Semgrep MCP Server

A MCP server for using Semgrep to scan code for security vulnerabilities.

Installation
Add the following to your MCP client configuration file.

Configuration

{
  "mcpServers": {
    "semgrep-mcp": {
      "url": "https://mcp.semgrep.ai/mcp",
      "headers": {
        "SEMGREP_APP_TOKEN": "<token>"
      }
    }
  }
}

You can run Semgrep's MCP server to enable large language models, IDEs, and automation tools to scan code with Semgrep rules, get context, and perform automated security checks. This MCP server exposes both local, self-contained operation (stdio) and remote, streamable HTTP access, so you can choose the integration method that best fits your workflow.

How to use

You connect your MCP client to either a local stdio server or a remote HTTP(S) MCP endpoint. The stdio method runs on your machine and communicates via standard input and output, while the HTTP method exposes a streaming API over HTTP that your client can call.

How to install

Prerequisites: Python and/or Docker, depending on how you want to run the MCP server.

Option A: Run the MCP server locally via Python (stdio transport) using the uvx runner.

Option B: Run the MCP server locally in a Docker container (stdio transport) using the official image.

Additional content

This MCP server supports multiple connection methods and provides tooling endpoints for scanning code, understanding code structure, and integrating with the Semgrep AppSec Platform.

Config examples and endpoints

{
  "mcpServers": {
    "semgrep": {
      "type": "stdio",
      "command": "uvx",
      "args": ["semgrep-mcp"],
      "env": {
        "SEMGREP_APP_TOKEN": "<token>"
      }
    }
  }
}
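Option B (running the server in a Docker container over the stdio transport) has no configuration snippet on this page. The following is an added example that mirrors the uvx entry above; it is not taken from the Semgrep documentation. The image name is a placeholder to be replaced with the official image, and the token is forwarded from the client-supplied environment with `-e SEMGREP_APP_TOKEN` (Docker's pass-through form, no value given) rather than being written into the argument list, so the secret does not appear in the process command line.

```json
{
  "mcpServers": {
    "semgrep": {
      "type": "stdio",
      "command": "docker",
      "args": [
        "run", "-i", "--rm",
        "-e", "SEMGREP_APP_TOKEN",
        "<official-semgrep-mcp-image>"
      ],
      "env": {
        "SEMGREP_APP_TOKEN": "<token>"
      }
    }
  }
}
```

`-i` keeps the container's stdin open, which the stdio transport requires; `--rm` discards the container when the MCP session ends. The `env` block is what the MCP client sets on the spawned `docker` process, which is where the pass-through `-e` flag reads the token from.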

Tools and capabilities

{
  "tools": [
    {
      "name": "security_check",
      "description": "Scan code for security vulnerabilities using predefined checks."
    },
    {
      "name": "semgrep_scan",
      "description": "Scan code files for security vulnerabilities with a given Semgrep config string."
    },
    {
      "name": "semgrep_scan_with_custom_rule",
      "description": "Scan code files using a custom Semgrep rule."
    },
    {
      "name": "get_abstract_syntax_tree",
      "description": "Output the Abstract Syntax Tree (AST) of code."
    },
    {
      "name": "semgrep_findings",
      "description": "Fetch Semgrep findings from the Semgrep AppSec Platform API."
    },
    {
      "name": "supported_languages",
      "description": "Return the list of languages Semgrep supports."
    },
    {
      "name": "semgrep_rule_schema",
      "description": "Fetches the latest Semgrep rule JSON Schema."
    }
  ]
}

Available tools

security_check

Scan code for security vulnerabilities using predefined checks.

semgrep_scan

Scan code files for security vulnerabilities with a given Semgrep config string.

semgrep_scan_with_custom_rule

Scan code files using a custom Semgrep rule.

get_abstract_syntax_tree

Output the Abstract Syntax Tree (AST) of code.

semgrep_findings

Fetch Semgrep findings from the Semgrep AppSec Platform API.

supported_languages

Return the list of languages Semgrep supports.

semgrep_rule_schema

Fetch the latest Semgrep rule JSON Schema.