Semgrep

v1.0.0Securitystable

An MCP server that provides a comprehensive interface to Semgrep, enabling users to scan code for security vulnerabilities, create custom rules, and analyze scan results through the Model Context Protocol.

mcpsemgrep
Share:
667
Stars
0
Downloads
0
Weekly
0/5

What is Semgrep?

Semgrep is a Model Context Protocol (MCP) server that allows AI assistants like Claude, Cursor, and VS Code to mcp server that provides a comprehensive interface to semgrep, enabling users to scan code for security vulnerabilities, create custom rules, and analyze scan results through the model context protoco...

An MCP server that provides a comprehensive interface to Semgrep, enabling users to scan code for security vulnerabilities, create custom rules, and analyze scan results through the Model Context Protocol.

This server falls under the Security and Developer Tools categories on MCPgee, the world's largest MCP server directory with 33,000+ servers.

Features

  • An MCP server that provides a comprehensive interface to Sem

Use Cases

Scan code for security vulnerabilities and custom pattern violations through MCP. Create and manage custom Semgrep rules for your codebase. Analyze scan results and prioritize security findings.
semgrep

Maintainer

LicenseMIT License
Languagepython
Versionv1.0.0
UpdatedMay 20, 2026
Statushealthy
Maintenanceactive

Works with

ClaudeOpenAIwindowsmacoslinux

Installation

Manual Installation

npx semgrep-mcp-server

Configuration

Configuration Details

Config File

claude_desktop_config.json

Performance

Response Metrics

Response Time< 200ms
ThroughputMedium

Resource Usage

Memory UsageLow
CPU UsageLow

How to Set Up and Use Semgrep

The Semgrep MCP Server provides AI assistants with direct access to Semgrep's static analysis engine for scanning code for security vulnerabilities, writing custom detection rules, and querying findings from the Semgrep AppSec Platform. It exposes tools for running security scans on code snippets or files, generating abstract syntax trees, and retrieving cloud findings — all through natural language. Security engineers and developers use it to embed automated code scanning into their AI-assisted development and code review workflows.

Prerequisites

  • Python 3.9+ and uv or pipx installed
  • Semgrep CLI installed and available in PATH (pip install semgrep)
  • An MCP client such as Claude Code, Cursor, or VS Code with MCP support
  • Optional: SEMGREP_APP_TOKEN for accessing Semgrep AppSec Platform cloud findings
  • Docker (optional, for the containerized deployment)
1

Install the Semgrep MCP server

Install using uvx for the simplest setup. This also installs the Semgrep CLI as a dependency.

# Recommended (no permanent install):
uvx semgrep-mcp

# Permanent install with pipx:
pipx install semgrep-mcp

# Docker:
docker pull ghcr.io/semgrep/mcp
2

Add to Claude Code

Claude Code users can add the Semgrep MCP server with a single command.

claude mcp add semgrep uvx semgrep-mcp
3

Configure for Claude Desktop

Add the Semgrep MCP server to your Claude Desktop configuration file.

{
  "mcpServers": {
    "semgrep": {
      "command": "uvx",
      "args": ["semgrep-mcp"]
    }
  }
}
4

Enable Semgrep AppSec Platform integration (optional)

To access cloud findings from the Semgrep AppSec Platform, set the SEMGREP_APP_TOKEN environment variable. Get your token at semgrep.dev/settings.

{
  "mcpServers": {
    "semgrep": {
      "command": "uvx",
      "args": ["semgrep-mcp"],
      "env": {
        "SEMGREP_APP_TOKEN": "your-semgrep-app-token"
      }
    }
  }
}
5

Configure for Cursor or VS Code

Add the server to your Cursor MCP config (~/.cursor/mcp.json) or VS Code user settings.

