Semgrep MCP
Official, by Semgrep
The Semgrep MCP server connects your AI coding assistant to Semgrep's static analysis engine, so every code suggestion gets checked for security vulnerabilities before you accept it. It runs Semgrep Code, Supply Chain, and Secrets scanning simultaneously, catching issues across 30+ languages including Python, JavaScript, TypeScript, Go, Java, Rust, C, C++, Ruby, and Swift.

The server exposes seven tools through the Model Context Protocol. The core ones (security_check, semgrep_scan, and semgrep_scan_with_custom_rule) let your LLM request deterministic static analysis on any code snippet or file. get_abstract_syntax_tree outputs the AST for deeper code understanding. supported_languages lists what Semgrep can parse. semgrep_rule_schema returns the JSON schema for writing custom rules, and a write_custom_semgrep_rule prompt guides the LLM through rule creation step by step. If you authenticate with a Semgrep AppSec Platform token, the semgrep_findings tool pulls centralized findings from your organization's dashboard directly into your editor context. Without authentication, the local scanning tools still work with Semgrep's open-source rule registry of over 5,000 rules.

Install via pip, pipx, or uv (uvx semgrep-mcp is the fastest option). Docker images are also available at ghcr.io/semgrep/mcp. The server supports three transports: standard I/O for local editor integration, Streamable HTTP for production setups, and SSE for legacy clients. There is also a hosted endpoint at mcp.semgrep.ai for zero-install usage with Cursor and ChatGPT.

The practical workflow: your IDE generates code, the MCP server scans it, and the IDE re-generates until Semgrep returns zero findings. This creates a feedback loop where security vulnerabilities get caught at write-time rather than in CI or code review. For teams that already use Semgrep in their pipeline, this moves the same checks earlier in the development cycle without adding friction.
Key Features
- ✓ Scans AI-generated code for security vulnerabilities using Semgrep Code, Supply Chain, and Secrets products simultaneously
- ✓ Over 5,000 built-in rules covering OWASP Top 10, CWE, and language-specific security patterns across 30+ languages
- ✓ Custom rule support with guided LLM prompts for writing and testing Semgrep rules directly in your editor
- ✓ AST generation tool for deep code structure analysis beyond pattern matching
- ✓ Three transport options (STDIO, Streamable HTTP, SSE) plus a hosted endpoint at mcp.semgrep.ai for zero-install setup
- ✓ AppSec Platform integration to pull centralized findings from your organization's Semgrep dashboard into editor context
Use Cases
- → Catching security vulnerabilities in AI-generated code: The MCP server creates a scan-regenerate loop where your IDE keeps fixing code until Semgrep returns zero findings, stopping SQL injection, XSS, and hardcoded secrets before they reach version control
- → Writing custom Semgrep rules: Use the write_custom_semgrep_rule prompt and semgrep_rule_schema tool to have your AI assistant draft, test, and iterate on organization-specific security rules without leaving the editor
- → Shifting security left for teams already running Semgrep in CI: Move the same rule set from your pipeline into the IDE so developers catch issues at write-time instead of waiting for CI feedback 10 minutes later
- → Supply chain vulnerability detection: Scan dependencies alongside source code to flag known CVEs in third-party packages during development, not after deployment
- → Security code review augmentation: Feed code diffs to the MCP server during review to get deterministic static analysis findings alongside your LLM's reasoning about code quality