
mcp

An MCP server for using Semgrep to scan code for security vulnerabilities.

Installation
Run this command in your terminal to add the MCP server to Claude Code:

  claude mcp add --transport stdio semgrep-mcp uvx semgrep-mcp \
    --env SEMGREP_APP_TOKEN="<token>"

How to use

This MCP server integrates Semgrep into the Model Context Protocol ecosystem, allowing LLMs and IDEs to request code scans and contextual analysis powered by Semgrep rules. You can run the server locally either via the UV-based binary or as a Docker container. The included tools support scanning code, understanding code structure and security implications, and interfacing with Semgrep's cloud or local tokens as needed. Typical usage involves starting the MCP server and then configuring your MCP client (e.g., Cursor, VS Code, or other MCP-enabled tooling) to point at the server so you can send prompts that request code scanning, rule-based analysis, or metadata about the codebase. The server exposes tools such as Scan Code, Understand Code, Cloud Platform access (requires login and a Semgrep token), and metadata queries to help you manage and interpret analysis results.

How to install

Prerequisites:

  • A supported runtime: UV (via uvx) or Docker for running the MCP server. Optional Python-based setup if you prefer a Python/UV workflow.
  • Internet access to pull the package image or install the CLI.

Installation options:

  1. Using UV (recommended for local development):

    • Install UV if you don’t have it yet (follow the UV installation instructions for your OS).
    • Run the MCP server: uvx semgrep-mcp
    • This will start the MCP server using the Semgrep MCP package from the main Semgrep repository.
  2. Using Docker (recommended for isolation):

    • Ensure Docker is installed and running.
    • Run the MCP server in a container: docker run -i --rm ghcr.io/semgrep/mcp -t stdio
    • This starts the server and exposes stdio-based communication for MCP clients.
  3. Python/PyPI option (if you prefer installing the package directly):

    • Install the Semgrep MCP package from PyPI: pip install semgrep-mcp
    • Start via the provided CLI (as documented in the Semgrep MCP readme in the main repo).

Notes:

  • This MCP server has been moved from a standalone repository to the main semgrep repository. Expect updates to come through the official semgrep binary and repository. The standalone repo is deprecated.

Additional notes

Helpful tips and caveats:

  • The Semgrep MCP server is currently distributed via UV and Docker options. You can also use the main Semgrep binary for MCP-related functionality as updates roll out in the semgrep repo.
  • When using UV, you may need to provide a Semgrep API token if your workflow relies on Cloud Platform features. Set SEMGREP_APP_TOKEN to your token value in your MCP config or environment.
  • If you encounter connectivity or token errors, verify that your token is valid and that your MCP client is configured to communicate with the correct MCP server URL. The server in this repository references the official Semgrep MCP workflow; refer to the main Semgrep MCP docs for supported prompts and tool usage.
  • The mcp_config example uses the server-name semgrep. You can add additional servers or variants (e.g., Docker-based or uvx-based) as needed by duplicating the entry with different command/args values.
  • This repository’s MCP server is focused on Semgrep interactions (scanning, understanding code, and meta queries). For full capabilities, you’ll typically configure clients like Cursor or VS Code to route prompts to the MCP and handle the scan results as structured data.
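As an added illustration (not configuration shipped by this repository), the following MCP client config shows the server-name semgrep from the note above next to a second, Docker-based variant, each supplying SEMGREP_APP_TOKEN through the env block rather than on the command line. The mcpServers / command / args / env layout is the common client config shape used by tools such as Cursor and Claude Desktop, the "semgrep-docker" entry name is a constructed example, and "<token>" is a placeholder to replace with your own value. In the Docker variant, docker run -e SEMGREP_APP_TOKEN with no value forwards the variable from the client-provided environment into the container, so the token never appears in the args array.

```json
{
  "mcpServers": {
    "semgrep": {
      "command": "uvx",
      "args": ["semgrep-mcp"],
      "env": {
        "SEMGREP_APP_TOKEN": "<token>"
      }
    },
    "semgrep-docker": {
      "command": "docker",
      "args": [
        "run", "-i", "--rm",
        "-e", "SEMGREP_APP_TOKEN",
        "ghcr.io/semgrep/mcp",
        "-t", "stdio"
      ],
      "env": {
        "SEMGREP_APP_TOKEN": "<token>"
      }
    }
  }
}
```

Keeping the token in the env block (or in the process environment the client inherits) rather than in args avoids leaking it through process listings and shell history, and lets you rotate it without touching the command definition.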
