A Model Context Protocol (MCP) server for using
Note: This beta project is under active development. We would love your feedback, bug reports, feature requests, and code. Join the #mcp
- Getting Started
- Demo
- API
- Usage
- Semgrep AppSec Platform
- Integrations
- Contributing, Community, and Running From Source
Run with uv:

```shell
uvx semgrep-mcp # see --help for more options
```

Or, run as a Docker container:

```shell
docker run -i --rm ghcr.io/semgrep/mcp -t stdio
```
Example mcp.json:

```json
{
  "mcpServers": {
    "semgrep": {
      "command": "uvx",
      "args": ["semgrep-mcp"],
      "env": {
        "SEMGREP_APP_TOKEN": "<token>"
      }
    }
  }
}
```
Add an instruction to your .cursor/rules to use it automatically:

```text
Always scan code generated using Semgrep for security vulnerabilities
```
Warning: This is an experimental server that may break. Once the MCP spec gains support for HTTP Streaming and OAuth in the near future, it will gain new functionality.
mcp.json:

```json
{
  "mcpServers": {
    "semgrep": {
      "url": "https://mcp.semgrep.ai/sse"
    }
  }
}
```
Tools enable LLMs to perform actions, make deterministic computations, and interact with external services:

- `security_check`: Scan code for security vulnerabilities
- `semgrep_scan`: Scan code files for security vulnerabilities with a given config string
- `semgrep_scan_with_custom_rule`: Scan code files using a custom Semgrep rule
- `get_abstract_syntax_tree`: Output the Abstract Syntax Tree (AST) of code
- `supported_languages`: Return the list of languages Semgrep supports
- `semgrep_rule_schema`: Fetch the latest Semgrep rule JSON Schema

Prompts are reusable prompts that standardize common LLM interactions:

- `write_custom_semgrep_rule`: Return a prompt to help write a Semgrep rule

Resources expose data and content to LLMs:

- `semgrep://rule/schema`: Specification of the Semgrep rule YAML syntax using JSON schema
- `semgrep://rule/{rule_id}/yaml`: Full Semgrep rule in YAML format from the Semgrep registry
This Python package is published to PyPI as `semgrep-mcp`:

```shell
$ pipx install semgrep-mcp
$ semgrep-mcp --help
Usage: semgrep-mcp [OPTIONS]

  Entry point for the MCP server

  Supports both stdio and sse transports. For stdio, it will read from stdin
  and write to stdout. For sse, it will start an HTTP server on port 8000.

Options:
  -v, --version                Show version and exit.
  -t, --transport [stdio|sse]  Transport protocol to use (stdio or sse)
  -h, --help                   Show this message and exit.
```
The stdio transport enables communication through standard input and output streams. This is particularly useful for local integrations and command-line tools. See the spec for more details.

```shell
semgrep-mcp
```

By default, the Python package will run in stdio mode. Because it uses the standard input and output streams, it will look like the tool is hanging without any output, but this is expected.
This server is published to GitHub's Container Registry (ghcr.io/semgrep/mcp):

```shell
docker run -i --rm ghcr.io/semgrep/mcp -t stdio
```

By default, the Docker container is in SSE mode, so you will have to include -t stdio after the image name and run with -i to run in stdio mode.
SSE transport enables server-to-client streaming with HTTP POST requests for client-to-server communication. See the spec for more details.

By default, the server listens on port 8000 and serves the SSE endpoint at /sse:

```shell
semgrep-mcp -t sse
```

By default, the Python package will run in stdio mode, so you will have to include -t sse.

```shell
docker run -p 8000:8000 ghcr.io/semgrep/mcp
```
Optionally, to connect to Semgrep AppSec Platform:

1. Login or sign up
2. Generate a token from Settings
3. Add the token to your environment variables:
   - CLI: `export SEMGREP_APP_TOKEN=<token>`
   - Docker: `docker run -e SEMGREP_APP_TOKEN=<token>`
   - MCP config JSON:

     ```json
     "env": {
       "SEMGREP_APP_TOKEN": "<token>"
     }
     ```
Tip: Please reach out to support@semgrep.com if needed.
Add the following JSON block to your ~/.cursor/mcp.json global or .cursor/mcp.json project-specific configuration file:

```json
{
  "mcpServers": {
    "semgrep": {
      "command": "uvx",
      "args": ["semgrep-mcp"]
    }
  }
}
```

See the Cursor docs for more info.
Click the install buttons at the top of this README for the quickest installation.
Add the following JSON block to your User Settings (JSON) file in VS Code. You can do this by pressing Ctrl + Shift + P and typing Preferences: Open User Settings (JSON).

```json
{
  "mcp": {
    "servers": {
      "semgrep": {
        "command": "uvx",
        "args": ["semgrep-mcp"]
      }
    }
  }
}
```

Optionally, you can add it to a file called .vscode/mcp.json in your workspace:

```json
{
  "servers": {
    "semgrep": {
      "command": "uvx",
      "args": ["semgrep-mcp"]
    }
  }
}
```

Or, using Docker:

```json
{
  "mcp": {
    "servers": {
      "semgrep": {
        "command": "docker",
        "args": [
          "run",
          "-i",
          "--rm",
          "ghcr.io/semgrep/mcp",
          "-t",
          "stdio"
        ]
      }
    }
  }
}
```

See the VS Code docs for more info.
Add the following JSON block to your ~/.codeium/windsurf/mcp_config.json file:

```json
{
  "mcpServers": {
    "semgrep": {
      "command": "uvx",
      "args": ["semgrep-mcp"]
    }
  }
}
```

See the Windsurf docs for more info.
Add the following JSON block to your claude_desktop_config.json file:

```json
{
  "mcpServers": {
    "semgrep": {
      "command": "uvx",
      "args": ["semgrep-mcp"]
    }
  }
}
```

See the Claude Desktop docs for more info.
The MCPServerStdio class used here comes from the OpenAI Agents SDK (its agents.mcp module):

```python
import asyncio
from agents.mcp import MCPServerStdio  # OpenAI Agents SDK (pip install openai-agents)

async def main():
    # Launch semgrep-mcp as a subprocess and talk to it over stdio
    async with MCPServerStdio(
        params={
            "command": "uvx",
            "args": ["semgrep-mcp"],
        }
    ) as server:
        tools = await server.list_tools()  # the server's tools (semgrep_scan, ...)

asyncio.run(main())
```

See the OpenAI Agents SDK docs for more info.
See a full example in examples/sse_client.py:

```python
import asyncio

from mcp.client.session import ClientSession
from mcp.client.sse import sse_client


async def main():
    # Connect to a semgrep-mcp server started with `semgrep-mcp -t sse` (port 8000)
    async with sse_client("http://localhost:8000/sse") as (read_stream, write_stream):
        async with ClientSession(read_stream, write_stream) as session:
            await session.initialize()
            # Call the semgrep_scan tool on an in-memory file
            results = await session.call_tool(
                "semgrep_scan",
                {
                    "code_files": [
                        {
                            "filename": "hello_world.py",
                            "content": "def hello(): print('Hello, World!')",
                        }
                    ]
                },
            )
            print(results)


asyncio.run(main())
```
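The client above scans a single in-memory file. As an added example that is not part of the README or the semgrep-mcp project, the script below generalizes it to a whole directory: it builds the `code_files` list the `semgrep_scan` tool expects from every source file under a path (skipping `.git`, non-text and oversized files) and sends it over the same SSE transport. It assumes semgrep-mcp is listening at http://localhost:8000/sse and that the `mcp` client package is installed; the suffix list and size limit are the example's own choices.

```python
# Added example, not from the semgrep-mcp README. Assumes a semgrep-mcp server
# started with `semgrep-mcp -t sse` on port 8000 and the `mcp` package installed.
import asyncio
from pathlib import Path

# Suffixes treated as scannable source (example's own choice); anything else is skipped.
SOURCE_SUFFIXES = {".py", ".js", ".ts", ".go", ".java", ".rb", ".php", ".c", ".cpp", ".rs"}
MAX_FILE_BYTES = 200_000  # skip generated/minified blobs that would bloat the request


def build_code_files(root: str) -> list[dict]:
    """Build the `code_files` argument of the semgrep_scan tool: a list of
    {"filename": ..., "content": ...} dicts, one per source file under root."""
    root_path = Path(root)
    code_files = []
    for path in sorted(root_path.rglob("*")):
        if not path.is_file() or path.suffix not in SOURCE_SUFFIXES:
            continue
        if ".git" in path.parts or path.stat().st_size > MAX_FILE_BYTES:
            continue
        try:
            content = path.read_text(encoding="utf-8")
        except UnicodeDecodeError:
            continue  # not text; semgrep would not parse it anyway
        code_files.append({"filename": str(path.relative_to(root_path)), "content": content})
    return code_files


async def scan_directory(root: str, url: str = "http://localhost:8000/sse"):
    # Imports live here so build_code_files stays usable without the mcp package.
    from mcp.client.session import ClientSession
    from mcp.client.sse import sse_client

    code_files = build_code_files(root)
    async with sse_client(url) as (read_stream, write_stream):
        async with ClientSession(read_stream, write_stream) as session:
            await session.initialize()
            # Same tool and argument shape as the hello_world.py example above.
            return await session.call_tool("semgrep_scan", {"code_files": code_files})


if __name__ == "__main__":
    import sys

    print(asyncio.run(scan_directory(sys.argv[1] if len(sys.argv) > 1 else ".")))
```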
Tip: Some client libraries want the URL (http://localhost:8000/sse), others the HOST (localhost:8000). Try out the URL in a web browser to confirm the server is running and there are no network issues.
Note: We love your feedback, bug reports, feature requests, and code. Join the #mcp

See CONTRIBUTING.md for more info and details on how to run the MCP server from source code.
- semgrep-vscode - Official VS Code extension
- semgrep-intellij - IntelliJ plugin
- semgrep-rules - The official collection of Semgrep rules
- mcp-server-semgrep - Original inspiration written by Szowesgad and stefanskiasan
Made with ❤️ by the