Semgrep MCP Server

MCP server for Semgrep — a popular open-source static application security testing (SAST) tool. Enables AI agents to run Semgrep security scans on codebases, apply custom rules, detect security vulnerabilities, check code patterns, and integrate SAST findings into AI-driven secure development workflows.

Evaluated Mar 06, 2026
Category: Security. Tags: semgrep, sast, security, code-analysis, static-analysis, mcp-server, authorized-use
Agent Friendliness: 72 / 100 (Can an agent use this?)
Security: 80 / 100 (Is it safe for agents?)
Reliability: 68 / 100 (Does it work consistently?)

Score Breakdown

Agent Friendliness
  • MCP Quality: 68
  • Documentation: 68
  • Error Messages: 65
  • Auth Simplicity: 88
  • Rate Limits: 82

Security
  • TLS Enforcement: 85
  • Auth Strength: 82
  • Scope Granularity: 78
  • Dep. Hygiene: 72
  • Secret Handling: 80

SAST tool with local analysis. Source code stays local unless Semgrep Pro cloud features are used. Security findings are sensitive data.

Reliability
  • Uptime/SLA: 72
  • Version Stability: 68
  • Breaking Changes: 65
  • Error Recovery: 68

Best When

A security engineer or DevSecOps team wants AI agents to run automated code security reviews using Semgrep — integrating SAST findings into AI-driven code review and security workflows.

Avoid When

Your team already runs Semgrep in CI/CD — adding a separate MCP may duplicate effort. Best value is when agents need dynamic, on-demand SAST during AI code generation workflows.

Use Cases

  • Running Semgrep security scans on codebases from security review agents
  • Checking code for vulnerability patterns from AI code review agents
  • Applying custom Semgrep rules for compliance checking from DevSecOps agents
  • Integrating SAST findings into AI-driven secure development lifecycle workflows

Not For

  • Dynamic application security testing (Semgrep is SAST — static analysis only)
  • Scanning binary/compiled code without source access
  • Teams using only commercial SAST tools (Checkmarx, Veracode)

Interface

  • REST API: No
  • GraphQL: No
  • gRPC: No
  • MCP Server: Yes
  • SDK: No
  • Webhooks: No

Authentication

Methods: none, api_key
OAuth: No
Scopes: No

Local Semgrep runs require no auth. Semgrep Pro/Cloud features require Semgrep API token.

Pricing

Model: freemium
Free tier: Yes
Requires CC: No

Semgrep open source is free. Pro rules require a subscription. The MCP server is a free, open-source community tool.

Agent Metadata

Pagination: none
Idempotent: Full
Retry Guidance: Not documented

Known Gotchas

  • Semgrep rule selection matters — agents should specify appropriate rule sets for the language/framework
  • False positive rates vary by rule set — agents may generate noise without proper rule configuration
  • Large codebases can take minutes to scan — implement appropriate timeouts
  • Community tool (VetCoders) — not official Semgrep/Returntocorp integration


Scores are editorial opinions as of 2026-03-06.
