Semgrep MCP Server provides a Model Context Protocol interface that lets LLMs and AI assistants leverage Semgrep's powerful static analysis capabilities to scan code for security vulnerabilities. This server allows AI tools like Cursor, VS Code, and ChatGPT to identify potential security issues in your code through the standardized MCP API.
The simplest way to install and run the Semgrep MCP server is with Python's package manager:
uvx semgrep-mcp
Alternatively, you can run it as a Docker container:
docker run -i --rm ghcr.io/semgrep/mcp -t stdio
For local integrations and command-line tools:
semgrep-mcp
By default, the Python package runs in stdio mode, which may appear to be hanging without output (this is expected behavior).
For HTTP-based streaming responses:
semgrep-mcp -t streamable-http
This starts a server listening on 127.0.0.1:8000/mcp for client connections.
For server-to-client streaming (legacy transport):
semgrep-mcp -t sse
This starts a server listening on 127.0.0.1:8000/sse for client connections.
Add to your ~/.cursor/mcp.json or .cursor/mcp.json file:
{
"mcpServers": {
"semgrep": {
"command": "uvx",
"args": ["semgrep-mcp"]
}
}
}
Add to your VS Code User Settings (JSON):
{
"mcp": {
"servers": {
"semgrep": {
"command": "uvx",
"args": ["semgrep-mcp"]
}
}
}
}
https://mcp.semgrep.ai/sseTo connect to the Semgrep AppSec Platform:
export SEMGREP_APP_TOKEN=<token>
Or in your MCP config JSON:
"env": {
"SEMGREP_APP_TOKEN": "<token>"
}
security_check: Scan code for security vulnerabilitiessemgrep_scan: Scan code files for security vulnerabilities with a given configsemgrep_scan_with_custom_rule: Scan code files using a custom Semgrep ruleget_abstract_syntax_tree: Output the Abstract Syntax Tree (AST) of codesemgrep_findings: Fetch Semgrep findings from the Semgrep AppSec Platform API (requires token)supported_languages: Return the list of languages Semgrep supportssemgrep_rule_schema: Fetches the latest semgrep rule JSON SchemaThe server also provides:
To add this MCP server to Claude Code, run this command in your terminal:
claude mcp add-json "semgrep" '{"command":"uvx","args":["semgrep-mcp"]}'See the official Claude Code MCP documentation for more details.
There are two ways to add an MCP server to Cursor. The most common way is to add the server globally in the ~/.cursor/mcp.json file so that it is available in all of your projects.
If you only need the server in a single project, you can add it to the project instead by creating or adding it to the .cursor/mcp.json file.
To add a global MCP server go to Cursor Settings > Tools & Integrations and click "New MCP Server".
When you click that button the ~/.cursor/mcp.json file will be opened and you can add your server like this:
{
"mcpServers": {
"semgrep": {
"command": "uvx",
"args": [
"semgrep-mcp"
]
}
}
}To add an MCP server to a project you can create a new .cursor/mcp.json file or add it to the existing one. This will look exactly the same as the global MCP server example above.
Once the server is installed, you might need to head back to Settings > MCP and click the refresh button.
The Cursor agent will then be able to see the available tools the added MCP server has available and will call them when it needs to.
You can also explicitly ask the agent to use the tool by mentioning the tool name and describing what the function does.
To add this MCP server to Claude Desktop:
1. Find your configuration file:
~/Library/Application Support/Claude/claude_desktop_config.json%APPDATA%\Claude\claude_desktop_config.json~/.config/Claude/claude_desktop_config.json2. Add this to your configuration file:
{
"mcpServers": {
"semgrep": {
"command": "uvx",
"args": [
"semgrep-mcp"
]
}
}
}3. Restart Claude Desktop for the changes to take effect