Servers
Clients
Tools
Contact

Semgrep MCP Server

What is this?

The Semgrep MCP Server brings Semgrep’s powerful pattern-based code scanning into any MCP-compliant workflow. Packaged as @modelcontextprotocol/server-semgrep, it acts as a bridge between AI assistants, CI/CD pipelines, or custom tools and Semgrep’s rule engine, providing real-time vulnerability detection and policy enforcement. By speaking the Model Context Protocol out of the box, it makes security analysis extensible and easy to integrate.

Under the hood, it leverages the official Semgrep CLI and library, exposing scan jobs, rule management resources, and preconfigured scan tools, all over HTTP or WebSocket in JSON. Agents and applications can invoke scans as tool calls or resource requests, receive line-level annotations, severity metadata, and even templated prompts for guided workflows. You can customize rulesets, tune severity thresholds, and embed it in pipelines without writing custom adapters.

Quick Start

Install the server using npm:

npm install @modelcontextprotocol/server-semgrep

Then add it to your MCP client configuration:

{
  "mcpServers": {
    "semgrep-mcp-server": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-semgrep"],
      "env": {
        "API_KEY": "your-api-key-here"
      }
    }
  }
}

Key Features

Unified Interface: Leverage Semgrep’s full rule engine via standardized MCP calls, so clients don’t need custom integrations.

Automated Vulnerability Scanning: Run on-demand scans against OWASP Top 10, custom security rules, and code quality patterns with real-time feedback.

Context-Rich Reporting: Get structured results with severity metadata, annotated code snippets, and summaries agents can process or display.

Example Usage

One common use case is invoking the semgrepScanTool from an AI agent to scan a code snippet as part of a chat workflow.

// Example code
const result = await client.callTool({
  name: "semgrepScanTool",
  arguments: {
    codeSnippet: "eval(userInput)",
    language: ["js"]
  }
});

This code invokes the built-in semgrepScanTool, runs a scan on the provided snippet, and returns findings with rule IDs, messages, and location data.

Configuration

The server accepts the following environment variables:

API_KEY – API key for securing the MCP server endpoints.

SETTING_1 (optional) – Specify log verbosity (e.g., « info », « debug »).

Available Tools/Resources

semgrep.scanCode: Main resource to trigger code scans on files, snippets, or repositories.

semgrepScanTool: Tool call that AI agents can invoke to perform on-demand scans within conversations or workflows.

Who Should Use This?

This server is perfect for:

Use case 1: DevSecOps teams looking to embed security scanning directly into CI/CD pipelines without custom adapters.

Use case 2: AI and chat-based assistants that need a tool call interface to perform code analysis in real time.

Use case 3: Development teams wanting consistent, context-rich vulnerability reporting across multiple languages and projects.

Conclusion

With the Semgrep MCP Server, you can easily unify your security scanning and AI-driven workflows under the MCP protocol, accelerating code review feedback and enforcing guardrails across teams. Give it a try and see how quickly you can add powerful, context-aware scanning to your pipelines and agents.

Check out the GitHub repository for more information and to contribute.