# Cursor (~/.cursor/mcp.json):
{
  "mcpServers": {
    "semgrep": {
      "command": "uvx",
      "args": ["semgrep-mcp"]
    }
  }
}

# VS Code (User Settings JSON):
{
  "mcp": {
    "servers": {
      "semgrep": {
        "command": "uvx",
        "args": ["semgrep-mcp"]
      }
    }
  }
}
6

Restart your client and verify

Restart Claude Code or your MCP client. Ask Claude to scan a code snippet for security issues to confirm the Semgrep tools are available.

Semgrep Examples

Client configuration

Claude Desktop configuration for the Semgrep MCP server. Add SEMGREP_APP_TOKEN if you want cloud findings from the AppSec Platform.

{
  "mcpServers": {
    "semgrep": {
      "command": "uvx",
      "args": ["semgrep-mcp"],
      "env": {
        "SEMGREP_APP_TOKEN": "your-semgrep-app-token"
      }
    }
  }
}

Prompts to try

Use these prompts to leverage Semgrep's security analysis through Claude:

- "Scan this Python function for SQL injection vulnerabilities: [paste code]"
- "Run a security check on my login handler and explain any findings"
- "Write a custom Semgrep rule to detect hardcoded AWS credentials in JavaScript"
- "Show me the abstract syntax tree for this code snippet"
- "Fetch the latest findings from my Semgrep AppSec Platform project and prioritize the critical ones"
- "What programming languages does Semgrep support for scanning?"

Troubleshooting Semgrep

semgrep_scan fails with 'semgrep: command not found'

The Semgrep CLI must be installed separately and available in PATH. Run 'pip install semgrep' or 'brew install semgrep', then verify with 'semgrep --version'. The MCP server wraps the CLI and requires it to be accessible.

semgrep_findings tool returns no results or an authentication error

The semgrep_findings tool requires a valid SEMGREP_APP_TOKEN set in the MCP server's environment. Generate a token at semgrep.dev → Settings → Tokens, then add it to the env block in your MCP configuration.

Server fails to start via uvx with package resolution errors

Update uv to the latest version: 'pip install --upgrade uv'. If the issue persists, try the pipx installation method: 'pipx install semgrep-mcp'. Alternatively, use the Docker image: 'docker run -i --rm ghcr.io/semgrep/mcp -t stdio'.

Frequently Asked Questions about Semgrep

What is Semgrep?

Semgrep is a Model Context Protocol (MCP) server that mcp server that provides a comprehensive interface to semgrep, enabling users to scan code for security vulnerabilities, create custom rules, and analyze scan results through the model context protocol. It connects AI assistants to external tools and data sources through a standardized interface.

How do I install Semgrep?

Follow the installation instructions on the Semgrep GitHub repository. Clone the repo, install dependencies, and add the server config to your AI client.

Which AI clients work with Semgrep?

Semgrep works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.

Is Semgrep free to use?

Yes, Semgrep is open source and available under the MIT License license. You can use it freely in both personal and commercial projects.

Semgrep Alternatives — Similar Security Servers

Looking for alternatives to Semgrep? Here are other popular security servers you can use with Claude, Cursor, and VS Code.

Casdoor

13.6k

An open-source Agent-first Identity and Access Management (IAM) /LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD

ghidraMCP

9.0k

An Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through

HexStrike AI

8.9k

HexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b

IDA Pro MCP

8.7k

Enables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.

Anthropic Cybersecurity Skills

6.6k

754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform

Hooker

5.1k

🔥🔥 hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u

Browse More Security MCP Servers

Explore all security servers available in the MCPgee directory. Each server includes setup guides for Claude, Cursor, and VS Code.

Quick Config Preview

{ "mcpServers": { "semgrep-mcp-server": { "command": "npx", "args": ["-y", "semgrep-mcp-server"] } } }

Add this to your claude_desktop_config.json or .cursor/mcp.json

Read the full setup guide →

Ready to use Semgrep?

Browse our complete directory of 33,000+ MCP servers, read setup guides for your editor, and start building with the Model Context Protocol.

33,000+ ServersFree & Open SourceStep-by-Step Guides