Semgrep MCP Server without a cloud account or token?
Yes, core code scanning and understanding tools work locally without authentication. For advanced features tied to the Semgrep AppSec Platform (like cloud findings), an API token is required.
Q3: Which communication protocols are supported?
Semgrep MCP Server supports stdio (for CLI/local), streamable HTTP (recommended for new integrations), and Server-Sent Events (legacy compatibility).
Q4: How do I connect Semgrep MCP Server to ChatGPT or VS Code?
Set the MCP server URL in your connector or editor settings (e.g., https://mcp.semgrep.ai/sse for ChatGPT, or update .vscode/mcp.json for VS Code).
Q5: Can LLMs create and use custom Semgrep rules automatically?
Yes, using the provided tools such as semgrep_scan_with_custom_rule and prompt generators, LLMs/agents can write and apply new rules dynamically.