MCP server for using Semgrep to scan code for security vulnerabilities.
8 Tools
Version 4.43 or later needs to be installed to add the server automatically
Tools
| Name | Description |
|---|---|
| semgrep_rule_schema | Get the schema for a Semgrep rule. Use this tool when you need to: get the schema required to write a Semgrep rule; see or verify which fields are available for a Semgrep rule; verify that the syntax of a Semgrep rule is correct. |
| get_supported_languages | Returns the list of languages supported by Semgrep. Only use this tool if you are not sure which languages Semgrep supports. |
| semgrep_findings | Fetches findings from the Semgrep AppSec Platform Findings API. This tool retrieves security, code quality, and supply chain findings that have already been identified by previous Semgrep scans and uploaded to the Semgrep AppSec Platform. It does NOT perform a new scan or analyze code directly; instead, it queries the Semgrep API for historical scan results for a given repository or set of repositories. DEFAULT BEHAVIOR: by default, this tool should filter by the current repository. The model should determine the current repository name and pass it in the `repos` parameter so that findings are scoped to the relevant codebase. Users may explicitly request findings from other repositories, in which case the model should respect that request. Use this tool when a prompt asks for a summary, list, or analysis of existing findings, such as: "Please list the top 10 security findings and propose solutions for them."; "Show all open critical vulnerabilities in this repository."; "Summarize the most recent Semgrep scan results."; "Get findings from repository X" (explicitly requesting a different repository). This tool is ideal for reviewing, listing, or summarizing findings from past scans, and for providing actionable insights or remediation advice based on existing scan data. Do NOT use this tool to perform a new scan or to check code that has not yet been analyzed by Semgrep; for new scans, use the appropriate scanning tool. |
| semgrep_scan_with_custom_rule | Runs a Semgrep scan with a custom rule on the provided code content and returns the findings in JSON format. Use this tool when you need to scan code files for a specific security vulnerability or other specific issue that is not covered by the default Semgrep rules. |
| semgrep_scan | Runs a Semgrep scan on the provided code content and returns the findings in JSON format. Use this tool when you need to scan code files for security vulnerabilities or for other issues. |
| semgrep_scan_local | Runs a Semgrep scan locally on the provided code files and returns the findings in JSON format. Files are expected to be present locally; paths must be absolute paths to the code files. Use this tool when you need to scan code files for security vulnerabilities or for other issues. |
| security_check | Runs a fast security check on code and returns any issues found. Use this tool when you need to: scan code for security vulnerabilities; verify that code is secure; double-check that code is secure before committing; get a second opinion on code security. If any issues are found, you **MUST** fix them or offer to fix them, and explain to the user why it is important to fix them. If no issues are found, you can be reasonably confident that the code is secure. |
| get_abstract_syntax_tree | Returns the Abstract Syntax Tree (AST) for the provided code file in JSON format. Use this tool when you need to: get the AST of a file; understand the structure of the code in a more granular way; see what a parser sees in the code. |
Manual installation
You can install the MCP server using: