Semgrep MCP
MCP server that lets AI agents run Semgrep static analysis to find security vulnerabilities in code.
🛡️ AgentReady threat assessment
MAESTRO 7-layer threat model + OWASP AIVSS risk score for Semgrep MCP, derived from its capabilities.
AIVSS 7.2 · High
Overview
Exposes Semgrep's static application security testing (SAST) engine as MCP tools so an agent can scan code snippets or repositories for vulnerabilities. It returns findings with rule IDs, severity, and locations, and can run custom or registry rules. Because it ingests arbitrary code and feeds rule output back into the model, it carries a prompt-injection surface (via the returned findings) and a scope surface.
Key features
- Scan code for vulnerabilities via Semgrep rules
- Custom and registry rulesets
- Structured findings with severity and location
Use cases
- Automated code security review inside an AI IDE
- Pre-commit vulnerability scanning by an agent