# Semgrep MCP

> Semgrep lets your AI client read and write directly to Semgrep's security platform. It gives you the ability to audit code vulnerabilities, analyze specific flaws, mark findings as fixed or false positives, and deploy custom semantic rules without leaving your chat window.

## Overview
- **Category:** fort-knox
- **Price:** Free
- **Tags:** sast, sca, code-security, vulnerability-management, static-analysis, devsecops, compliance-auditing, automated-triage

## Description

Managing code security shouldn't mean abandoning your IDE for a web dashboard. This MCP connects your AI agent directly to Semgrep’s AppSec platform, letting you audit security findings right where you work. Instead of copying vulnerability details into a ticket and waiting for a human to triage it, your agent can pull the latest CI scan results, analyze the bad code snippet, and instantly update its status—whether that means marking it as fixed or confirming it’s a false positive. You can also use it to enforce custom security standards by having your AI client write and deploy new semantic rules across all your repositories. By connecting this MCP via Vinkius, you give your agent access to the full catalog of code quality tools, accelerating compliance auditing instantly.

## Tools

### create_rule
Deploys a customized security rule that forbids specific bad coding patterns across your enterprise repositories.

### delete_rule
Removes an existing custom Semgrep security rule from the deployment scope entirely.

### list_deployments
Lists all defined organizational deployments, providing necessary slugs to define the scope for other security operations.

### list_findings
Fetches a comprehensive list of global static analysis vulnerabilities within a specified deployment's code base.

### get_finding_details
Retrieves detailed information on a specific finding, including the offending code block, suggested fixes, and links to any associated CVEs.

### get_project
Searches for an exact Semgrep project using its precise repository name to scope security queries.

### list_rules
Displays all current semantic rules that are actively deployed globally across your codebase.

### get_metrics
Gathers AppSec metrics and compliance statistics, ideal for generating high-level executive security dashboards.

### list_projects
Lists all monitored repositories or projects within a defined deployment scope.

### update_finding_status
Marks the state of a specific vulnerability finding, changing it to 'fixed', 'false positive', or 'ignored'.

## Prompt Examples

**Prompt:** 
```
List the most severe unmitigated findings currently breaking our CI/CD pipeline on the 'vinkius/cloud' repository.
```

**Response:** 
```
I've fetched the findings list scoped to 'vinkius/cloud'. Currently, there are 2 blockers. 1) Exposed hardcoded AWS Secret Access Key in `auth.py:L45`. 2) Outdated dependency `lodash@4.17.15` in `package.json` vulnerable to prototype pollution. Would you like me to resolve the Lodash one by generating an update commit script?
```

**Prompt:** 
```
Mark vulnerability issue ID #58032 as a 'false_positive' using the update finding tool.
```

**Response:** 
```
The operation is complete. I've sent the mutation `update_finding_status` for issue 58032 within your deployment. Semgrep now permanently recognizes this event as `false_positive`, and subsequent scans will not flag this specific semantic line match again.
```

**Prompt:** 
```
Review the company's Semgrep performance metrics focusing on fix rate.
```

**Response:** 
```
I've analyzed your AppSec timeline with `get_metrics`. Your overall Fix Rate for the trailing 30 days is hovering around 83%. The median 'time-to-resolve' for critical SAST vulnerabilities is 3.4 days. This shows strong engagement natively within developer pull requests before merge.
```

## Capabilities

### Update finding status
Mark specific security findings as fixed, ignored, false positives, or mitigated directly from your chat.

### Deploy custom rules
Create and deploy new semantic security rules to forbid newly discovered bad coding patterns across the entire organization.

### Delete existing rules
Remove obsolete or unnecessary custom security rules from your active deployment set.

### Fetch all security findings
Retrieve a global list of static analysis vulnerabilities, including file lines and severity levels, for any given project deployment.

### Get flaw details
Analyze an individual vulnerability to see the exact offending code block, suggested fixes, and associated CVE data.

### List monitored projects
See a list of all repositories and projects currently being scanned by Semgrep within your organization's deployment scope.

## Use Cases

### A PR is blocked by an unknown dependency flaw.
The agent fetches the findings list and uses get_finding_details on a specific ID. It explains to the developer exactly why the vulnerability exists, links to CVE data, and suggests the precise code change needed for the fix.

### Quarterly compliance audit requires proof of patch rates.
The DevOps user asks the agent to get_metrics. The AI client returns a detailed report showing the overall Fix Rate and the median time-to-resolve critical vulnerabilities, which is perfect for an executive meeting.

### An old, unused security rule needs removal.
The AppSec Engineer instructs the agent to list_rules first. After identifying the obsolete pattern, they use delete_rule to take it out of service globally without logging into the web interface.

### Need to quickly confirm a reported bug is actually harmless.
The developer runs an initial check using list_findings. They then use update_finding_status on the specific finding ID, marking it as 'false positive' and logging the action for audit purposes.

## Benefits

- Stop context switching. Instead of hopping between the IDE, Semgrep dashboard, and Jira, your AI agent manages everything—from fetching findings to updating their status with a single command.
- Accelerate triage dramatically. Use `list_findings` followed by `get_finding_details` so you don't have to copy-paste raw vulnerability data; the details appear right in the conversation.
- Enforce policy on demand. Need to block a new, bad coding practice? You can use `create_rule` to write and deploy a custom semantic rule instantly across all your repositories.
- Simplify compliance reporting. Run `get_metrics` to pull fix rates and overall AppSec statistics, then pipe that data directly into an executive summary report without manual export/import steps.
- Clear up the backlog fast. If you confirm a vulnerability is irrelevant or already patched, use `update_finding_status` to change its state permanently, cleaning up developer queues.

## How It Works

1. Enable the Semgrep MCP through Vinkius, then supply an API token from your Semgrep Dashboard settings.
2. Engage your AI agent in any MCP-compatible client and prompt it to analyze a security report or check compliance metrics.
3. The agent executes specific actions—like updating findings status or listing rules—and returns actionable data directly into the chat thread.

The bottom line is you get real-time, auditable control over your code's security posture without ever leaving your AI interface.

## Frequently Asked Questions

**How do I use Semgrep MCP to check my overall security health?**
You run the list_findings tool, specifying the target deployment slug. This retrieves a comprehensive report of all vulnerabilities found across the code base in one go.

**Can I update finding status using Semgrep MCP?**
Yes, you use the update_finding_status tool. You just need to provide the specific finding ID and the desired status (e.g., 'false_positive').

**What is the best way to review compliance data with Semgrep MCP?**
To get high-level stats, use the get_metrics tool. This returns AppSec performance metrics and overall compliance statistics for executive reporting.

**Does Semgrep MCP help me write new security rules?**
Yes, you can use create_rule to deploy a custom semantic rule. You define the pattern once, and it enforces that rule across all your repositories.
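As an added example (not content from the Vinkius listing or from Semgrep), this is the kind of custom Semgrep rule that `create_rule` would deploy; it forbids the hardcoded AWS credential pattern seen in the sample response above. The page does not state the tool's input schema, so the rule id, message, metadata and the way the rule text is handed to `create_rule` are assumptions here.

```yaml
# Added example: a custom Semgrep rule that forbids AWS credentials passed as
# string literals to boto3 in Python code. Rule id and metadata are constructed.
rules:
  - id: hardcoded-aws-credentials
    languages: [python]
    severity: ERROR
    message: >-
      AWS credentials are passed as string literals to boto3.$FUNC. Hardcoded
      keys end up in version control and scan history; load them from the
      environment, an IAM role, or a secrets manager instead.
    patterns:
      # $FUNC binds to client, resource or Session; "..." matches any string
      # literal, so any literal key is flagged regardless of its value.
      - pattern-either:
          - pattern: boto3.$FUNC(..., aws_secret_access_key="...", ...)
          - pattern: boto3.$FUNC(..., aws_access_key_id="...", ...)
    # Matches:      boto3.client("s3", aws_secret_access_key="<literal>")
    # Does not match: boto3.client("s3", aws_secret_access_key=os.environ["KEY"])
    paths:
      exclude:
        - "tests/"   # fixtures with placeholder keys are reviewed separately
    metadata:
      category: security
      cwe: "CWE-798: Use of Hard-coded Credentials"
      confidence: HIGH
```

Findings raised by this rule then show up through `list_findings` like any other Semgrep result and can be triaged with `update_finding_status`.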

**Which tool do I use to find out which projects Semgrep is monitoring?**
Use list_projects. This tool reads the monitored repository list for a specific deployment scope, giving you visibility into your entire security footprint.