Semgrep MCP
MCP server that lets AI agents run Semgrep static analysis to find security vulnerabilities in code.
🛡️ AgentReady threat assessment
MAESTRO 7-layer threat model + OWASP AIVSS risk score for Semgrep MCP, derived from its capabilities.
These scores are auto-generated from public information (the agent's own listing, docs, and repository) using the canonical OWASP AIVSS formula and the MAESTRO framework — an estimate for guidance, not a penetration test, audit, or certification. See the scoring methodology.
Overview
Exposes Semgrep's static application security testing (SAST) engine as MCP tools so an agent can scan code snippets or repositories for vulnerabilities. It returns findings with rule IDs, severity, and locations, and can run custom or registry rules. Because it ingests arbitrary code and feeds the rule output back into the model, it carries a prompt-injection surface (finding text that the model reads) as well as a scope surface.
Key features
- Scan code for vulnerabilities via Semgrep rules
- Custom and registry rulesets
- Structured findings with severity and location
Use cases
- Automated code security review inside an AI IDE
- Pre-commit vulnerability scanning by an agent