Semgrep MCP Server (Beta): Real-Time Security & Policy Enforcement

Semgrep MCP Server (Beta): Embed code security into LLMs with real-time vulnerability detection, policy enforcement, and scalable pattern analysis.


About Semgrep MCP Server (Beta)

What is Semgrep MCP Server (Beta): Real-Time Security & Policy Enforcement?

Semgrep MCP Server (Beta) is an advanced tool built on the Model Context Protocol (MCP), enabling real-time security analysis and policy enforcement for code repositories. It leverages the Semgrep static analysis engine to integrate seamlessly with AI-driven development workflows, providing actionable insights during coding, CI/CD pipelines, and post-deployment audits. The server acts as a communication bridge for AI agents, ensuring compliance with security best practices and organizational policies across multiple development environments.

How to use Semgrep MCP Server (Beta): Real-Time Security & Policy Enforcement?

Installation

Install via Docker:

docker run -p 3000:3000 semgrep/mcp-server:latest

Or use uv-run for local development:

uv run mcp dev server.py

Integration

Connect to IDEs like VS Code or IntelliJ for real-time alerts. Use the official API to trigger scans programmatically:

curl -X POST http://localhost:3000/analyze -H "Content-Type: application/json" --data '{"path":"/code/repo"}'

Development Mode

Run with extended timeouts for complex workflows:

http://localhost:5173/?timeout=300000

Semgrep MCP Server (Beta) Features

Key Features of Semgrep MCP Server (Beta): Real-Time Security & Policy Enforcement

  • Instant Code Analysis: Detect vulnerabilities and policy violations as code is written
  • Configurable Policies: Customize rulesets using the official rule repository
  • Result Orchestration: Filter, sort, and export findings via the filter_results API endpoint
  • Language Support: Analyze 20+ languages including Python, JavaScript, and Java
  • CI/CD Integration: Gate deployments with automated policy checks

Use Cases for Semgrep MCP Server (Beta)

  • Enforce SOC2 compliance in SaaS platforms
  • Prevent data leaks during microservices development
  • Automate OWASP Top 10 vulnerability detection
  • Create custom compliance checks for industry-specific regulations
  • Monitor open-source dependencies for CVEs

Semgrep MCP Server (Beta) FAQ

Frequently Asked Questions

Q: Does this require Semgrep Pro?

No. The MCP Server works with free Semgrep Community Edition but gains advanced features with Pro plans.

Q: Can it scale for enterprise use?

Yes. Horizontal scaling is supported through Kubernetes deployments and distributed analysis workers.

Q: How are false positives handled?

Use the semgrep ignore CLI or integrate with issue trackers like Jira to mark safe findings.

[beta] Semgrep MCP Server

MCP Server for using Semgrep to scan code

MCP is like LSP or Unix pipes, but for LLMs, AI agents, and coding tools such as Cursor.

Features

This MCP Server provides a comprehensive interface to Semgrep through the Model Context Protocol, offering the following tools:

Scanning Code

  • semgrep_scan: Scan code snippets for security vulnerabilities
  • scan_directory: Perform Semgrep scan on a directory

Customization

  • list_rules: List available Semgrep rules with optional language filtering
  • create_rule: Create custom Semgrep rules

Results

  • analyze_results: Analyze scan results including severity counts and top affected files
  • filter_results: Filter scan results by severity, rule ID, file path, etc.
  • export_results: Export scan results in various formats (JSON, SARIF, text)
  • compare_results: Compare two scan results to identify new and fixed issues

Installation

  1. Install uv using their installation instructions

  2. Ensure you have Python 3.13+ installed

  3. Clone this repository

  4. Install Semgrep (additional methods):

    pip install semgrep

Docker

docker build -t mcp-server .

Usage

Docker

docker run -p 8000:8000 mcp-server

CLI

uv run mcp run server.py

Additional info on the Python MCP SDK

Creating your own client

import asyncio

# Uses the official Python MCP SDK (the `mcp` package): the session is opened
# over the server's SSE endpoint, on the port published by `docker run -p 8000:8000`.
from mcp import ClientSession
from mcp.client.sse import sse_client


async def main():
    async with sse_client("http://localhost:8000/sse") as (read, write):
        async with ClientSession(read, write) as session:
            await session.initialize()
            # Scan a code snippet for security issues
            results = await session.call_tool("semgrep_scan", {
                "code": "def get_user(user_id):\n    return User.objects.get(id=user_id)",
                "language": "python",
            })
            print(results.content)

asyncio.run(main())

Cursor Plugin

  1. Go to Cursor > Settings > Cursor Settings
  2. Choose the MCP tab
  3. Click "Add new MCP server"
  4. Name: Semgrep, Type: sse, Server URL: http://127.0.0.1:8000/sse
  5. Ensure the MCP server is enabled


You can also set it up by adding this to ~/.cursor/mcp.json:

{
  "mcpServers": {
    "Semgrep": {
      "url": "http://localhost:8000/sse"
    }
  }
}

Advanced Usage

The server supports advanced Semgrep functionality:

# Both calls assume an open MCP ClientSession named `session`
# (see "Creating your own client" above); tool calls are awaited.

# Scan an entire directory with a registry ruleset
results = await session.call_tool("scan_directory", {
    "path": "/path/to/code",
    "config": "p/security-audit"
})

# Filter a saved result file down to ERROR-severity findings
filtered = await session.call_tool("filter_results", {
    "results_file": "/path/to/results.json",
    "severity": "ERROR"
})
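As an added example (not code from the project's README), this shows what the compare_results and analyze_results tools compute and how a CI gate would use it: diff two Semgrep JSON results so only new findings at or above a severity block a merge. The two result documents are constructed samples in the field layout of `semgrep --json`, trimmed to the fields used.

```python
import json
from collections import Counter

SEVERITY_RANK = {"INFO": 0, "WARNING": 1, "ERROR": 2}

# Constructed sample results in the shape `semgrep --json` emits (trimmed to
# the fields used here): a baseline scan and a later scan of the same repo.
BASELINE = json.loads("""{"results": [
  {"check_id": "python.lang.security.audit.exec-detected", "path": "app/util.py",
   "start": {"line": 12}, "extra": {"severity": "ERROR", "message": "exec() detected"}},
  {"check_id": "python.django.security.audit.secure-cookies", "path": "app/settings.py",
   "start": {"line": 40}, "extra": {"severity": "WARNING", "message": "cookie not Secure"}}
], "errors": []}""")

CURRENT = json.loads("""{"results": [
  {"check_id": "python.django.security.audit.secure-cookies", "path": "app/settings.py",
   "start": {"line": 40}, "extra": {"severity": "WARNING", "message": "cookie not Secure"}},
  {"check_id": "python.django.security.audit.raw-query", "path": "app/views.py",
   "start": {"line": 88}, "extra": {"severity": "ERROR", "message": "raw SQL from user input"}},
  {"check_id": "python.lang.best-practice.open-never-closed", "path": "app/views.py",
   "start": {"line": 90}, "extra": {"severity": "INFO", "message": "file handle not closed"}}
], "errors": []}""")


def fingerprint(finding):
    """Identity of a finding: rule id, file and first matched line.
    Real Semgrep output also carries extra.fingerprint, a content hash that
    survives line shifts; prefer it when present."""
    return (finding["check_id"], finding["path"], finding["start"]["line"])


def compare_results(baseline, current):
    """Findings that appeared since the baseline, and ones that went away."""
    base = {fingerprint(f): f for f in baseline["results"]}
    cur = {fingerprint(f): f for f in current["results"]}
    new = [cur[k] for k in sorted(cur.keys() - base.keys())]
    fixed = [base[k] for k in sorted(base.keys() - cur.keys())]
    return {"new": new, "fixed": fixed}


def severity_counts(findings):
    """Per-severity counts, like the analyze_results summary."""
    return dict(Counter(f["extra"]["severity"] for f in findings))


def should_block(new_findings, min_severity="ERROR"):
    """CI gate: fail only on *new* findings at or above min_severity, so a
    legacy backlog does not fail every build while regressions still do."""
    threshold = SEVERITY_RANK[min_severity]
    return any(SEVERITY_RANK[f["extra"]["severity"]] >= threshold for f in new_findings)
```

With these samples, compare_results reports one fixed ERROR and two new findings (one ERROR, one INFO), so should_block returns True for the default threshold.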

Development

Running the Development Server

Start the MCP server in development mode:

uv run mcp dev server.py

By default, the server runs on http://localhost:3000 with the inspector server on http://localhost:5173.

Note: When opening the inspector server, add a query parameter to the URL to raise the server's default timeout of 10s:

http://localhost:5173/?timeout=300000

Community & Related Projects

This project builds upon and is inspired by several awesome community projects:
