Semgrep: Detect Security Flaws & Enforce Best Practices - MCP Implementation

Semgrep: Detect Security Flaws & Enforce Best Practices

Semgrep crushes code risks: Scan all languages fast with a powerful rule engine, detect security flaws early, and enforce best practices automatically—no false alarms. Ship safer faster.


About Semgrep

What is Semgrep: Detect Security Flaws & Enforce Best Practices?

Semgrep is a static analysis tool engineered to identify security vulnerabilities and coding missteps in real time. The MCP Server acts as its AI-powered intermediary, enabling seamless integration with coding tools like Cursor via the Model Context Protocol (MCP). Think of it as a code guardian that speaks the language of modern development workflows—combining the rigor of traditional scanners with the adaptability of LLM-driven collaboration.

How to Use Semgrep: Detect Security Flaws & Enforce Best Practices?

  1. Bootstrap the Environment: Install uv and Python 3.13+, then clone this repo.
  2. Deploy Semgrep: Use pip install semgrep or Docker (docker build -t mcp-server .).
  3. Connect via MCP: Run the server (uv run mcp run server.py) and configure tools like Cursor with the provided endpoint.

For Cursor users: Add the server URL (http://localhost:8000/sse) in settings, then enjoy on-demand scans without context-switching.

Semgrep Features

Key Features of Semgrep: Detect Security Flaws & Enforce Best Practices

  • Granular Scanning: Analyze individual code snippets (e.g., a Python function) or entire directories with presets like config="p/security-audit".
  • Rule Customization: Craft tailored policies for niche security concerns—like detecting API key leaks in YAML configs—then share them with colleagues.
  • Result Mastery: Filter findings by severity (e.g., severity: ERROR), export to SARIF for CI/CD pipelines, or compare audit results across code versions.

Use Cases of Semgrep: Detect Security Flaws & Enforce Best Practices

Imagine a developer fixing a Django query injection flaw mid-edit, or a team leader auditing 10k+ files pre-deployment. Semgrep’s strengths shine in scenarios like:

  • Real-time code reviews in IDEs (Cursor integration reduces context switches)
  • Automated CI/CD gates that fail builds with critical vulnerabilities
  • Regulatory compliance audits via custom rulesets for HIPAA or GDPR

Semgrep FAQ

FAQ from Semgrep: Detect Security Flaws & Enforce Best Practices

  • Why use MCP over traditional CLI? It enables bidirectional communication with AI agents, letting tools like Cursor suggest fixes while you code.
  • Can I scan private repos? Absolutely—results stay local unless explicitly shared.
  • Does Docker support GPU acceleration? Not yet, but community contributions are welcome (check GitHub issues marked good-first-issue).


[beta] Semgrep MCP Server

MCP Server for using Semgrep to scan code

MCP is like LSP or Unix pipes, but for LLMs, AI agents, and coding tools such as Cursor.

Features

This MCP Server provides a comprehensive interface to Semgrep through the Model Context Protocol, offering the following tools:

Scanning Code

  • semgrep_scan: Scan code snippets for security vulnerabilities
  • scan_directory: Perform Semgrep scan on a directory

Customization

  • list_rules: List available Semgrep rules with optional language filtering
  • create_rule: Create custom Semgrep rules

Results

  • analyze_results: Analyze scan results including severity counts and top affected files
  • filter_results: Filter scan results by severity, rule ID, file path, etc.
  • export_results: Export scan results in various formats (JSON, SARIF, text)
  • compare_results: Compare two scan results to identify new and fixed issues

Installation

  1. Install uv using their installation instructions

  2. Ensure you have Python 3.13+ installed

  3. Clone this repository

  4. Install Semgrep (additional methods):

    pip install semgrep

Docker

docker build -t mcp-server .

Usage

Docker

docker run -p 8000:8000 mcp-server

CLI

uv run mcp run server.py

Additional info on the Python MCP SDK

Creating your own client

from mcp.client import Client

client = Client()
client.connect("localhost:8000")

# Scan code for security issues
results = client.call_tool("semgrep_scan", {
    "code": "def get_user(user_id):\n    return User.objects.get(id=user_id)",
    "language": "python"
})

Cursor Plugin

  1. Go to Cursor > Settings > Cursor Settings
  2. Choose the MCP tab
  3. Click "Add new MCP server"
  4. Name: Semgrep, Type: sse, Server URL: http://127.0.0.1:8000/sse
  5. Ensure the MCP server is enabled


You can also set it up by adding this to ~/.cursor/mcp.json

{
  "mcpServers": {
    "Semgrep": {
      "url": "http://localhost:8000/sse"
    }
  }
}

Advanced Usage

The server supports advanced Semgrep functionality:

# Scan an entire directory
results = client.call_tool("scan_directory", {
    "path": "/path/to/code",
    "config": "p/security-audit"
})

# Filter results by severity
filtered = client.call_tool("filter_results", {
    "results_file": "/path/to/results.json",
    "severity": "ERROR"
})
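As an added illustration, not the server's own code, this shows the logic behind the Results tools (filter_results, analyze_results, compare_results) applied to findings in the shape of Semgrep's JSON output. The findings are constructed samples, and the field names used (check_id, path, start.line, extra.severity, extra.lines) are assumed from that output format; the server's implementation may differ in detail.

```python
import copy
from collections import Counter

# Constructed sample findings in the shape of Semgrep's JSON output (not real
# scan data): check_id, path, start.line and extra.{severity,lines} per finding.
def finding(check_id, path, line, severity, lines):
    return {"check_id": check_id, "path": path, "start": {"line": line},
            "extra": {"severity": severity, "lines": lines}}

RAW_SQL = "python.django.security.injection.sql.raw-query"
EVAL = "python.lang.security.audit.dangerous-eval"
SCAN_V1 = {"results": [
    finding(RAW_SQL, "app/views.py", 12, "ERROR", 'User.objects.raw("... %s" % q)'),
    finding(EVAL, "app/utils.py", 40, "WARNING", "eval(expr)"),
    finding(RAW_SQL, "app/views.py", 58, "ERROR", 'User.objects.raw("... %s" % name)'),
], "errors": []}

def filter_results(results, severity=None, rule_id=None, path_prefix=""):
    """Keep findings satisfying every criterion given (mirrors filter_results)."""
    return [r for r in results["results"]
            if (severity is None or r["extra"]["severity"] == severity)
            and (rule_id is None or r["check_id"] == rule_id)
            and r["path"].startswith(path_prefix)]

def analyze_results(results):
    """Severity counts plus the most affected files (mirrors analyze_results)."""
    findings = results["results"]
    return {"total": len(findings),
            "by_severity": dict(Counter(r["extra"]["severity"] for r in findings)),
            "top_files": Counter(r["path"] for r in findings).most_common(3)}

def finding_key(r):
    # Key on rule, file and matched source text, not line number, so a finding
    # that only shifted lines between scans is not reported as both new and fixed.
    return (r["check_id"], r["path"], r["extra"]["lines"].strip())

def compare_results(old, new):
    """New and fixed findings between two scans (mirrors compare_results)."""
    old_keys = {finding_key(r) for r in old["results"]}
    new_keys = {finding_key(r) for r in new["results"]}
    return {"new": sorted(new_keys - old_keys), "fixed": sorted(old_keys - new_keys)}

# Second constructed scan: the line-12 raw query was fixed, the other raw query
# moved down three lines, and a new eval() appeared in app/views.py.
SCAN_V2 = copy.deepcopy(SCAN_V1)
SCAN_V2["results"].pop(0)
SCAN_V2["results"][1]["start"]["line"] = 61
SCAN_V2["results"].append(
    finding(EVAL, "app/views.py", 9, "WARNING", "eval(request.GET['f'])"))
```

Feeding real output is a matter of loading the scan's JSON file with json.load in place of SCAN_V1; the line-shift case above is why a CI gate should diff on rule, file and matched text rather than line numbers.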

Development

Running the Development Server

Start the MCP server in development mode:

uv run mcp dev server.py

By default, the server runs on http://localhost:3000 with the inspector server on http://localhost:5173.

Note: When opening the inspector server, add a query parameter to the URL to raise the server's default timeout of 10s:

http://localhost:5173/?timeout=300000

Community & Related Projects

This project builds upon and is inspired by several awesome community projects:

Core Technologies 🛠️

Similar Tools 🔍

Community Projects 🌟