MCP server for using Semgrep to scan code for security vulnerabilities.
8 Tools
Version 4.43 or later needs to be installed to add the server automatically
Tools
| Name | Description |
|---|---|
| semgrep_findings | Fetches findings from the Semgrep AppSec Platform Findings API. This function retrieves security, code quality, and supply chain findings that have already been identified by previous Semgrep scans and uploaded to the Semgrep AppSec Platform. It does NOT perform a new scan or analyze code directly. Instead, it queries the Semgrep API to access historical scan results for a given repository or set of repositories. DEFAULT BEHAVIOR: By default, this tool should filter by the current repository. The model should determine the current repository name and pass it in the `repos` parameter to ensure findings are scoped to the relevant codebase. However, users may explicitly request findings from other repositories, in which case the model should respect that request. Use this function when a prompt requests a summary, list, or analysis of existing findings, such as: "Please list the top 10 security findings and propose solutions for them."; "Show all open critical vulnerabilities in this repository."; "Summarize the most recent Semgrep scan results."; "Get findings from repository X" (explicitly requesting a different repo). This function is ideal for reviewing, listing, or summarizing findings from past scans, and for providing actionable insights or remediation advice based on existing scan data. Do NOT use this function to perform a new scan or check code that has not yet been analyzed by Semgrep. For new scans, use the appropriate scanning function. |
Manual installation
You can install the MCP server using: