We're shipping something new: an open-source Model Context Protocol (MCP) for Semgrep that works with any IDE based MCP client, like Cursor. With our MCP server, LLMs can use Semgrep to quickly find and fix security issues in the code they generate.
-> Check it out on GitHub
It’s our first take at helping security tooling show up where vibe coding happens - our MVP for MCP (bad joke). It’s early, but we think it’s pretty dang cool!
What’s MCP?
MCP stands for Model Context Protocol, and it’s a new open standard for making tools accessible to large language models. Cursor just shipped first-class support for it, so we jumped in right away.
Our MCP server gives your favorite MCP client access to Semgrep’s powerful static analysis, including:
Security checks
Secret detection
Code quality checks
Custom Semgrep rules
Semgrep is especially well positioned to implement this, as our engine is transparent, extensible, and ultra fast. Essentially, our MCP makes it easy for LLMs to interface with Semgrep and leverage it as a tool (the same way ChatGPT can use Python for those pesky triple digit addition problems).
This means that when you’re generating code in Cursor, or any IDE based MCP client, the model can answer questions like:
"Is this new function safe?"
"Are there any bugs in the code I just generated?"
"Am I leaking any secrets?"
And it can use Semgrep to improve what it writes, or help you fix things right away. No context switching or copy/pasting from terminal outputs. When an LLM uses Semgrep to check generated code for vulnerabilities, Semgrep helps the model fix any detected issues. When the LLM generates a fix, it can call on Semgrep again to make sure that the issue has been remediated.
Why we built this
We wish @leojr94_ the best and encourage him to connect his vibe coding tools to Semgrep's MCP server
We’re seeing a massive shift in how software is being written - more code is being generated by developers using AI-augmented editors with lots of help from LLMs. People with no software engineering experience are one-shot prompting entire apps. The code is flowing, which is awesome - but security tools haven’t kept up.
This plugin is our first step toward bridging that gap. If the LLM is your pair programmer, Semgrep can be your security brain - quietly checking your work, fixing risky patterns, and helping the model output safer, cleaner code.
Open source, as always
If you're into dev tooling or AppSec, please tell us what you think. And if you want to build on it - open a PR, make it weirder, or fork it entirely - we’d love that too! This project is fully open source because we’re big believers in building things with our community.
We’d love to hear what you think. Got ideas? Found a bug? Want to add something wild? Go for it.
What’s next?
We’re exploring tighter model integration, more robust custom rule support, and potentially letting developers or security engineers generate new rules via the LLM itself. We’re also curious how this model of interaction could show up in other editors and environments.
Mostly, we want to get it in your hands and see what breaks, what helps, and what vibes (another bad joke).
If you're a developer using any IDE based MCP client, we’d love for you to try it out and give us feedback!
— The Semgrep Team
