Semgrep MCP. Govern code security and compliance directly from chat.
Semgrep MCP lets your AI client read from and write to Semgrep's AppSec platform. You can audit code vulnerabilities, analyze specific findings, mark findings as fixed or false positives, and deploy custom semantic rules without leaving your chat window.
Give Claude and any AI agent real-world access
Mark specific security findings as fixed, ignored, false positives, or mitigated directly from your chat.
Create and deploy new semantic security rules to forbid newly discovered bad coding patterns across the entire organization.
Remove obsolete or unnecessary custom security rules from your active deployment set.
Retrieve a global list of static analysis vulnerabilities, including file lines and severity levels, for any given project deployment.
Analyze an individual finding to see the exact flagged code block, suggested fixes, and any associated CVE data.
See a list of all repositories and projects currently being scanned by Semgrep within your organization's deployment scope.
What AI agents can do with Semgrep: 10 tools
These tools allow you to audit security issues, view compliance metrics, create new enforcement rules, and mark vulnerability findings directly through your AI agent.
Make your AI actually useful.
Add this MCP to Claude, Cursor, or Windsurf and your AI stops guessing. It gets real tools to look things up, take action, and handle the stuff you keep doing by hand.
Create Rule
Deploys a customized security rule that forbids specific bad coding patterns across your enterprise repositories.
Delete Rule
Removes an existing custom Semgrep security rule from the deployment scope entirely.
List Deployments
Lists all defined organizational deployments, providing necessary slugs to define...
List Findings
Fetches a comprehensive list of global static analysis vulnerabilities within a...
Get Finding Details
Retrieves deep, atomic information on a specific flaw, including the flagged code...
Get Project
Searches for an exact Semgrep project using its precise repository name to scope security queries.
List Rules
Displays all current semantic rules that are actively deployed globally across your codebase.
Get Metrics
Gathers AppSec metrics and compliance statistics, ideal for generating high-level...
List Projects
Lists all monitored repositories or projects within a defined deployment scope over...
Update Finding Status
Marks the state of a specific vulnerability finding, changing it to 'fixed', 'false...
Security and governance baked right in.
Pick your AI client below to get set up. Create a Vinkius account, subscribe, and you're up and running. We handle the backend infrastructure, with out-of-the-box support for Streamable HTTP, SSE, and OAuth2, so there is no routing to configure.
Choose How to Get Started
Build a custom MCP for your own tools, or connect a ready-made integration from our catalog.
Build Your Own
Turn any API into an MCP. Import a spec, define Agent Skills, or deploy with MCPFusion.
- Import from OpenAPI, Swagger, or YAML specs
- Create Agent Skills with progressive disclosure
- Deploy to edge with MCPFusion framework
- Built in DLP, auth, and compliance on each call
- Real time usage dashboard and cost metering
- Publish to catalog or keep private
Make Your AI Do More
Start with Semgrep, then connect any of our 5,200+ other servers whenever your AI needs more. One click, no limits.
- Use this MCP plus 5,200+ others, all in one place
- Add new capabilities to your AI anytime you want
- Connections are secured and governed automatically
- Track usage and costs across all your servers
- Works with Claude, ChatGPT, Cursor, and more
- New servers added to the catalog weekly
Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by Semgrep. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.
VINKIUS CLOUD
- Cloud Hosted: managed infra
- V8 Isolated: sandboxed per request
- Zero-Trust Proxy: no stored credentials
- DLP Enforced: policy on each call
- GDPR Compliant: EU data residency
- Token Compression: ~60% cost reduction
Dealing with Security Findings Feels Like Juggling Tabs
Right now, dealing with security vulnerabilities means context switching: you open your IDE to write code. When the build fails, you jump to the Semgrep dashboard to read findings. Then, if a team member asks about it, you copy data into Jira or Slack. You spend more time managing the workflow than actually fixing the bug.
With this MCP connected via Vinkius, that process collapses. Your AI agent pulls the raw finding details directly from Semgrep and gives you an analysis right in your chat. You can then use `update_finding_status` to mark it as fixed without ever leaving your conversation.
Deploying Rules with Semgrep MCP
Manually deploying a new security rule requires navigating the platform, writing YAML, testing against a staging environment, and then finally pushing it to production. It’s slow and prone to human error.
Now, you can have your agent draft or adjust the semantic rule definition and deploy it with `create_rule`, with immediate feedback and deployment control from chat. Because enforcement is instant, have the agent check the pattern against a snippet it should match and one it should not before you deploy; a pattern that is too broad lands as noisy findings in every repository at once.
What Semgrep MCP does for your AI
Managing code security shouldn't mean abandoning your IDE for a web dashboard. This MCP connects your AI agent directly to Semgrep’s AppSec platform, letting you audit security findings right where you work. Instead of copying vulnerability details into a ticket and waiting for a human to triage it, your agent can pull the latest CI scan results, analyze the bad code snippet, and instantly update its status—whether that means marking it as fixed or confirming it’s a false positive.
You can also use it to enforce custom security standards by having your AI client write and deploy new semantic rules across all your repositories. By connecting this MCP via Vinkius, you give your agent access to the full catalog of code quality tools, accelerating compliance auditing instantly.
The bottom line is you get real-time, auditable control over your code's security posture without ever leaving your AI interface.
How to set up Semgrep MCP
Enable the Semgrep MCP through Vinkius, then supply an API token generated in your Semgrep Dashboard settings. Treat that token as a write credential: the tools above can change finding status and deploy or delete rules, so issue it from a dedicated account with the narrowest scope Semgrep offers, and revoke it when the integration is retired.
Engage your AI agent in any MCP-compatible client and prompt it to analyze a security report or check compliance metrics.
The agent executes specific actions—like updating findings status or listing rules—and returns actionable data directly into the chat thread.
Who uses Semgrep MCP
Security Engineers and DevOps staff who are tired of context switching between multiple dashboards. It’s for the developer needing to stop clicking through tickets just to verify a fix.
Uses this MCP to quickly delete obsolete security rules or audit compliance metrics across all deployments in one chat command.
Retrieves global AppSec performance metrics and pipeline fix rates, compiling executive summaries for stakeholders instantly.
Lets the agent fetch the specific finding that is blocking a pull request, explain what the vulnerability means, and draft the precise code fix needed to pass the scan.
Benefits of connecting Semgrep MCP
Stop context switching. Instead of hopping between the IDE, Semgrep dashboard, and Jira, your AI agent manages everything—from fetching findings to updating their status with a single command.
Accelerate triage dramatically. Use list_findings followed by get_finding_details so you don't have to copy-paste raw vulnerability data; the details appear right in the conversation.
Enforce policy on demand. Need to block a new, bad coding practice? You can use create_rule to write and deploy a custom semantic rule instantly across all your repositories.
Simplify compliance reporting. Run get_metrics to pull fix rates and overall AppSec statistics, then pipe that data directly into an executive summary report without manual export/import steps.
Clear up the backlog fast. Once you have confirmed a finding is irrelevant or already patched, use update_finding_status to change its state and clear it out of developer queues.
Semgrep MCP use cases
A PR is blocked by a dependency flaw the developer does not recognize.
The agent fetches the findings list and uses get_finding_details on a specific ID. It explains to the developer exactly why the vulnerability exists, links to CVE data, and suggests the precise code change needed for the fix.
Quarterly compliance audit requires proof of patch rates.
The DevOps user asks the agent to get_metrics. The AI client returns a detailed report showing the overall Fix Rate and the median time-to-resolve critical vulnerabilities, which is perfect for an executive meeting.
An old, unused security rule needs removal.
The AppSec Engineer instructs the agent to list_rules first. After identifying the obsolete pattern, they use delete_rule to take it out of service globally without logging into the web interface.
Need to quickly confirm a reported bug is actually harmless.
The developer runs an initial check using list_findings, then confirms with get_finding_details that the flagged code is not reachable or not exploitable. Only then do they use update_finding_status on the specific finding ID, marking it as 'false positive' so the action is logged for audit purposes.
Semgrep MCP tradeoffs
What to watch out for, and the recommended way to handle each one.
Manual Dashboard Hunting
A developer has to manually copy vulnerability details from the Semgrep UI into a ticket, then wait for an engineer to log back in and manually update the status.
Instead, tell your agent to list_findings first. Then use get_finding_details on the specific ID you care about. Finally, use update_finding_status right away to mark it as 'false positive' or 'fixed'.
Ignoring Scope Limitations
Trying to run a rule check without specifying which deployment is affected, leading to ambiguous results and errors.
Always start by using list_deployments to identify the correct scope. All subsequent operations (like creating rules or listing findings) must be scoped correctly.
Writing Rules in Code Comments
A developer writes a security requirement as a comment, hoping it gets noticed by auditors later.
For actual enforcement, use create_rule. This tool deploys a semantic rule that automatically checks and enforces the pattern across your entire codebase.
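As an added example that is not part of this page or of Semgrep's own code: the kind of rule you would hand to create_rule for the case above (a requirement that otherwise lives only in a comment), written as Semgrep YAML, together with a small Python checker that mirrors the rule's semantics on a constructed sample so the match logic can be exercised offline. It also serves the "Deploying Rules with Semgrep MCP" section: this is the local should-match / should-not-match check to run before the rule goes live. Semgrep does the real matching once the rule is deployed; the rule id, message, and sample code are assumptions made for this example.

```python
"""Added example (not Semgrep's code): a Semgrep rule of the kind passed to
create_rule, plus an ast-based checker that mirrors its semantics so the
match logic can be tried offline. Rule id, message and sample are assumed."""
import ast
from typing import List, Tuple

# The rule as Semgrep YAML. It flags subprocess calls that go through a shell
# with a command that is not a string literal: the shape that turns user
# input into OS command injection. A constant command is excluded because it
# cannot carry attacker-controlled text.
SEMGREP_RULE = """\
rules:
  - id: example-subprocess-shell-true-nonliteral
    languages: [python]
    severity: ERROR
    message: subprocess call with shell=True and a non-literal command; pass an argv list and drop shell=True
    patterns:
      - pattern: subprocess.$FUNC($CMD, ..., shell=True, ...)
      - pattern-not: subprocess.$FUNC("...", ..., shell=True, ...)
    metadata:
      cwe: "CWE-78: Improper Neutralization of Special Elements used in an OS Command"
"""

Finding = Tuple[int, str]  # (line number, subprocess function name)


def _is_shell_true(call: ast.Call) -> bool:
    """True when the call carries an explicit shell=True keyword."""
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in call.keywords
    )


def find_shell_injection_sinks(source: str) -> List[Finding]:
    """Return (line, func) for every subprocess.<func>(cmd, ..., shell=True)
    whose first argument is not a string literal. Mirrors SEMGREP_RULE:
    'pattern' selects shell=True calls, 'pattern-not' drops literal commands."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not isinstance(node.func, ast.Attribute):
            continue
        if not (isinstance(node.func.value, ast.Name) and node.func.value.id == "subprocess"):
            continue
        if not node.args or not _is_shell_true(node):
            continue
        cmd = node.args[0]
        if isinstance(cmd, ast.Constant) and isinstance(cmd.value, str):
            continue  # literal command: the pattern-not clause excludes it
        findings.append((node.lineno, node.func.attr))
    return findings


# Constructed sample module. Lines 5 and 9 should match; the comment on
# line 4 enforces nothing, and lines 12 and 15 are deliberately clean.
SAMPLE = '''\
import subprocess

def ping(host):
    # comment saying "never use shell=True" enforces nothing
    return subprocess.run("ping -c 1 " + host, shell=True)

def list_dir(path):
    cmd = f"ls {path}"
    return subprocess.check_output(cmd, shell=True)

def safe_ping(host):
    return subprocess.run(["ping", "-c", "1", host])

def fixed_cmd():
    return subprocess.run("uptime", shell=True)
'''

if __name__ == "__main__":
    for line, func in find_shell_injection_sinks(SAMPLE):
        print(f"sample.py:{line}: subprocess.{func} with shell=True and a non-literal command")
```

The checker is an illustration of what the YAML means, not how Semgrep evaluates it; the point is that the "never use shell=True" comment on line 4 changes nothing, while the deployed rule would flag line 5 and line 9 in every repository in the deployment scope and leave the argv-list and constant-command calls alone.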
When to use Semgrep MCP
Use this MCP if your core pain point is context switching around code security: you want an AI agent to fetch findings, change their statuses, or deploy rules through a chat interface instead of navigating the dashboard. It suits teams that value speed and an auditable trail of actions over manual dashboard work.
It is not a replacement for the raw Semgrep API. If you only need bulk data exports, call the API directly; the MCP exposes structured, actionable workflows (get_metrics, for example, returns aggregated statistics rather than raw records). If you only want to read the list of deployed rules, list_rules covers that on its own. The value of the MCP is in acting on that information, such as marking a finding or creating a new rule.
Frequently asked questions about Semgrep MCP
How do I use Semgrep MCP to check my overall security health?
Run the list_findings tool with the target deployment slug to retrieve all findings across the code base in one go, or get_metrics for the aggregated fix-rate and compliance numbers.
Can I update finding status using Semgrep MCP?
Yes. Use the update_finding_status tool with the specific finding ID and the desired status (for example 'false_positive').
What is the best way to review compliance data with Semgrep MCP?
For high-level stats, use the get_metrics tool. It returns AppSec performance metrics and overall compliance statistics for executive reporting.
Does Semgrep MCP help me write new security rules?
Yes. Use create_rule to deploy a custom semantic rule. You define the pattern once and it is enforced across all your repositories.
Which tool do I use to find out which projects Semgrep is monitoring?
Use list_projects. It reads the monitored repository list for a specific deployment scope, giving you visibility into your entire security footprint.