# [beta] Semgrep MCP Server

MCP Server for using Semgrep to scan code.
## Demo
<a href="https://www.loom.com/share/8535d72e4cfc4e1eb1e03ea223a702df"> <img style="max-width:300px;" src="https://cdn.loom.com/sessions/thumbnails/8535d72e4cfc4e1eb1e03ea223a702df-1047fabea7261abb-full-play.gif"> </a>
MCP is like LSP or Unix pipes for LLMs, AI Agents, and coding tools such as Cursor.
## Features

This MCP Server provides a comprehensive interface to Semgrep through the Model Context Protocol, offering the following tools:

### Scanning Code

- `semgrep_scan`: Scan code snippets for security vulnerabilities
- `scan_directory`: Perform a Semgrep scan on a directory

### Customization

- `list_rules`: List available Semgrep rules with optional language filtering
- `create_rule`: Create custom Semgrep rules

### Results

- `analyze_results`: Analyze scan results, including severity counts and top affected files
- `filter_results`: Filter scan results by severity, rule ID, file path, etc.
- `export_results`: Export scan results in various formats (JSON, SARIF, text)
- `compare_results`: Compare two scan results to identify new and fixed issues
## Installation

### CLI

- Install `uv` using their installation instructions
- Ensure you have Python 3.13+ installed
- Clone this repository
- Install Semgrep (additional methods):

```bash
pip install semgrep
```

### Docker

```bash
docker build -t mcp-server .
```
## Usage

### CLI

```bash
uv run mcp run server.py -t sse
```

Additional info on the python mcp sdk

### Docker

```bash
docker run -p 8000:8000 mcp-server
```

Also published to ghcr.io/semgrep/mcp:

```bash
docker run -p 8000:8000 ghcr.io/semgrep/mcp:latest
```
## Creating your own client

The server exposes an SSE transport; connect to it with the Python MCP SDK's `ClientSession`:

```python
import asyncio

from mcp import ClientSession
from mcp.client.sse import sse_client


async def main():
    # Connect to the SSE endpoint served by `uv run mcp run server.py -t sse`
    async with sse_client("http://localhost:8000/sse") as (read, write):
        async with ClientSession(read, write) as session:
            await session.initialize()
            # Scan a code snippet for security issues
            result = await session.call_tool("semgrep_scan", {
                "code": "def get_user(user_id):\n    return User.objects.get(id=user_id)",
                "language": "python",
            })
            print(result.content)


asyncio.run(main())
```
## Cursor Plugin

- Go to Cursor > Settings > Cursor Settings
- Choose the `MCP` tab
- Click "Add new MCP server"
- Name: `Semgrep`, Type: `sse`, Server URL: `http://127.0.0.1:8000/sse`
- Ensure the MCP server is enabled

You can also set it up by adding this to `~/.cursor/mcp.json`:

```json
{
  "mcpServers": {
    "Semgrep": {
      "url": "http://localhost:8000/sse"
    }
  }
}
```
## Advanced Usage

The server supports advanced Semgrep functionality. Called from an initialized MCP `ClientSession`:

```python
# Scan an entire directory with a Semgrep registry ruleset
results = await session.call_tool("scan_directory", {
    "path": "/path/to/code",
    "config": "p/security-audit"
})

# Filter results by severity
filtered = await session.call_tool("filter_results", {
    "results_file": "/path/to/results.json",
    "severity": "ERROR"
})
```
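To show what the `analyze_results`, `filter_results` and `compare_results` tools do with a scan, here is an added example (not code from the Semgrep MCP project) that implements the same post-processing over two constructed scans in the shape of Semgrep's JSON output. The rule IDs, paths and messages are made up; the `results[].check_id`, `path`, `start.line` and `extra.severity` fields are the ones Semgrep emits.

```python
"""Added example, not part of the Semgrep MCP project: the post-processing the
analyze_results / filter_results / compare_results tools perform, implemented
over constructed Semgrep JSON output so it runs offline."""
import json
from collections import Counter

# Constructed sample scans in the shape of Semgrep's JSON output: each entry in
# "results" carries check_id, path, start.line and extra.severity
# (ERROR / WARNING / INFO). The rule IDs and paths are made up for this example.
BASELINE_JSON = json.dumps({"results": [
    {"check_id": "sample.sqli", "path": "app/views.py", "start": {"line": 12},
     "extra": {"severity": "ERROR", "message": "query built from user input"}},
    {"check_id": "sample.shell-true", "path": "app/tasks.py", "start": {"line": 40},
     "extra": {"severity": "WARNING", "message": "subprocess with shell=True"}},
    {"check_id": "sample.unused-var", "path": "app/views.py", "start": {"line": 3},
     "extra": {"severity": "INFO", "message": "unused variable"}},
], "errors": []})

# A later scan of the same tree: the views.py findings were fixed, the tasks.py
# one remains, and a new ERROR appeared in api.py.
CURRENT_JSON = json.dumps({"results": [
    {"check_id": "sample.shell-true", "path": "app/tasks.py", "start": {"line": 40},
     "extra": {"severity": "WARNING", "message": "subprocess with shell=True"}},
    {"check_id": "sample.sqli", "path": "app/api.py", "start": {"line": 77},
     "extra": {"severity": "ERROR", "message": "query built from user input"}},
], "errors": []})


def load_findings(raw_json):
    """Parse Semgrep JSON output and return the list of findings."""
    return json.loads(raw_json)["results"]


def analyze_results(raw_json, top_n=3):
    """Severity counts plus the files with the most findings (like analyze_results)."""
    findings = load_findings(raw_json)
    by_severity = Counter(f["extra"]["severity"] for f in findings)
    by_file = Counter(f["path"] for f in findings)
    return {
        "total": len(findings),
        "by_severity": dict(by_severity),
        "top_files": by_file.most_common(top_n),
    }


def filter_results(raw_json, severity=None, rule_id=None, path_prefix=None):
    """Keep only findings matching every criterion given (like filter_results)."""
    kept = []
    for f in load_findings(raw_json):
        if severity is not None and f["extra"]["severity"] != severity:
            continue
        if rule_id is not None and f["check_id"] != rule_id:
            continue
        if path_prefix is not None and not f["path"].startswith(path_prefix):
            continue
        kept.append(f)
    return kept


def _finding_key(f):
    # A finding's identity here is rule + file + line. Unrelated edits shift line
    # numbers, so a finding that merely moved shows up as one fixed plus one new;
    # a production comparison would match on a line-independent fingerprint.
    return (f["check_id"], f["path"], f["start"]["line"])


def compare_results(baseline_json, current_json):
    """New = in current only; fixed = in baseline only (like compare_results)."""
    base = {_finding_key(f): f for f in load_findings(baseline_json)}
    cur = {_finding_key(f): f for f in load_findings(current_json)}
    return {
        "new": [cur[k] for k in sorted(cur.keys() - base.keys())],
        "fixed": [base[k] for k in sorted(base.keys() - cur.keys())],
        "unchanged": len(base.keys() & cur.keys()),
    }


if __name__ == "__main__":
    print(json.dumps(analyze_results(BASELINE_JSON), indent=2))
    diff = compare_results(BASELINE_JSON, CURRENT_JSON)
    print(f'{len(diff["new"])} new, {len(diff["fixed"])} fixed, {diff["unchanged"]} unchanged')
```

The comparison keys on rule, file and line, which is the simplest correct notion of "same finding" but reports a finding that only moved as fixed-plus-new; when wiring a gate like this into CI, match on a line-independent fingerprint or you will get noise on every refactor.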
## Development

### Running the Development Server

Start the MCP server in development mode:

```bash
uv run mcp dev server.py
```

By default, the server runs on http://localhost:3000 with the inspector server on http://localhost:5173.

Note: when opening the inspector server, add a query parameter to the URL to increase the server's default timeout of 10s:

```
http://localhost:5173/?timeout=300000
```
## Community & Related Projects

This project builds upon and is inspired by several awesome community projects:

### Core Technologies

- Semgrep - The underlying static analysis engine that powers this project
- Model Context Protocol (MCP) - The protocol that enables AI agent communication

### Similar Tools

- semgrep-vscode - Official VSCode extension for Semgrep
- semgrep-intellij - IntelliJ plugin for Semgrep

### Community Projects

- semgrep-rules - The official collection of Semgrep rules
- mcp-server-semgrep - Original inspiration written by Szowesgad and stefanskiasan

### MCP Server Registries

- Glama <a href="https://glama.ai/mcp/servers/4iqti5mgde"><img width="380" height="200" src="https://glama.ai/mcp/servers/4iqti5mgde/badge" alt="Semgrep Server MCP server" /></a>