
Semgrep MCP Server

Official MCP server that exposes Semgrep static analysis to AI agents, letting them scan code for security vulnerabilities and write custom detection rules.

Overview

The Semgrep MCP server is an official Model Context Protocol integration from Semgrep that lets LLMs and AI coding assistants run Semgrep static analysis against code. It exposes Semgrep's scanning engine, rule registry, and AppSec Platform findings as MCP tools, so an agent can detect vulnerabilities, generate ASTs, fetch rule schemas, and even draft custom Semgrep rules on the fly.

The server supports stdio, streamable HTTP, and legacy SSE transports, and can be run locally via uvx semgrep-mcp or Docker, or used as a hosted remote server at https://mcp.semgrep.ai/mcp. With a SEMGREP_APP_TOKEN, it can also pull findings from the Semgrep AppSec Platform for organizations using Semgrep Cloud.

Note: the original standalone semgrep/mcp repository was archived on October 28, 2025. Development has moved into the main semgrep/semgrep repository, and the MCP server now ships as part of the official Semgrep binary. The README and tool surface described here remain the canonical reference for usage.

Tools

Tool                             Description
security_check                   Scan code for security vulnerabilities using Semgrep's default rule set.
semgrep_scan                     Run a Semgrep scan against files using a chosen config or rule set.
semgrep_scan_with_custom_rule    Scan code using a user-supplied custom Semgrep rule.
get_abstract_syntax_tree         Return the Semgrep abstract syntax tree for a given code snippet.
semgrep_findings                 Fetch findings from the Semgrep AppSec Platform (requires SEMGREP_APP_TOKEN).
supported_languages              List programming languages supported by Semgrep.
semgrep_rule_schema              Return the latest Semgrep rule JSON schema for rule authoring.
write_custom_semgrep_rule        Prompt template that guides an LLM through writing a custom Semgrep rule.
Setup Guide

Install

The server is distributed as the semgrep-mcp Python package and as a Docker image.

# Run via uv (recommended)
uvx semgrep-mcp

# Or via Docker
docker run -i --rm ghcr.io/semgrep/mcp -t stdio

Claude Desktop

Add to ~/.config/Claude/claude_desktop_config.json (or the platform equivalent):

{
  "mcpServers": {
    "semgrep": {
      "command": "uvx",
      "args": ["semgrep-mcp"]
    }
  }
}

Cursor

Add to ~/.cursor/mcp.json or .cursor/mcp.json in your project:

{
  "mcpServers": {
    "semgrep": {
      "command": "uvx",
      "args": ["semgrep-mcp"],
      "env": {
        "SEMGREP_APP_TOKEN": "<your-token>"
      }
    }
  }
}

VS Code

Add to user settings or .vscode/mcp.json:

{
  "mcp": {
    "servers": {
      "semgrep": {
        "command": "uvx",
        "args": ["semgrep-mcp"]
      }
    }
  }
}

Hosted remote server

To use the Semgrep-hosted endpoint instead of running locally:

{
  "mcpServers": {
    "semgrep": {
      "type": "streamable-http",
      "url": "https://mcp.semgrep.ai/mcp"
    }
  }
}

Authentication

Set SEMGREP_APP_TOKEN to enable AppSec Platform features (the semgrep_findings tool). Generate a token at semgrep.dev under Settings > Tokens. Local scanning with default rules works without a token.

Transports

The server supports stdio (the default), streamable-http (JSON-RPC over HTTP on port 8000), and the legacy SSE transport. Override the bind host and port with the FASTMCP_* environment variables (for example FASTMCP_HOST and FASTMCP_PORT).
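The stdio transport is what the client configurations above use, and it is the easiest one to drive by hand when checking that a scan actually ran rather than silently failing. The following is an added example, not code from Semgrep or the semgrep-mcp project: a minimal MCP stdio client that performs the initialize handshake, lists the server's tools, and unwraps a tools/call result. It assumes the standard MCP framing (one JSON-RPC 2.0 message per line, an initialize request followed by the notifications/initialized notification) and that a tool result arrives as MCP text content whose text is Semgrep's JSON report; the protocol version string and the client name are placeholders of the example.

```python
"""Minimal MCP stdio client for the Semgrep MCP server (added example, not Semgrep's code).

Assumptions (not stated on the page): the server speaks newline-delimited JSON-RPC 2.0
over stdio as the MCP spec requires, and tool results come back as MCP "content"
items of type "text" whose text is Semgrep's JSON report.
"""
import json
import subprocess
import sys

PROTOCOL_VERSION = "2024-11-05"  # MCP protocol revision this client announces


def jsonrpc_request(request_id, method, params=None):
    """Build one JSON-RPC 2.0 request as a single line (stdio framing)."""
    msg = {"jsonrpc": "2.0", "id": request_id, "method": method}
    if params is not None:
        msg["params"] = params
    return json.dumps(msg) + "\n"


def jsonrpc_notification(method, params=None):
    """Notifications carry no id and expect no reply."""
    msg = {"jsonrpc": "2.0", "method": method}
    if params is not None:
        msg["params"] = params
    return json.dumps(msg) + "\n"


def handshake_messages():
    """The messages a client sends before it may call tools:
    initialize, the initialized notification, then tools/list."""
    return [
        jsonrpc_request(1, "initialize", {
            "protocolVersion": PROTOCOL_VERSION,
            "capabilities": {},
            "clientInfo": {"name": "semgrep-mcp-probe", "version": "0.1"},  # placeholder name
        }),
        jsonrpc_notification("notifications/initialized"),
        jsonrpc_request(2, "tools/list"),
    ]


def parse_response(line, expected_id):
    """Decode one response line; raise on a JSON-RPC error or id mismatch
    so a failed scan is never mistaken for 'no findings'."""
    msg = json.loads(line)
    if msg.get("id") != expected_id:
        raise ValueError(f"unexpected response id {msg.get('id')!r}, wanted {expected_id!r}")
    if "error" in msg:
        err = msg["error"]
        raise RuntimeError(f"server error {err.get('code')}: {err.get('message')}")
    return msg["result"]


def tool_names(tools_list_result):
    """Names advertised in a tools/list result, sorted for stable comparison."""
    return sorted(t["name"] for t in tools_list_result.get("tools", []))


def tool_result_json(call_result):
    """Pull the Semgrep JSON report out of an MCP tools/call result.
    An isError result is raised, not returned, so callers cannot treat it as a clean scan."""
    if call_result.get("isError"):
        texts = [c.get("text", "") for c in call_result.get("content", []) if c.get("type") == "text"]
        raise RuntimeError("tool reported an error: " + " ".join(texts))
    for item in call_result.get("content", []):
        if item.get("type") == "text":
            return json.loads(item["text"])
    raise ValueError("no text content in tool result")


def run_stdio_session(command=("uvx", "semgrep-mcp")):
    """Spawn the server over stdio and return its tool names; needs semgrep-mcp installed."""
    proc = subprocess.Popen(list(command), stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    try:
        init, initialized, listing = handshake_messages()
        proc.stdin.write(init)
        proc.stdin.flush()
        parse_response(proc.stdout.readline(), 1)
        proc.stdin.write(initialized)
        proc.stdin.write(listing)
        proc.stdin.flush()
        return tool_names(parse_response(proc.stdout.readline(), 2))
    finally:
        proc.stdin.close()
        proc.terminate()


if __name__ == "__main__":
    # Usage: python mcp_probe.py [command ...]   (defaults to `uvx semgrep-mcp`)
    print("\n".join(run_stdio_session(tuple(sys.argv[1:]) or ("uvx", "semgrep-mcp"))))
```

The two failure paths matter more than the happy path: a JSON-RPC error object and an isError tool result are both raised rather than returned, because an agent that receives an empty findings list from a scan that never ran will happily report the code as clean.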

Use Cases
  • Run a security scan of the current file or repo from inside Cursor or Claude Code before opening a PR.
  • Triage Semgrep AppSec Platform findings conversationally, pulling open issues by repo, severity, or rule.
  • Have the agent draft a new Semgrep YAML rule against an example of a vulnerable pattern, then validate it with a scan.
  • Generate an abstract syntax tree of a function to reason about complex code transformations or rule authoring.
  • Fetch the rule schema and registry rules so the LLM can write syntactically valid custom rules without guessing.
Example Prompts
  • "Run a Semgrep security_check on the files I just modified and summarize any high-severity findings."
  • "Write a custom Semgrep rule that flags use of eval in our Python code, then scan src/ with it."
  • "Pull all open Semgrep findings of severity ERROR for the payments-api repo from the AppSec Platform."
  • "Show me the Semgrep AST for this Go function so we can discuss a refactor."
  • "What languages does Semgrep support, and which of our project's files would it cover?"
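Two of the prompts above (drafting an eval rule, then summarising high-severity findings) are the workflow a reviewer most often wants to script rather than type. The block below is an added example and not code from Semgrep or the MCP server project: it defines a custom rule that flags eval on Python code, checks it for the keys Semgrep requires before sending it, builds the tools/call request for semgrep_scan_with_custom_rule, and triages a Semgrep JSON report by severity. The tool's argument names (code_files as a list of filename/content objects, and rule as the rule text) are assumptions, as is the assumption that the tool returns Semgrep's standard JSON report; the sample report and the second check_id in it are constructed.

```python
"""Custom eval rule plus findings triage for the Semgrep MCP tools (added example).

Assumptions (not stated on the page): semgrep_scan_with_custom_rule takes
`code_files` (list of {filename, content}) and `rule` (rule text), and returns
Semgrep's standard JSON report ({"results": [...], "errors": [...]}).
"""
import json

SEVERITY_RANK = {"INFO": 0, "WARNING": 1, "ERROR": 2}

# Rule written as a dict and serialised as JSON: JSON is valid YAML, so Semgrep's
# config loader accepts it. The pattern-not drops eval of a string literal to cut noise.
EVAL_RULE = {
    "rules": [{
        "id": "python-eval-on-untrusted-input",
        "languages": ["python"],
        "severity": "ERROR",
        "message": "eval() executes arbitrary code; use ast.literal_eval or a real parser",
        "patterns": [
            {"pattern": "eval(...)"},
            {"pattern-not": 'eval("...")'},
        ],
    }]
}

REQUIRED_RULE_KEYS = {"id", "languages", "severity", "message"}
PATTERN_KEYS = {"pattern", "patterns", "pattern-either", "pattern-regex"}


def validate_rule(rule_doc):
    """Return the problems Semgrep would reject the rule document for (empty list = ok)."""
    problems = []
    if not rule_doc.get("rules"):
        return ["no rules defined"]
    for i, rule in enumerate(rule_doc["rules"]):
        missing = REQUIRED_RULE_KEYS - rule.keys()
        if missing:
            problems.append(f"rule {i}: missing {sorted(missing)}")
        if not PATTERN_KEYS & rule.keys():
            problems.append(f"rule {i}: no pattern clause")
        if rule.get("severity") not in SEVERITY_RANK:
            problems.append(f"rule {i}: severity must be one of {sorted(SEVERITY_RANK)}")
    return problems


# Constructed sample file that the rule should flag on line 3.
VULNERABLE_SNIPPET = """# constructed sample: evaluates a query-string value
def parse_limit(qs):
    return eval(qs.get("limit", "10"))
"""


def build_custom_rule_call(request_id, files, rule_doc):
    """JSON-RPC tools/call for semgrep_scan_with_custom_rule (argument names assumed).
    Refuses to build a call for a rule that would fail validation server-side."""
    problems = validate_rule(rule_doc)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "tools/call",
        "params": {
            "name": "semgrep_scan_with_custom_rule",
            "arguments": {
                "code_files": [{"filename": n, "content": c} for n, c in files.items()],
                "rule": json.dumps(rule_doc),
            },
        },
    }


def summarize_findings(report, min_severity="WARNING"):
    """Collapse a Semgrep JSON report into severity/check_id/path/line rows,
    dropping anything below min_severity and sorting worst-first."""
    floor = SEVERITY_RANK[min_severity]
    rows = []
    for r in report.get("results", []):
        sev = r["extra"]["severity"]
        if SEVERITY_RANK.get(sev, -1) < floor:
            continue  # unknown or too-low severities are excluded
        rows.append({"severity": sev, "check_id": r["check_id"],
                     "path": r["path"], "line": r["start"]["line"]})
    rows.sort(key=lambda x: (-SEVERITY_RANK[x["severity"]], x["path"], x["line"]))
    return rows


# Constructed report shaped like `semgrep --json` output; the second check_id is invented.
SAMPLE_REPORT = {
    "results": [
        {"check_id": "python-eval-on-untrusted-input", "path": "api/limits.py",
         "start": {"line": 3, "col": 12}, "end": {"line": 3, "col": 42},
         "extra": {"severity": "ERROR", "message": "eval() executes arbitrary code"}},
        {"check_id": "sample.style.unused-import", "path": "api/limits.py",
         "start": {"line": 1, "col": 1}, "end": {"line": 1, "col": 10},
         "extra": {"severity": "INFO", "message": "constructed low-severity finding"}},
    ],
    "errors": [],
}

if __name__ == "__main__":
    call = build_custom_rule_call(3, {"api/limits.py": VULNERABLE_SNIPPET}, EVAL_RULE)
    print(json.dumps(call, indent=2))
    for row in summarize_findings(SAMPLE_REPORT, "WARNING"):
        print(f'{row["severity"]:7} {row["path"]}:{row["line"]} {row["check_id"]}')
```

Validating the rule locally before the call is the cheap half of the "draft, then validate with a scan" loop in the use cases: a rule with a missing severity or no pattern clause is rejected by Semgrep anyway, and catching it client-side keeps the agent from interpreting a config error as a clean scan. The severity floor defaults to WARNING so that INFO-level style findings do not drown the ERROR the custom rule was written for.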
Pros
  • Official Semgrep project, with a hosted remote endpoint and multiple distribution options (uvx, Docker).
  • Covers both local scanning and cloud platform findings, plus rule schema access for LLM-assisted rule writing.
  • Works with the full Semgrep rule registry (5,000+ rules) across many languages with no extra setup.
  • Supports stdio, streamable HTTP, and SSE transports, so it fits both desktop clients and remote agent setups.
Limitations
  • The standalone semgrep/mcp repository was archived on October 28, 2025; updates now ship inside the main semgrep binary, which can be confusing for users following the old repo.
  • AppSec Platform features (semgrep_findings) require a Semgrep account and SEMGREP_APP_TOKEN.
  • Marked as a beta project, so tool surface and transports may still change.