Semgrep MCP Server
This beta Semgrep MCP server is under active development. We would love your feedback, bug reports, and feature requests. For more support, join our community Slack > #mcp channel.
An MCP server for using Semgrep to scan code for security vulnerabilities.
uvx semgrep-mcp -t sse
Example Cursor mcp.json config:
{
  "mcpServers": {
    "semgrep": {
      "command": "uvx",
      "args": ["semgrep-mcp"]
    }
  }
}
Demo
Model Context Protocol (MCP) is like Unix pipes or an API for LLMs, agents, and coding tools like Cursor, VS Code, Windsurf, Claude, or any other tool that supports MCP, to get specialized help doing a task by using a tool.
MCP Tools
To optionally connect to Semgrep AppSec Platform:
- Login or sign up
- Generate a token from Settings page
- Add it to your environment variables
  - CLI (export SEMGREP_APP_TOKEN=<token>)
  - Docker (docker run -e SEMGREP_APP_TOKEN=<token>)
  - MCP Config JSON
    "env": { "SEMGREP_APP_TOKEN": "<token>" }
Semgrep will automatically use the API token to connect and use the remote configuration. Please reach out to [email protected] if you have any problems.
Scanning Code
- semgrep_scan: Scan code snippets for security vulnerabilities
- scan_directory: Perform Semgrep scan on a directory
Customization
- list_rules: List available Semgrep rules with optional language filtering
- create_rule: Create custom Semgrep rules
Results
- analyze_results: Analyze scan results including severity counts and top affected files
- filter_results: Filter scan results by severity, rule ID, file path, etc.
- export_results: Export scan results in various formats (JSON, SARIF, text)
- compare_results: Compare two scan results to identify new and fixed issues
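An added example (not the server's implementation and not code from the Semgrep project) of what the result tools above compute, run over constructed data shaped like Semgrep's --json output. The function names, rule IDs and paths are hypothetical.

```python
from collections import Counter

# Constructed sample data shaped like Semgrep's --json output (results[].check_id,
# path, start.line, extra.severity). Rule IDs and paths are hypothetical.
def _f(rule, path, line, sev):
    return {"check_id": rule, "path": path, "start": {"line": line},
            "extra": {"severity": sev}}

BASELINE = {"results": [
    _f("demo.eval-call", "app/views.py", 12, "WARNING"),
    _f("demo.shell-true", "app/jobs.py", 40, "ERROR"),
]}
CURRENT = {"results": [
    _f("demo.shell-true", "app/jobs.py", 40, "ERROR"),
    _f("demo.sql-format", "app/db.py", 7, "ERROR"),
    _f("demo.sql-format", "app/db.py", 31, "ERROR"),
]}

def finding_key(r):
    # Identity of a finding. Keying on the line number is an assumption of this
    # example: an edit that shifts lines makes one finding look both fixed and new.
    return (r["check_id"], r["path"], r["start"]["line"])

def analyze(scan, top=3):
    """Severity counts and the most affected files for one scan."""
    results = scan.get("results", [])
    sev = Counter(r.get("extra", {}).get("severity", "UNKNOWN") for r in results)
    files = Counter(r["path"] for r in results)
    return {"total": len(results), "by_severity": dict(sev),
            "top_files": files.most_common(top)}

def filter_by_severity(scan, severity):
    """Findings whose severity matches exactly (e.g. "ERROR")."""
    return [r for r in scan.get("results", [])
            if r.get("extra", {}).get("severity") == severity]

def compare(old, new):
    """Findings that appeared, disappeared, or persisted between two scans."""
    old_keys = {finding_key(r) for r in old.get("results", [])}
    new_keys = {finding_key(r) for r in new.get("results", [])}
    return {"new": sorted(new_keys - old_keys),
            "fixed": sorted(old_keys - new_keys),
            "unchanged": sorted(old_keys & new_keys)}

if __name__ == "__main__":
    print(analyze(CURRENT))
    print(compare(BASELINE, CURRENT))
```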
Usage
This package is published to PyPI as semgrep-mcp.
You can install and run it with pip, pipx, uv, poetry, or any other tool that installs Python packages.
For example:
pipx install semgrep-mcp
semgrep-mcp --help
Run From Source
Setup
CLI Environment
- Install uv using their installation instructions
- Ensure you have Python 3.13+ installed
- Clone this repository
- Install Semgrep (additional methods):
pip install semgrep
Docker
- Install docker using their installation instructions
- Clone this repository
- Build the server
docker build -t semgrep-mcp .
Running
CLI Environment
SSE Mode
uv run mcp run server.py -t sse
Or as a uv script
chmod +x server.py
./server.py
STDIO Mode
uv run mcp run server.py -t stdio
See the official Python MCP SDK for more details and configuration options.
Docker
docker run -p 8000:8000 semgrep-mcp
Also published to ghcr.io/semgrep/mcp
docker run -p 8000:8000 ghcr.io/semgrep/mcp:latest
Creating your own client
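import asyncio

from mcp import ClientSession
from mcp.client.sse import sse_client

async def main():
    # Connect to the server running in SSE mode
    async with sse_client("http://localhost:8000/sse") as (read, write):
        async with ClientSession(read, write) as session:
            await session.initialize()
            # Scan code for security issues
            results = await session.call_tool(
                "semgrep_scan",
                {
                    "code_files": [
                        {"filename": "hello_world.py", "content": "def hello(): ..."}
                    ]
                },
            )
            print(results)

asyncio.run(main())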
VS Code Integration
Manual Installation into VS Code
Click the install buttons at the top of this section for the quickest installation method. Alternatively, you can manually configure the server using one of the methods below.
Using UV
Add the following JSON block to your User Settings (JSON) file in VS Code. You can do this by pressing Ctrl + Shift + P and typing Preferences: Open User Settings (JSON).
{
  "mcp": {
    "servers": {
      "semgrep": {
        "command": "uv",
        "args": ["run", "mcp", "run", "server.py", "-t", "sse"]
      }
    }
  }
}
Optionally, you can add it to a file called .vscode/mcp.json in your workspace:
{
  "servers": {
    "semgrep": {
      "command": "uv",
      "args": ["run", "mcp", "run", "server.py", "-t", "sse"]
    }
  }
}
Using Docker
Add the following JSON block to your User Settings (JSON) file in VS Code:
{
  "mcp": {
    "servers": {
      "semgrep": {
        "command": "docker",
        "args": ["run", "-p", "8000:8000", "ghcr.io/semgrep/mcp:latest"]
      }
    }
  }
}
Optionally, you can add it to a file called .vscode/mcp.json in your workspace:
{
  "servers": {
    "semgrep": {
      "command": "docker",
      "args": ["run", "-p", "8000:8000", "ghcr.io/semgrep/mcp:latest"]
    }
  }
}
Cursor in SSE Mode
- Ensure your Semgrep MCP is running in SSE mode in the terminal
- Go to Cursor > Settings > Cursor Settings
- Choose the MCP tab
- Click "Add new MCP server"
- Name: Semgrep, Type: sse, Server URL: http://127.0.0.1:8000/sse
- Ensure the MCP server is enabled

You can also set it up by adding this to ~/.cursor/mcp.json:
{
  "mcpServers": {
    "Semgrep": {
      "url": "http://localhost:8000/sse"
    }
  }
}
Development
Your contributions to this project are most welcome. Please see the "good first issue" label for easy tasks.
Running the Development Server
Start the MCP server in development mode:
uv run mcp dev server.py
By default, the MCP server runs on http://localhost:8000 with the inspector server on http://localhost:6274.
Note: When opening the inspector server, add query parameters to the URL to increase the default timeout of the server from 10s:
http://localhost:6274/?timeout=300000
Community & Related Projects
This project builds upon and is inspired by several awesome community projects:
Core Technologies
- Semgrep - The underlying static analysis engine that powers this project
- Model Context Protocol (MCP) - The protocol that enables AI agent communication
Similar Tools
- semgrep-vscode - Official VSCode extension for Semgrep
- semgrep-intellij - IntelliJ plugin for Semgrep
Community Projects
- semgrep-rules - The official collection of Semgrep rules
- mcp-server-semgrep - Original inspiration written by Szowesgad and stefanskiasan