Semgrep MCP server
Semgrep's official MCP server: scan code for security vulnerabilities, run custom rules, and pull AppSec Platform findings from your editor.
The Semgrep MCP server is Semgrep's official integration for using its static analysis engine through an AI agent. Semgrep performs fast, semantic, rule-based scanning across 30+ languages, and this server exposes that power as MCP tools so an agent can scan code for security vulnerabilities, write and run custom rules, inspect a file's abstract syntax tree, run a supply-chain (dependency) scan, and fetch findings that earlier scans uploaded to the Semgrep AppSec Platform. This turns Semgrep into a security reviewer that an agent can invoke inline — checking newly generated or edited code before it lands, then explaining and helping fix what it finds.
The MCP server now ships inside the official Semgrep binary and is invoked with the `semgrep mcp` subcommand (supporting stdio and streamable-HTTP transports). The simplest reproducible install is the official Docker image: `docker run -i --rm semgrep/semgrep semgrep mcp -t stdio`. Local scanning works without any account or token. To connect to the Semgrep AppSec Platform and use the findings and identity tools, generate an API token and pass it as the SEMGREP_APP_TOKEN environment variable. (The earlier standalone `uvx semgrep-mcp` package and the hosted mcp.semgrep.ai endpoint have been deprecated in favor of the binary-integrated server.)
Quick install
Copy-paste configs are provided for all 8 supported clients. Pick your client below.
Add to ~/.claude.json:

```json
{
  "mcpServers": {
    "semgrep": {
      "command": "docker",
      "args": [
        "run",
        "-i",
        "--rm",
        "semgrep/semgrep",
        "semgrep",
        "mcp",
        "-t",
        "stdio"
      ],
      "env": {
        "SEMGREP_APP_TOKEN": "<SEMGREP_APP_TOKEN>"
      }
    }
  }
}
```

Or register it from the command line:

```
claude mcp add semgrep -- docker run -i --rm semgrep/semgrep semgrep mcp -t stdio
```

Available tools
| Tool | Description |
|---|---|
| semgrep_scan | Runs a Semgrep scan locally on the provided code files (absolute paths) and returns the findings in JSON format. |
| semgrep_scan_remote | Runs a Semgrep scan on provided code content (rather than local file paths) and returns the findings in JSON format. |
| semgrep_scan_with_custom_rule | Runs a Semgrep scan with a custom rule against provided code content, for vulnerabilities not covered by the default rulesets. |
| semgrep_scan_supply_chain | Runs a Semgrep supply-chain scan on a workspace directory to identify third-party (dependency) security vulnerabilities. |
| semgrep_rule_schema | Returns the schema for a Semgrep rule, showing the fields available when writing or verifying a rule. |
| semgrep_findings | Fetches existing security, code-quality, and supply-chain findings from the Semgrep AppSec Platform Findings API (requires authentication). |
| get_supported_languages | Returns the list of programming languages supported by Semgrep. |
| get_abstract_syntax_tree | Returns the abstract syntax tree (AST) for a provided code file in JSON format, to understand its structure. |
| semgrep_whoami | Returns the identity of the currently authenticated user (works with JWTs, not API tokens). |
Required configuration
- SEMGREP_APP_TOKEN (optional): Semgrep AppSec Platform API token, used by the findings and identity tools. Local scans do not require it.
What you can do with it
Security-review code as the agent writes it
After generating or editing code, the agent runs semgrep_scan on the changed files, reads the findings, and fixes the flagged vulnerabilities before the code is committed — catching issues at inception rather than in CI.
Author and test custom rules
The agent fetches the rule schema, drafts a custom Semgrep rule for a project-specific pattern, and runs semgrep_scan_with_custom_rule to validate that it matches the intended code, iterating on the rule from natural language.
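A custom rule of the kind the agent would draft in this workflow, added here as an example rather than taken from the page or from Semgrep's own rulesets. It flags calls to a project-specific database helper whose query text is assembled by string formatting; the helper name `run_query` and the sample calls in the comments are constructed for illustration.

```yaml
# Constructed example rule: flag run_query() calls whose SQL text is built
# dynamically instead of being passed with bound parameters.
#
# Sample input the rule is meant to catch (constructed, not from the page):
#   run_query(f"SELECT * FROM users WHERE name = '{name}'")     # finding
#   run_query("SELECT * FROM users WHERE id = %d" % user_id)    # finding
#   run_query("SELECT * FROM users WHERE name = %s", (name,))   # no finding
rules:
  - id: project-run-query-formatted-string
    languages: [python]
    severity: ERROR
    message: >-
      run_query() is called with a query string built by formatting or
      concatenation. Pass a constant query and bind values as parameters
      so the driver escapes them.
    metadata:
      category: security
      subcategory: [vuln]
      cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command"
    patterns:
      # Any of the common ways of interpolating data into the query text.
      - pattern-either:
          - pattern: run_query(f"...")
          - pattern: run_query("..." % ...)
          - pattern: run_query("...".format(...))
          - pattern: run_query("..." + $X)
          - pattern: run_query($X + "...")
```

Saved as a file and passed to `semgrep_scan_with_custom_rule` together with the snippet above, the rule should report the first two calls and stay silent on the parameterized one; a rule that also fires on the third call is too broad and needs narrowing before it is adopted.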
FAQ
- Is it free?
- Yes. Semgrep's open-source CLI and the MCP server are free, and local scanning with the community rulesets requires no account. Optional features that read from the Semgrep AppSec Platform use a token tied to your Semgrep plan, which has a free tier.
- Does it support remote/OAuth?
- It runs locally over stdio (via the semgrep binary or the official Docker image) and also supports a streamable-HTTP transport on port 8000 for remote use. It has no OAuth flow; AppSec Platform access uses a SEMGREP_APP_TOKEN. The previously hosted mcp.semgrep.ai endpoint and the standalone uvx package have been deprecated.