
Semgrep Code Scanner MCP Server

Category: Security | Language: Python
Scan code for security vulnerabilities using Semgrep's static analysis
Available Tools

scan_code
  Scan code for security vulnerabilities using Semgrep
  Parameters: code, language, rules

explain_finding
  Get a detailed explanation of a Semgrep finding
  Parameters: finding_id

list_rules
  List available Semgrep rules for a specific language
  Parameters: language

Semgrep Code Scanner provides real-time security scanning for your code using Semgrep's powerful static analysis engine. It semantically understands code across multiple languages and can identify security vulnerabilities, bugs, and code quality issues directly in your development environment. With access to over 5,000 pre-built rules covering common security vulnerabilities, this MCP helps developers catch issues early in the development process. The scanner integrates seamlessly with your coding workflow through the Model Context Protocol, allowing AI assistants to provide security insights without disrupting your development process.

Semgrep Code Scanner

Semgrep Code Scanner is a Model Context Protocol (MCP) server that brings Semgrep's powerful static analysis capabilities directly into your development environment. It allows you to scan your code for security vulnerabilities, bugs, and code quality issues in real-time.

Installation Options

You have several ways to install and use the Semgrep MCP:

Option 1: Using UV (Python Package Installer)

The simplest way to install is using UV:

uvx semgrep-mcp

Option 2: Using Docker

You can run the Semgrep MCP server using Docker:

docker run -i --rm ghcr.io/semgrep/mcp -t stdio

Option 3: Using the Hosted Service

Semgrep provides a hosted version of the MCP server at https://mcp.semgrep.ai/sse.

Configuration

To configure your MCP client (like VS Code with GitHub Copilot, Cursor, etc.), add the appropriate configuration:

For UV installation:

{
  "command": "uvx",
  "args": ["semgrep-mcp"]
}

For Docker installation:

{
  "command": "docker",
  "args": ["run", "-i", "--rm", "ghcr.io/semgrep/mcp", "-t", "stdio"]
}

For the hosted service:

{
  "type": "sse",
  "url": "https://mcp.semgrep.ai/sse"
}

Usage

Once installed, you can interact with Semgrep through your MCP-compatible client. Here are some example prompts:

  1. "Scan this file for security vulnerabilities"
  2. "Check if this code has any SQL injection vulnerabilities"
  3. "Is there any sensitive data exposure in this code?"
  4. "Analyze this function for potential bugs"

The Semgrep MCP will analyze your code and provide detailed feedback about any issues it finds, including:

  • The type of vulnerability or issue
  • The location in your code
  • An explanation of the problem
  • Recommendations for fixing the issue

Advanced Usage

Semgrep supports scanning across multiple languages including Python, JavaScript, TypeScript, Java, Go, C, C++, and many others. The MCP automatically detects the language of your code and applies the appropriate rules.

You can also specify particular rule sets or categories of vulnerabilities you're interested in checking for in your prompts.
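The tool listing above and the stdio configuration describe how a client talks to this server: JSON-RPC 2.0 messages, one per line, over the launched process's stdin/stdout, with `scan_code` invoked through the MCP `tools/call` method. The following Python client is an added example, not code from the Semgrep MCP project or this catalog. It assumes the server is launched with `uvx semgrep-mcp` (the command shown on this page), that the argument names of `scan_code` are `code`, `language` and `rules` as listed above, and that the tool result uses the standard MCP content/`isError` shape; the exact text Semgrep returns for a finding is not known from the page, so `SAMPLE_CODE` is a constructed snippet and the result is only parsed, not interpreted.

```python
"""Minimal stdio client for the Semgrep MCP server (added example).

Assumptions, not facts from the page: MCP protocol revision string,
the result shape of tools/call, and SAMPLE_CODE (constructed input).
"""
import json
import subprocess
from typing import Any, Optional, Tuple, List

PROTOCOL_VERSION = "2024-11-05"  # MCP revision this client announces (assumption)

# Constructed sample: string-formatted SQL, the kind of pattern the
# "SQL injection" prompt on the page asks Semgrep to look for.
SAMPLE_CODE = (
    "def lookup(cur, user_id):\n"
    "    cur.execute(f\"SELECT * FROM users WHERE id = {user_id}\")\n"
)


def make_request(req_id: int, method: str, params: Optional[dict] = None) -> dict:
    """Build one JSON-RPC 2.0 request object (requests carry an id)."""
    msg: dict[str, Any] = {"jsonrpc": "2.0", "id": req_id, "method": method}
    if params is not None:
        msg["params"] = params
    return msg


def initialize_sequence() -> List[dict]:
    """MCP handshake: an initialize request, then the initialized notification (no id)."""
    return [
        make_request(1, "initialize", {
            "protocolVersion": PROTOCOL_VERSION,
            "capabilities": {},
            "clientInfo": {"name": "semgrep-mcp-demo", "version": "0.1"},
        }),
        {"jsonrpc": "2.0", "method": "notifications/initialized"},
    ]


def scan_code_request(req_id: int, code: str, language: str,
                      rules: Optional[str] = None) -> dict:
    """tools/call for scan_code; `rules` is optional and passed through as given."""
    args: dict[str, Any] = {"code": code, "language": language}
    if rules:
        args["rules"] = rules
    return make_request(req_id, "tools/call", {"name": "scan_code", "arguments": args})


def encode_line(msg: dict) -> bytes:
    """stdio framing: compact JSON with no embedded newlines, newline-terminated."""
    return (json.dumps(msg, separators=(",", ":")) + "\n").encode()


def parse_tool_result(raw: str) -> Tuple[bool, List[str]]:
    """Return (failed, text_parts) for a tools/call response line.

    Two distinct failure signals exist: a JSON-RPC `error` member (the call
    itself was rejected) and a result with isError=true (the tool ran but
    reported failure). Both are surfaced as failed=True so a caller never
    mistakes an aborted scan for a clean one.
    """
    resp = json.loads(raw)
    if "error" in resp:
        return True, [resp["error"].get("message", "unknown error")]
    result = resp.get("result", {})
    texts = [c["text"] for c in result.get("content", []) if c.get("type") == "text"]
    return bool(result.get("isError", False)), texts


def run_scan(code: str, language: str,
             command=("uvx", "semgrep-mcp")) -> Tuple[bool, List[str]]:
    """Launch the server, handshake, scan once, and return the parsed result.

    Requires the server to be installed locally; not exercised by the tests.
    """
    proc = subprocess.Popen(command, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    assert proc.stdin is not None and proc.stdout is not None

    def send(msg: dict) -> None:
        proc.stdin.write(encode_line(msg))
        proc.stdin.flush()

    def recv(req_id: int) -> str:
        # Skip unrelated traffic (server notifications) until our id answers.
        while True:
            line = proc.stdout.readline()
            if not line:
                raise RuntimeError("server closed stdout before answering")
            if json.loads(line).get("id") == req_id:
                return line.decode()

    try:
        init, initialized = initialize_sequence()
        send(init)
        recv(1)
        send(initialized)
        send(scan_code_request(2, code, language))
        return parse_tool_result(recv(2))
    finally:
        proc.stdin.close()
        proc.terminate()


if __name__ == "__main__":
    failed, parts = run_scan(SAMPLE_CODE, "python")
    print("scan failed" if failed else "scan ok")
    print("\n".join(parts))
```

With the stdio options the scanned source never leaves the machine running the server; with the hosted SSE endpoint the `code` argument is sent to https://mcp.semgrep.ai, which is worth knowing before pointing the client at proprietary code. The parser deliberately treats a JSON-RPC error and an `isError` result the same way, because an AI assistant that reads "no findings" from a scan that never ran gives a false sense of safety.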

Getting Help

If you encounter any issues or have questions about using the Semgrep MCP:

  1. Join the Semgrep community Slack at https://go.semgrep.dev/slack (specifically the #mcp channel)
  2. Check the documentation at https://semgrep.dev/docs/
  3. Report bugs or request features on the GitHub repository: https://github.com/semgrep/mcp


About Model Context Protocol

Model Context Protocol (MCP) allows AI models to access external tools and services, extending their capabilities beyond their training data.
