MCP Hub

mcp-server-semgrep

by: Szowesgad

MCP Server Semgrep is a [Model Context Protocol](https://modelcontextprotocol.io) compliant server that integrates the powerful Semgrep static analysis tool with AI assistants like Anthropic Claude. It enables advanced code analysis, security vulnerability detection, and code quality improvements directly through a conversational interface.

Created 03/03/2025
Tags: Semgrep, static-analysis

📌 Overview

Purpose: To provide a Model Context Protocol compliant server that integrates Semgrep for enhanced code analysis, security scanning, and code quality improvements.

Overview: MCP Server Semgrep combines the capabilities of Semgrep with AI assistance, enabling developers to analyze source code for vulnerabilities and quality issues effectively using a conversational interface. The framework simplifies installation and maintenance while delivering robust performance across multiple platforms.

Key Features:

  • Direct Integration with MCP SDK: Seamlessly connects with the Model Context Protocol SDK, ensuring easy setup.
  • Simplified Architecture: Consolidated handlers contribute to a more manageable and maintainable codebase.
  • Cross-Platform Compatibility: Works on Windows, macOS, and Linux, enhancing accessibility for diverse developer environments.
  • Comprehensive Documentation: Provides extensive resources, including examples and bilingual support in English and Polish.
  • Custom Rule Creation: Allows users to tailor specific scanning rules to meet unique project requirements.
  • Efficient Error Handling: Implements robust error handling and path validation to safeguard against security threats.

MCP Server Semgrep

POWERED BY:

Semgrep

About the Project

This project was inspired by the robustness of the Semgrep tool, the Replit team and their Agent V2, and the implementation by stefanskiasan/semgrep-mcp-server. It has since evolved with significant architectural changes that make installation and maintenance easier.

Benefits of Integration

For Developers and Development Teams

  • Holistic source code analysis across entire projects
  • Proactive error detection before bugs become critical
  • Continuous code quality improvement through regular scans
  • Stylistic consistency identification and fixing, e.g.:
    • Arbitrary z-index layers in CSS
    • Inconsistent naming conventions
    • Code duplication
    • Use of "magic numbers" instead of named constants

For Security

  • Automated code verification for known vulnerabilities
  • Customized security rules for projects
  • Team education on secure programming practices

For Project Maintenance and Development

  • "Live" documentation: AI explains why code is problematic and how to fix it
  • Technical debt reduction by systematically detecting and fixing issues
  • Improved code reviews by automatically detecting common problems

Key Features

  • Direct integration with the official MCP SDK
  • Simplified architecture with consolidated handlers
  • Clean ES Modules implementation
  • Efficient error handling and path validation for security
  • Interface and documentation in English and Polish
  • Comprehensive unit tests
  • Extensive documentation
  • Cross-platform compatibility (Windows, macOS, Linux)
  • Flexible Semgrep installation detection and management

Functions

Semgrep MCP Server provides the following tools:

  • scan_directory: Scan source code for potential issues
  • list_rules: Display available rules and supported languages
  • analyze_results: Detailed analysis of scan results
  • create_rule: Create custom Semgrep rules
  • filter_results: Filter results by various criteria
  • export_results: Export results in various formats
  • compare_results: Compare two sets of results (e.g., before and after changes)
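The "path validation for security" listed under Key Features and the scan_directory, filter_results and compare_results tools listed above are easier to reason about with a concrete pipeline. The following TypeScript is an added illustration written for this page, not the project's own code: it assumes a hypothetical allowedRoot setting that confines scans, spawns Semgrep through execFile (no shell, so a directory name containing shell metacharacters is passed literally), parses the `--json` report, and implements severity filtering and before/after comparison over constructed sample reports whose rule ids are made up.

```typescript
// Added illustration (not the project's own code) of what a scan_directory /
// filter_results / compare_results pipeline around Semgrep has to do safely.
import * as path from "node:path";
import { execFile } from "node:child_process";

// Only the fields of a Semgrep --json result record that the helpers below use.
export interface Finding {
  checkId: string;
  file: string;
  line: number;
  severity: string; // Semgrep uses INFO, WARNING, ERROR
  message: string;
}

// Resolve the requested directory against an allowed root and refuse anything
// that lands outside it ("../", absolute paths, other drives). The allowedRoot
// parameter is an assumption of this example, not a setting of the project.
// Callers that accept symlinked trees should additionally compare realpath().
export function validateScanPath(requested: string, allowedRoot: string): string {
  const root = path.resolve(allowedRoot);
  const target = path.resolve(root, requested);
  const rel = path.relative(root, target);
  if (rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    throw new Error(`refusing to scan ${requested}: outside ${root}`);
  }
  return target;
}

// Argument vector for Semgrep. Handing it to execFile (no shell) means a directory
// name containing ; or $ is passed through literally instead of being interpreted.
export function buildSemgrepArgs(dir: string, config = "auto"): string[] {
  return ["--json", "--quiet", "--config", config, dir];
}

// Spawn Semgrep on a validated path and parse its JSON. Not exercised by the
// test, since it needs a Semgrep binary on PATH.
export function runSemgrep(dir: string, allowedRoot: string): Promise<Finding[]> {
  const target = validateScanPath(dir, allowedRoot);
  return new Promise<Finding[]>((resolve, reject) => {
    execFile("semgrep", buildSemgrepArgs(target),
      { encoding: "utf8", maxBuffer: 64 * 1024 * 1024 },
      (err, stdout) => {
        if (err) return reject(err);
        try { resolve(parseSemgrepJson(stdout)); } catch (e) { reject(e); }
      });
  });
}

// Flatten Semgrep's {results: [...]} document into Finding records.
export function parseSemgrepJson(json: string): Finding[] {
  const doc = JSON.parse(json);
  if (!Array.isArray(doc.results)) throw new Error("not a Semgrep JSON report");
  return doc.results.map((r: any): Finding => ({
    checkId: String(r.check_id),
    file: String(r.path),
    line: Number(r.start?.line ?? 0),
    severity: String(r.extra?.severity ?? "INFO"),
    message: String(r.extra?.message ?? ""),
  }));
}

// filter_results-style helper: keep findings at or above a severity.
const SEVERITY_RANK: Record<string, number> = { INFO: 0, WARNING: 1, ERROR: 2 };
export function filterBySeverity(findings: Finding[], minSeverity: string): Finding[] {
  const min = SEVERITY_RANK[minSeverity] ?? 0;
  return findings.filter((f) => (SEVERITY_RANK[f.severity] ?? 0) >= min);
}

// compare_results-style helper: which findings disappeared, appeared or persisted
// between two scans. Keyed on rule + file + line, so an edit that only shifts lines
// shows up as one "fixed" plus one "introduced"; a hash of the matched lines is stricter.
export function compareFindings(before: Finding[], after: Finding[]) {
  const key = (f: Finding) => `${f.checkId}|${f.file}|${f.line}`;
  const beforeKeys = new Set(before.map(key));
  const afterKeys = new Set(after.map(key));
  return {
    fixed: before.filter((f) => !afterKeys.has(key(f))),
    introduced: after.filter((f) => !beforeKeys.has(key(f))),
    unchanged: after.filter((f) => beforeKeys.has(key(f))),
  };
}

// Constructed sample reports in Semgrep's --json shape (rule ids are made up).
export const SAMPLE_BEFORE = JSON.stringify({
  results: [
    { check_id: "inconsistent-z-index", path: "src/app.css", start: { line: 12 },
      extra: { severity: "WARNING", message: "Z-index 9999 may not comply with the layering system" } },
    { check_id: "custom.sql-string-concat", path: "src/db.js", start: { line: 40 },
      extra: { severity: "ERROR", message: "SQL built by string concatenation" } },
  ],
  errors: [],
});
export const SAMPLE_AFTER = JSON.stringify({
  results: [
    { check_id: "inconsistent-z-index", path: "src/app.css", start: { line: 12 },
      extra: { severity: "WARNING", message: "Z-index 9999 may not comply with the layering system" } },
  ],
  errors: [],
});
```

Two design points matter for a server that an AI assistant drives: the directory argument comes from a conversation, so it is validated against a root before any process is started, and Semgrep is invoked with an argument vector rather than a shell command line, so nothing in that argument is ever interpreted. The comparison helper is what the "verification of fix correctness (comparing before/after scans)" use case boils down to.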

Common Use Cases

  • Code security analysis before deployment
  • Detection of common programming errors
  • Enforcing coding standards within a team
  • Refactoring and improving code quality
  • Identifying style and code structure inconsistencies
  • Developer education on best practices
  • Verification of fix correctness (comparing before/after scans)

Installation

Prerequisites

  • Node.js v18+
  • TypeScript (for development)

Option 1: Install from Smithery.ai (Recommended)

  1. Visit https://smithery.ai/server/@Szowesgad/mcp-server-semgrep
  2. Follow installation instructions to add to MCP-compatible clients
  3. Configure optional settings like Semgrep API token

Recommended for Claude Desktop and other MCP clients as it handles dependencies automatically.

Option 2: Install from NPM Registry

# Using npm
npm install -g mcp-server-semgrep

# Using pnpm
pnpm add -g mcp-server-semgrep

# Using yarn
yarn global add mcp-server-semgrep

Also available on other registries, e.g., https://mcp.so/@Szowesgad/mcp-server-semgrep

Option 3: Install from GitHub

# Using npm
npm install -g git+https://github.com/Szowesgad/mcp-server-semgrep.git

# Using pnpm
pnpm add -g git+https://github.com/Szowesgad/mcp-server-semgrep.git

# Using yarn
yarn global add git+https://github.com/Szowesgad/mcp-server-semgrep.git

Option 4: Local Development Setup

  1. Clone the repository:
git clone https://github.com/Szowesgad/mcp-server-semgrep.git
cd mcp-server-semgrep
  2. Install dependencies:
# Using pnpm (recommended)
pnpm install

# Using npm
npm install

# Using yarn
yarn install
  3. Build the project:
# Using pnpm
pnpm run build

# Using npm
npm run build

# Using yarn
yarn build

The installation process automatically checks for Semgrep availability and provides instructions if missing.

Semgrep Installation Options

Semgrep can be installed via:

  • Package managers:
    # pnpm
    pnpm add -g semgrep
    
    # npm
    npm install -g semgrep
    
    # yarn
    yarn global add semgrep
    
  • Python pip:
    pip install semgrep
    
  • Homebrew (macOS):
    brew install semgrep
    
  • Linux:
    sudo apt-get install semgrep
    # or
    curl -sSL https://install.semgrep.dev | sh
    
  • Windows:
    pip install semgrep
    

Integration with Claude Desktop

Method 1: Install via Smithery.ai (Recommended)

  1. Visit https://smithery.ai/server/@Szowesgad/mcp-server-semgrep
  2. Click "Install in Claude Desktop"
  3. Follow the on-screen instructions

Method 2: Manual Configuration

  1. Install Claude Desktop
  2. Update claude_desktop_config.json and add the following to its mcpServers section:
{
  "mcpServers": {
    "semgrep": {
      "command": "node",
      "args": [
        "/your_path/mcp-server-semgrep/build/index.js"
      ],
      "env": {
        "SEMGREP_APP_TOKEN": "your_semgrep_app_token"
      }
    }
  }
}
  3. Launch Claude Desktop and start querying code analysis!

Usage Examples

  • Scan a source code directory for security issues:
Could you scan my source code in the /projects/my-application directory for potential security issues?
  • Analyze CSS z-index values for inconsistencies:
Analyze the z-index values in the project's CSS files and identify inconsistencies and potential layer conflicts.
  • Create a custom Semgrep rule:
Create a Semgrep rule that detects improper use of input sanitization functions.
  • Filter scan results for SQL injection vulnerabilities:
Show me only scan results related to SQL injection vulnerabilities.
  • Identify "magic numbers" and suggest named constants:
Find all "magic numbers" in the code and suggest replacing them with named constants.

Creating Custom Rules

Example: Detect inconsistent z-indices

rules:
  - id: inconsistent-z-index
    pattern: z-index: $Z
    message: "Z-index $Z may not comply with the project's layering system"
    languages: [css, scss]
    severity: WARNING

Example: Detect deprecated imports

rules:
  - id: deprecated-import
    pattern: import $X from 'old-library'
    message: "You're using a deprecated library. Consider using 'new-library'"
    languages: [javascript, typescript]
    severity: WARNING

Development

Testing

pnpm test

Project Structure

├── src/
│   ├── config.ts         # Server configuration
│   └── index.ts          # Main entry point and handler implementations
├── scripts/
│   └── check-semgrep.js  # Semgrep detection and installation helper
├── build/                # Compiled JavaScript (after build)
└── tests/                # Unit tests

Further Documentation

Detailed information on usage is in:

  • USAGE.md - Detailed usage instructions
  • README_PL.md - Documentation in Polish
  • examples/ - Example Semgrep rules ("The Hall of Code Horrors")

License

This project is licensed under the MIT License.

Developed by

  • Maciej Gad - a veterinarian who became an MCP tool developer
  • Klaudiusz - an ethereal being inspired by Claude Sonnet AI

Developed with the help of Claude Code and MCP Tools

Acknowledgements

  • stefanskiasan for the original inspiration
  • Anthropic for Claude and the MCP protocol
  • Semgrep for their excellent static analysis tool