mcp by semgrep

MCP server for Semgrep static analysis

created 4 months ago
345 stars

Project Summary

This project provides a Model Context Protocol (MCP) server that integrates Semgrep's static analysis capabilities with AI agents and IDEs. It enables LLMs and development tools to automatically scan code for security vulnerabilities, understand code structure via ASTs, and leverage Semgrep's extensive rule set.

How It Works

The server acts as a bridge, exposing Semgrep's functionality through the MCP standard. It supports multiple transport protocols: stdio for command-line integration, streamable-http for JSON-RPC over HTTP, and sse (Server-Sent Events) for legacy compatibility. This design allows integration with AI platforms and IDEs such as Cursor and VS Code, and with any other client that adheres to the MCP specification.

Quick Start & Requirements

  • Install: pipx install semgrep-mcp or docker run -i --rm ghcr.io/semgrep/mcp -t stdio
  • Prerequisites: Python 3.x. Optional Semgrep AppSec Platform token for cloud features.
  • Setup: Minimal setup time for local CLI usage. Docker requires container runtime.
  • Docs: https://github.com/semgrep/mcp

Highlighted Details

  • Exposes Semgrep's 5,000+ rules for security vulnerability scanning.
  • Provides tools for code understanding (AST generation).
  • Supports integration with popular IDEs (Cursor, VS Code) and AI frameworks (OpenAI Agents SDK).
  • Offers a hosted experimental server at mcp.semgrep.ai.

Maintenance & Community

  • Actively developed by the Semgrep Team.
  • Community support via Slack channel #mcp.
  • Contributions are welcomed.

Licensing & Compatibility

  • The project appears to be under a permissive license, but specific details are not explicitly stated in the README. Compatibility for commercial use is likely, but requires verification of the exact license.

Limitations & Caveats

  • The hosted server mcp.semgrep.ai is experimental and subject to change.
  • The SSE transport is considered legacy, with streamable-http recommended.
  • The project is in beta and under active development, implying potential for breaking changes.

Health Check

  • Last commit: 19 hours ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 43
  • Issues (30d): 10