Skip to content

README.md

Latest commit

 

History

History
386 lines (284 loc) · 14.3 KB

README.md

File metadata and controls

386 lines (284 loc) · 14.3 KB

Semgrep logo

Documentation Join Semgrep community Slack Follow on LinkedIn Follow @semgrep on X

Semgrep MCP Server

A Model Context Protocol (MCP) server for using Semgrep to scan code for security vulnerabilities. Secure your vibe coding! 🔒

Model Context Protocol (MCP) is a standardized API for LLMs, Agents, and IDEs like Claude Code, Cursor, VS Code, Windsurf, or anything that supports MCP, to get specialized help, get context, and harness the power of tools. Semgrep is a fast, deterministic static analysis tool that semantically understands many languages and comes with over 10,000 rules. 🛠️

Note

This project is under active development. We would love your feedback. Join the #mcp community Slack channel!

Contents

Getting started

Demo Video

MCP-demo-video-RSA.mov

Claude Code

  1. Start a new Claude Code instance in the terminal:

    claude

  2. Open the plugin marketplace:

    /plugin

  3. Go to Discover, search for Semgrep, and click Install.

  4. Set up the Semgrep plugin by running the following skill. This also installs the Semgrep CLI:

    /setup-semgrep-plugin

Cursor

  1. Open Cursor

  2. Find Semgrep in the Cursor Plugin Marketplace, or open Cursor > ⌘⇧J > Plugins and Search "Semgrep" and click Add to Cursor.

  3. Set up the Semgrep plugin by running the following skill. This also installs the Semgrep CLI:

    /setup-semgrep-plugin

  4. Restart Cursor to apply configuration.

Usage

In order to use the Semgrep MCP server, you must first have the Semgrep CLI:

$ brew install semgrep

The server can then be invoked via the mcp subcommand:

$ semgrep mcp --help

Usage: semgrep mcp [OPTIONS]

  Entry point for the MCP server

  Supports stdio and streamable-http transports. For stdio, it will read
  from stdin and write to stdout. For streamable-http, it will start
  an HTTP server on port 8000.

Options:
  -v, --version                   Show version and exit.
  -t, --transport [stdio|streamable-http]
                                  Transport protocol to use:
                                  stdio or streamable-http
  -p, --port INTEGER              Port to use for the MCP server
  -h, --help                      Show this message and exit.

Standard Input/Output (stdio)

The stdio transport enables communication through standard input and output streams. This is particularly useful for local integrations and command-line tools. See the spec for more details.

Python

semgrep mcp

By default, the server will run in stdio mode. Because it's using the standard input and output streams, it will look like the tool is hanging without any output, but this is expected.

Docker

The Semgrep binary is published to Docker:

docker run -i --rm semgrep/semgrep semgrep mcp -t stdio

Streamable HTTP

Streamable HTTP enables streaming responses over JSON RPC via HTTP POST requests. See the spec for more details.

By default, the server listens on 127.0.0.1:8000/mcp for client connections. To change any of this, set FASTMCP_* environment variables. The server must be running for clients to connect to it.

Python

semgrep mcp -t streamable-http

By default, the server will run in stdio mode, so you will have to include -t streamable-http.

Docker

docker run -p 8000:8000 semgrep/semgrep semgrep mcp

Semgrep AppSec Platform

Optionally, to connect to Semgrep AppSec Platform:

  1. Login or sign up
  2. Generate a token from Settings
  3. Add the token to your environment variables:

    • CLI (export SEMGREP_APP_TOKEN=<token>)

    • Docker (docker run -e SEMGREP_APP_TOKEN=<token>)

    • MCP config JSON

    "env": {
      "SEMGREP_APP_TOKEN": "<token>"
    }

Tip

Please reach out for support if needed. ☎️

Integrations

Claude Code Integration

  1. Start a new Claude Code instance in the terminal:

    claude

  2. Open the plugin marketplace:

    /plugin

  3. Go to Discover, search for Semgrep, and click Install.

  4. Set up the Semgrep plugin by running the following skill. This also installs the Semgrep CLI:

    /setup-semgrep-plugin

See Claude Code docs for more info.

Cursor Integration

  1. Open Cursor

  2. Find Semgrep in the Cursor Plugin Marketplace, or open Cursor > ⌘⇧J > Plugins and Search "Semgrep" and click Add to Cursor.

  3. Set up the Semgrep plugin by running the following skill. This also installs the Semgrep CLI:

    /setup-semgrep-plugin

  4. Restart Cursor to apply configuration.

See cursor docs for more info.

VS Code / Copilot

Manual Configuration

Add the following JSON block to your User Settings (JSON) file in VS Code. You can do this by pressing Ctrl + Shift + P and typing Preferences: Open User Settings (JSON).

{
  "mcp": {
    "servers": {
      "semgrep": {
        "command": "semgrep",
        "args": ["mcp"]
      }
    }
  }
}

Optionally, you can add it to a file called .vscode/mcp.json in your workspace:

{
  "servers": {
    "semgrep": {
      "command": "semgrep",
        "args": ["mcp"]
    }
  }
}

See VS Code docs for more info.

Windsurf

  1. Install Semgrep:

    # install through homebrew
brew install semgrep
    # install through pip
python3 -m pip install semgrep

  2. Verify that you've installed the latest version of Semgrep by running the following:

    semgrep --version

  3. Log in to Semgrep and install Semgrep Pro:

    semgrep login && semgrep install-semgrep-pro

  4. Create a hooks.json file at ~/.codeium/windsurf/hooks.json and paste the following configuration:

    {
  "hooks": {
    "post_write_code": [
      {
        "command": "semgrep mcp -k post-tool-cli-scan -a windsurf",
        "show_output": true
      }
    ]
  }
}

  5. Restart Windsurf to apply hook configuration.

See Windsurf docs for more info.

Custom clients

Example Python streamable HTTP client

import asyncio
import json
from mcp.client.session import ClientSession
from mcp.client.streamable_http import streamablehttp_client


async def main():
    async with streamablehttp_client("http://localhost:8000/mcp") as (read_stream, write_stream, _):
        async with ClientSession(read_stream, write_stream) as session:
            await session.initialize()
            results = await session.call_tool(
                "semgrep_scan_remote",
                {
                    "code_files": [
                        {
                            "path": "hello_world.py",
                            "content": "def hello(): print('Hello, World!')",
                        }
                    ]
                },
            )
            content_block = results.content[0]
            content = json.loads(content_block.text)
            paths = content.get("paths", None)
            if paths:
                scanned = paths.get("scanned", [])
                findings = content.get("results", [])
                print(f"Scanned {len(scanned)} paths. Found {len(findings)} findings.")

Tip

Some client libraries want the URL: http://localhost:8000/mcp and others only want the HOST: localhost:8000. Try out the URL in a web browser to confirm the server is running, and there are no network issues. Set SEMGREP_IS_HOSTED=true to use the semgrep_scan_remote tool

See official SDK docs for more info.

Contributing, community, and running from source

Note

We love your feedback, bug reports, feature requests, and code. Join the #mcp community Slack channel!

See CONTRIBUTING.md for more info and details on how to run from the MCP server from source code.

Community projects 🌟

MCP server registries

Semgrep Server MCP server

Made with ❤️ by the Semgrep Team