{ "name": "io.github.semgrep/mcp", "description": "The official Semgrep MCP wraps the Semgrep open-source static analyser so an AI agent can scan a project against the community ruleset or a team-authored ruleset. Designed for the \"review this diff\" workflow — point it at a folder or a specific file and get back ranked findings with file:line references and remediation suggestions.", "status": "active", "version": "latest", "_meta": { "com.top-mcps/lastVerified": "2026-05-27", "com.top-mcps/score": { "value": 69, "rubricVersion": "2026-04", "lastComputed": "2026-06-02T13:16:41.648Z", "methodology": "https://top-mcps.com/about/methodology" }, "com.top-mcps/stats": { "fetchedAt": "2026-06-02T11:55:52.321Z", "githubStars": 668, "lastCommitAt": "2025-10-28T22:32:31Z" } }, "repository": { "url": "https://github.com/semgrep/mcp", "source": "github" }, "author": { "name": "Semgrep" }, "packages": [ { "registryType": "pypi", "registryBaseUrl": "https://pypi.org", "identifier": "semgrep-mcp", "version": "latest", "transport": { "type": "stdio" } } ], "capabilities": { "security": { "scope": "read-only", "sandbox": "Runs Semgrep locally on the user's machine. No network egress in default mode. Custom rules are evaluated locally; ensure you trust the rule source before pointing the MCP at a third-party registry URL.", "gotchas": [ "A malicious custom rule can match aggressively and slow down the scan. Audit third-party rulesets before adoption.", "Semgrep does not modify code by default; the agent can use the findings to draft fixes, but the changes pass through your normal review.", "Some rules require a project-specific config — without it, the false-positive rate is higher." ] } }, "_links": { "html": "https://top-mcps.com/mcp/semgrep", "markdown": "https://top-mcps.com/mcp/semgrep.md", "methodology": "https://top-mcps.com/about/methodology" } }