Add the Semgrep MCP server to Windsurf

Config last verified Jun 1, 2026

The exact config to run Semgrep in Windsurf — paste it in, restart, and the tools load.

Prerequisites

Windsurf installed.

Setup

1. Open `~/.codeium/windsurf/mcp_config.json`

On Windows the file lives at %USERPROFILE%\.codeium\windsurf\mcp_config.json.

2. Add this configuration

Add to ~/.codeium/windsurf/mcp_config.json

~/.codeium/windsurf/mcp_config.json

json

{
  "mcpServers": {
    "semgrep": {
      "command": "docker",
      "args": [
        "run",
        "-i",
        "--rm",
        "semgrep/semgrep",
        "semgrep",
        "mcp",
        "-t",
        "stdio"
      ],
      "env": {
        "SEMGREP_APP_TOKEN": "<SEMGREP_APP_TOKEN>"
      }
    }
  }
}

3. Restart Windsurf and confirm the Semgrep tools load.

Gotchas

Windsurf's Cascade reads MCP servers from an "mcpServers" object in ~/.codeium/windsurf/mcp_config.json. Unlike most clients, remote servers are configured with the "serverUrl" field rather than "url", so a config that uses "url" silently fails to connect. Native remote transport is supported without an OAuth flow.

← Back to the Semgrep MCP server