MCP VERIFIED · PRODUCTION READY · VINKIUS GUARANTEED

Semgrep MCP Server

Name: Semgrep
Availability: InStock
Author: Vinkius

Built by Vinkius GDPR ToolsFree for Subscribers

Equip your AI agent with read/write access to Semgrep's SAST platform to audit code security findings, update triage statuses, and enforce custom semantic rules.

Get MCP Server for AI Agents

Ask AI about this MCP Server

Open in ChatGPT Open in Claude Open in Perplexity

Vinkius supports streamable HTTP and SSE.

AI Agent→Vinkius

High Security·Kill Switch·Plug and Play

Fully ManagedVinkius Servers

60%Token savings

High SecurityEnterprise-grade

IAMAccess control

EU AI ActCompliant

DLPData protection

V8 IsolateSandboxed

Ed25519Audit chain

<40msKill switch

Stream every event to Splunk, Datadog, or your own webhook in real-time

* Every MCP server runs on Vinkius-managed infrastructure inside AWS - a purpose-built runtime with per-request V8 isolates, Ed25519 signed audit chains, and sub-40ms cold starts optimized for native MCP execution. See our infrastructure

What is the Semgrep MCP Server?

The Semgrep MCP Server gives AI agents like Claude, ChatGPT, and Cursor direct access to Semgrep via 10 tools. Equip your AI agent with read/write access to Semgrep's SAST platform to audit code security findings, update triage statuses, and enforce custom semantic rules. Powered by the Vinkius - no API keys, no infrastructure, connect in under 2 minutes.

Built-in capabilities (10)

create_ruledelete_ruleget_finding_detailsget_metricsget_projectlist_deploymentslist_findingslist_projectslist_rulesupdate_finding_status

Tools for your AI Agents to operate Semgrep

Ask your AI agent "List the most severe unmitigated findings currently breaking our CI/CD pipeline on the 'vinkius/cloud' repository." and get the answer without opening a single dashboard. With 10 tools connected to real Semgrep data, your agents reason over live information, cross-reference it with other MCP servers, and deliver insights you would spend hours assembling manually.

Works with Claude, ChatGPT, Cursor, and any MCP-compatible client. Powered by the Vinkius - your credentials never touch the AI model, every request is auditable. Connect in under two minutes.

Why teams choose Vinkius

One subscription gives you access to thousands of MCP servers - and you can deploy your own to the Vinkius Edge. Your AI agents only access the data you authorize, with DLP that blocks sensitive information from ever reaching the model, kill switch for instant shutdown, and up to 60% token savings. Enterprise-grade infrastructure and security, zero maintenance.

Build your own MCP Server with our secure development framework →

Vinkius works with every AI agent you already use

…and any MCP-compatible client

Semgrep MCP Server capabilities

10 tools

create_rule

Allows developers to forbid project-specific bad patterns securely and continuously across the enterprise repositories. Create a customized Semgrep security rule within the platform

delete_rule

Delete a custom Semgrep security rule from the deployment

get_finding_details

Explains the exact malicious code block, suggests semantic fixes, states whether it is blocking PRs in CI, and links to CVE data (if an SCA supply chain defect). Get atomic details for a specific Semgrep flaw

get_metrics

Typically consumed to render executive security dashboards. Get AppSec metrics and compliance stats for Semgrep

get_project

Search for a precise Semgrep project by exact repository name

list_deployments

The primary key is the deployment slug identifier. Almost all subsequent API operations targeting rules, projects, or findings will require this deployment slug to define the scope. List Semgrep organizational deployments

list_findings

Findings provide snippet details, file line numbers, severity, and rule types. Fetch global static analysis security findings for a deployment

list_projects

Projects maintain a link between developers and static security scan outputs over time. List Semgrep projects (repositories) monitored in a deployment

list_rules

The rules are structured YAML definitions that search for semantic anti-patterns in codebases (e.g., unparameterized SQL queries, hardcoded AWS keys). List Semgrep semantic rules deployed globally

update_finding_status

Valid states generally include active, fixed, false_positive, ignored, mitigated. Resolving findings through this API cleans up the developer experience when managing compliance queues. Mark a Semgrep finding state (e.g., fixed, false positive)

What the Semgrep MCP Server unlocks

Connect the Semgrep AppSec platform directly to your AI agent to radically accelerate code security triaging. Instead of forcing developers to jump between their IDE and the Semgrep dashboard, empower your AI to pull 'Findings', analyze the vulnerable syntax, and instantly close false positives.

What you can do

Triage Findings (Bugs) — Instruct the agent to grab the latest CI vulnerability findings and immediately push a status update to mark it as fixed, ignored, or mitigated (update_finding_status)
Rule Management — Request the AI to look at a newly discovered bad coding pattern and command it to write and deploy a matching custom semantic rule (create_rule) to your organizational deployment
Project & Deployment Scoping — Map out all repositories running Semgrep actions and check their overarching security health scores in milliseconds
Comprehensive Forensics — Fetch granular SCA and SAST semantic flaw definitions, including exact snippets, CVE links, and the specific bad lines causing the trigger

How it works

1. Enable this MCP server within your workflow
2. Supply a standard API Token from your Semgrep Dashboard settings
3. Engage your agent in Cursor or Claude to cross-examine security warnings dynamically

Who is this for?

Security Engineers (AppSec) — tell the AI to quickly delete an obsolete rule across the entire deployment without wrestling with the dashboard interface
DevOps — retrieve compliance metrics and pipeline fix rates natively and pipe them directly into an executive summary report via chat
Software Developers — let Cursor fetch the specific finding_id blocking your PR, explain what the vulnerability means, and draft the exact semantic fix to pass the scan

Frequently asked questions about the Semgrep MCP Server

Can the AI resolve or close findings in Semgrep natively?

Yes. This server supports mutable actions. By invoking update_finding_status, your AI agent can shift a specific semantic flaw to 'mitigated', 'fixed', 'ignored', or 'false_positive' updating the registry in real-time.

How can I deploy a new custom SAST rule via chat?

Simply ask the LLM: 'Draft a semantic grep rule to ban hardcoded API keys in Python and deploy it'. The agent will natively format the JSON structure required and call create_rule, sending it directly to all repositories.

Do I need to supply a 'Deployment Slug' for every request?

Most API queries require the deployment context. To ensure smooth interactions, just tell the agent your organization slug once (or let it query list_deployments to fetch the default one). The agent will remember it for the rest of the conversation loop.

More in this category

Aikido Security

16 tools

Query security vulnerabilities via Aikido — list open issues, check repositories, monitor cloud assets, and track compliance directly from any AI agent.

OFAC Sanctions Service

10 tools

Access authoritative sanctions data via OFAC SLS — track SDN lists, entities, and version history directly from your AI agent.

JumpCloud

10 tools

Manage users, systems, and directories via JumpCloud API.

SEC EDGAR Companies — Ticker Lookup & Company Search

3 tools

Look up any U.S. public company on SEC EDGAR: resolve stock tickers (AAPL, TSLA, MSFT) to CIK numbers, search 8,000+ registered companies by name, and retrieve full SEC registration profiles including SIC industry codes, exchanges, and fiscal year details.