# Semgrep

> Open-source SAST scanning against custom rules from an AI agent.

[Canonical HTML page](https://top-mcps.com/mcp/semgrep) · [server.json](https://top-mcps.com/mcp/semgrep.json) · [methodology](https://top-mcps.com/about/methodology)

## Install

### Claude Desktop — `claude_desktop_config.json`

Paste under mcpServers. Fully quit and reopen Claude after editing.

```json
{
  "mcpServers": {
    "semgrep": {
      "command": "uvx",
      "args": [
        "semgrep-mcp"
      ]
    }
  }
}
```

### Claude Code — `CLI or .mcp.json`

Run from your repo. Commit .mcp.json to share with your team.

```shell
claude mcp add semgrep -- uvx semgrep-mcp
```

### Cursor — `.cursor/mcp.json`

Global path: ~/.cursor/mcp.json. Reload window after editing.

```json
{
  "mcpServers": {
    "semgrep": {
      "command": "uvx",
      "args": [
        "semgrep-mcp"
      ]
    }
  }
}
```

### VS Code — `.vscode/mcp.json`

VS Code uses the "servers" key (not "mcpServers").

```jsonc
{
  "servers": {
    "semgrep": {
      "command": "uvx",
      "args": [
        "semgrep-mcp"
      ]
    }
  }
}
```

### Windsurf — `~/.codeium/windsurf/mcp_config.json`

Open via Cascade → hammer icon → Configure.

```json
{
  "mcpServers": {
    "semgrep": {
      "command": "uvx",
      "args": [
        "semgrep-mcp"
      ]
    }
  }
}
```

### Cline — `cline_mcp_settings.json`

Open via the Cline sidebar → MCP Servers → Edit.

```json
{
  "mcpServers": {
    "semgrep": {
      "command": "uvx",
      "args": [
        "semgrep-mcp"
      ]
    }
  }
}
```

### Continue — `~/.continue/config.json`

Continue uses modelContextProtocolServers with a transport block.

```json
{
  "experimental": {
    "modelContextProtocolServers": [
      {
        "transport": {
          "type": "stdio",
          "command": "uvx",
          "args": [
            "semgrep-mcp"
          ]
        }
      }
    ]
  }
}
```

### Codex CLI — `~/.codex/config.toml`

Codex uses TOML. Each server is a `[mcp_servers.<name>]` subtable.

```toml
# ~/.codex/config.toml
[mcp_servers.semgrep]
command = "uvx"
args = [
  "semgrep-mcp",
]
```

### Zed — `~/.config/zed/settings.json`

Zed calls them "context_servers". Settings live-reload on save.

```jsonc
{
  "context_servers": {
    "semgrep": {
      "command": {
        "path": "uvx",
        "args": [
          "semgrep-mcp"
        ]
      }
    }
  }
}
```

### ChatGPT — `ChatGPT → Apps directory`

Semgrep doesn't ship a hosted HTTPS endpoint today. ChatGPT supports remote MCP servers only — to use this server in ChatGPT you'll need to deploy it to a public HTTPS URL first (e.g. via Cloudflare Workers or Vercel) or wait for an official remote build.

## At a glance

- **Maintainer:** Semgrep
- **Transport:** stdio
- **Auth model:** None
- **Required secrets:** None
- **Supported clients:** Claude, Cursor, VS Code, Windsurf, Any MCP-compatible client, Semgrep 1.30+
- **License:** LGPL-2.1
- **Language:** Python
- **Latest version:** latest
- **Last verified:** 2026-05-27
- **GitHub stars:** 668 (fetched 2026-06-02T11:55:52.321Z)
- **Score:** 69/100 (rubric 2026-04 — see https://top-mcps.com/about/methodology)
- **Source:** https://github.com/semgrep/mcp

## Security & scope

- **Access scope:** read-only
- **Sandbox:** Runs Semgrep locally on the user's machine. No network egress in default mode. Custom rules are evaluated locally; ensure you trust the rule source before pointing the MCP at a third-party registry URL.
- **Gotchas:**
  - A malicious custom rule can match aggressively and slow down the scan. Audit third-party rulesets before adoption.
  - Semgrep does not modify code by default; the agent can use the findings to draft fixes, but the changes pass through your normal review.
  - Some rules require a project-specific config — without it, the false-positive rate is higher.

## Quick answer

**What it does.** Runs Semgrep against the current project (or a specific subtree) using either the community registry or a custom ruleset, and returns findings with severity, location, and fix suggestions.

**Best for:**
- Pre-commit SAST
- Custom rule enforcement
- Reviewing third-party PRs
- Auditing security patterns
- Teaching security through findings

**Not for:**
- Dependency-vulnerability scanning
- Runtime security monitoring
- Compliance reporting (use Semgrep AppSec Platform)

## Description

The official Semgrep MCP wraps the Semgrep open-source static analyser so an AI agent can scan a project against the community ruleset or a team-authored ruleset. It is designed for the "review this diff" workflow: point it at a folder or a specific file and get back ranked findings with file:line references and remediation suggestions.

## Why it matters

Semgrep is the standard open-source SAST tool. An MCP-mediated scan during development catches issues that would otherwise wait for CI — and the rule format means teams can encode their own anti-patterns.

## Key features

- Open-source rule registry
- Custom YAML rules
- Per-language rule selection
- Diff-mode (scan only changed lines)
- JSON output for agent ingestion

## FAQ

### Do I need a Semgrep account?

No. The open-source registry runs entirely locally. You only need an account for the AppSec Platform (org-wide policies, findings dashboard).

### Can I use my team's custom ruleset?

Yes — point the MCP at a local rules directory or a public rule registry URL. The rule format is the same Semgrep YAML.

### Diff-only mode?

Yes. Pass `--baseline-ref=main` to scan only lines changed against `main`. Perfect for the "scan this PR" workflow without re-scanning the whole repo.

### How fast is it?

Fast enough for an interactive loop on most repos. Big monorepos benefit from `--include` and per-language rule selection to cut scan time.

## Changelog

- **2026-05-27** — Refreshed install snippets and fact sheet; verified for 2026.
- **2025-04-30** — Initial directory listing.
