Semgrep MCP server

Integrates Semgrep for static code analysis, enabling AI-driven security scanning, vulnerability detection, and code quality improvement across multiple programming languages.
Provider: Asan Stefanski
Release date: Mar 04, 2025
Language: TypeScript
Stats: 16 stars

This MCP Server Semgrep tool integrates Semgrep static analysis capabilities with AI assistants like Claude, enabling code analysis, security vulnerability detection, and quality improvements through a conversational interface. It scans entire projects to identify potential issues, security vulnerabilities, and style inconsistencies.

Installation Options

Via Smithery.ai (Recommended)

  1. Visit MCP Server Semgrep on Smithery.ai
  2. Follow the installation instructions to add it to your MCP-compatible clients
  3. Configure any optional settings like the Semgrep API token

Via NPM Registry

# Using npm
npm install -g mcp-server-semgrep

# Using pnpm
pnpm add -g mcp-server-semgrep

# Using yarn
yarn global add mcp-server-semgrep

Via GitHub

# Using npm
npm install -g git+https://github.com/Szowesgad/mcp-server-semgrep.git

# Using pnpm
pnpm add -g git+https://github.com/Szowesgad/mcp-server-semgrep.git

# Using yarn
yarn global add git+https://github.com/Szowesgad/mcp-server-semgrep.git

Local Development Setup

  1. Clone the repository:

git clone https://github.com/Szowesgad/mcp-server-semgrep.git
cd mcp-server-semgrep

  2. Install dependencies:

# Using pnpm (recommended)
pnpm install

# Using npm
npm install

# Using yarn
yarn install

  3. Build the project:

# Using pnpm
pnpm run build

# Using npm
npm run build

# Using yarn
yarn build

Installing Semgrep

The installation process automatically checks for Semgrep. If it is not found, install it with one of the following:

# Using pnpm
pnpm add -g semgrep

# Using npm
npm install -g semgrep

# Using yarn
yarn global add semgrep

# Using pip
pip install semgrep

# On macOS
brew install semgrep

# On Linux
curl -sSL https://install.semgrep.dev | sh

Integration with Claude Desktop

Method 1: Via Smithery.ai (Recommended)

  1. Visit MCP Server Semgrep on Smithery.ai
  2. Click "Install in Claude Desktop"
  3. Follow the on-screen instructions

Method 2: Manual Configuration

  1. Install Claude Desktop
  2. Update the Claude Desktop configuration file (claude_desktop_config.json):
{
  "mcpServers": {
    "semgrep": {
      "command": "node",
      "args": [
        "/your_path/mcp-server-semgrep/build/index.js"
      ],
      "env": {
        "SEMGREP_APP_TOKEN": "your_semgrep_app_token"
      }
    }
  }
}

Key Features and Functions

  • scan_directory: Scans source code for potential issues
  • list_rules: Displays available rules and supported languages
  • analyze_results: Provides detailed analysis of scan results
  • create_rule: Creates custom Semgrep rules
  • filter_results: Filters results by various criteria
  • export_results: Exports results in various formats
  • compare_results: Compares two sets of results

Usage Examples

Scanning for Security Issues

Could you scan my source code in the /projects/my-application directory for potential security issues?

Analyzing Style Consistency

Analyze the z-index values in the project's CSS files and identify inconsistencies and potential layer conflicts.

Creating Custom Rules

Create a Semgrep rule that detects improper use of input sanitization functions.

Custom Rule Examples

Rule to detect inconsistent z-indices:

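rules:
  - id: inconsistent-z-index
    # Quoted: an unquoted "z-index: $Z" is not a valid YAML scalar.
    pattern: "z-index: $Z"
    message: "Z-index $Z may not comply with the project's layering system"
    # Semgrep has no CSS/SCSS parser, so match these files in generic mode.
    languages: [generic]
    paths:
      include: ["*.css", "*.scss"]
    severity: WARNING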

Rule to detect deprecated imports:

rules:
  - id: deprecated-import
    pattern: import $X from 'old-library'
    message: "You're using a deprecated library. Consider using 'new-library'"
    languages: [javascript, typescript]
    severity: WARNING

Filtering Results

Show me only scan results related to SQL injection vulnerabilities.

Identifying Code Patterns

Find all "magic numbers" in the code and suggest replacing them with named constants.

How to install this MCP server

For Claude Code

To add this MCP server to Claude Code, run this command in your terminal:

claude mcp add-json "semgrep" '{"command":"node","args":["/your_path/mcp-server-semgrep/build/index.js"],"env":{"SEMGREP_APP_TOKEN":"your_semgrep_app_token"}}'

See the official Claude Code MCP documentation for more details.

For Cursor

There are two ways to add an MCP server to Cursor. The most common way is to add the server globally in the ~/.cursor/mcp.json file so that it is available in all of your projects.

If you only need the server in a single project, you can add it to the project instead by creating or adding it to the .cursor/mcp.json file.

Adding an MCP server to Cursor globally

To add a global MCP server, go to Cursor Settings > Tools & Integrations and click "New MCP Server".

Clicking that button opens the ~/.cursor/mcp.json file, where you can add your server like this:

{
    "mcpServers": {
        "semgrep": {
            "command": "node",
            "args": [
                "/your_path/mcp-server-semgrep/build/index.js"
            ],
            "env": {
                "SEMGREP_APP_TOKEN": "your_semgrep_app_token"
            }
        }
    }
}

Adding an MCP server to a project

To add an MCP server to a project you can create a new .cursor/mcp.json file or add it to the existing one. This will look exactly the same as the global MCP server example above.

How to use the MCP server

Once the server is installed, you might need to head back to Settings > MCP and click the refresh button.

The Cursor agent will then be able to see the tools the added MCP server provides and will call them when it needs to.

You can also explicitly ask the agent to use the tool by mentioning the tool name and describing what the function does.

For Claude Desktop

To add this MCP server to Claude Desktop:

1. Find your configuration file:

  • macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
  • Windows: %APPDATA%\Claude\claude_desktop_config.json
  • Linux: ~/.config/Claude/claude_desktop_config.json

2. Add this to your configuration file:

{
    "mcpServers": {
        "semgrep": {
            "command": "node",
            "args": [
                "/your_path/mcp-server-semgrep/build/index.js"
            ],
            "env": {
                "SEMGREP_APP_TOKEN": "your_semgrep_app_token"
            }
        }
    }
}

3. Restart Claude Desktop for the changes to take effect
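
The Claude Desktop, Cursor and Claude Code configurations above share one JSON format, and each stores SEMGREP_APP_TOKEN in plaintext next to the server's entry-point path. The following Node.js check is an added example, not part of the original page or the project's code; it flags placeholders left in place and a token kept in a config file that other local users can read. The function names and the secret-key pattern are assumptions made for this example.

```javascript
// Added example, not from the mcp-server-semgrep project.
// Env keys that look like credentials, e.g. SEMGREP_APP_TOKEN (assumed pattern).
const SECRET_KEY = /(TOKEN|SECRET|PASSWORD|API_?KEY)/i;
const ABSOLUTE = /^(\/|[A-Za-z]:[\\/])/; // POSIX or Windows absolute path

// Audit a parsed MCP client config. `mode` is the config file's st_mode
// (fs.statSync(file).mode), or null to skip the permission check.
function auditMcpConfig(config, mode = null) {
  const findings = [];
  for (const [name, srv] of Object.entries(config.mcpServers || {})) {
    for (const [key, value] of Object.entries(srv.env || {})) {
      if (!SECRET_KEY.test(key)) continue;
      if (!value || /^your_/i.test(value)) {
        findings.push(`${name}: ${key} is still a placeholder`);
      } else if (mode !== null && (mode & 0o077) !== 0) {
        findings.push(`${name}: ${key} is in a file readable by group/other`);
      }
    }
    for (const arg of srv.args || []) {
      // The entry point should be an absolute path with the placeholder replaced.
      if (/\.js$/.test(arg) && (!ABSOLUTE.test(arg) || arg.includes("your_path"))) {
        findings.push(`${name}: entry point ${arg} is relative or a placeholder`);
      }
    }
  }
  return findings;
}

// Read a config file from disk and audit it (POSIX mode bits are skipped on Windows).
async function auditMcpConfigFile(file) {
  const fs = await import("node:fs");
  const config = JSON.parse(fs.readFileSync(file, "utf8"));
  const mode = process.platform === "win32" ? null : fs.statSync(file).mode;
  return auditMcpConfig(config, mode);
}

// Constructed sample: the page's config with its placeholders left in.
const SAMPLE = {
  mcpServers: {
    semgrep: {
      command: "node",
      args: ["/your_path/mcp-server-semgrep/build/index.js"],
      env: { SEMGREP_APP_TOKEN: "your_semgrep_app_token" },
    },
  },
};
console.log(auditMcpConfig(SAMPLE, 0o100644));
```

On macOS and Linux, `chmod 600` on the config file clears the group/other finding once a real token is in place.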
