Giving AppSec a Seat at the Vibe Coding Table

“Coding vibes great, security vibes… kinda bad.” - AppSec teams watching everyone use Cursor right now

Chushi Li
April 2nd, 2025
Enter your email here
Your privacy matters to us. By submitting this form, you agree to our Privacy Policy
Share

We're shipping something new: an open-source Model Context Protocol (MCP) for Semgrep that works with any IDE based MCP client, like Cursor. 

-> Check it out on GitHub

It’s our first take at helping security tooling show up where vibe coding happens - our MVP for MCP (bad joke). It’s early, but we think it’s pretty dang cool!


What’s MCP?

MCP stands for Model Context Protocol, and it’s a new open standard for making tools accessible to large language models. Cursor just shipped first-class support for it, so we jumped in right away.

Our MCP server gives your favorite MCP client access to Semgrep’s powerful static analysis, including:

  • Security checks

  • Secret detection

  • Code quality checks

  • Custom Semgrep rules

Semgrep is especially well positioned to implement this, as our engine is transparent, extensible, and ultra fast. Essentially, our MCP makes it easy for LLMs to interface with Semgrep and leverage it as a tool (the same way ChatGPT can use Python for those pesky triple digit addition problems). 


This means that when you’re generating code in Cursor, or any IDE based MCP client, the model can answer questions like:

"Is this new function safe?"
"Are there any bugs in the code I just generated?"
"Am I leaking any secrets?"

And it can use the results to improve what it writes, or help you fix things right away. No context switching. No copy/pasting from terminal outputs.

Why we built this

We wish @leojr94_ the best and encourage him to connect his vibe coding tools to Semgrep's MCP server

We’re seeing a massive shift in how software is being written - more code is being generated by developers using AI-augmented editors with lots of help from LLMs. People with no software engineering experience are one-shot prompting entire apps. The code is flowing, which is awesome - but security tools haven’t kept up.

This plugin is our first step toward bridging that gap. If the LLM is your pair programmer, Semgrep can be your security brain - quietly checking your work, pointing out risky patterns, and helping the model output safer, cleaner code.

Open source, as always

If you're into dev tooling or AppSec, please tell us what you think. And if you want to build on it - open a PR, make it weirder, or fork it entirely - we’d love that too! This project is fully open source because we’re big believers in building things with our community.

We’d love to hear what you think. Got ideas? Found a bug? Want to add something wild? Go for it.

👉 See the code

What’s next?

We’re exploring tighter model integration, more robust custom rule support, and potentially letting developers or security engineers generate new rules via the LLM itself. We’re also curious how this model of interaction could show up in other editors and environments.

Mostly, we want to get it in your hands and see what breaks, what helps, and what vibes (another bad joke).

If you're a developer using any IDE based MCP client, we’d love for you to try it out and give us feedback!

— The Semgrep Team

About

Semgrep lets security teams partner with developers and shift left organically, without introducing friction. Semgrep gives security teams confidence that they are only surfacing true, actionable issues to developers, and makes it easy for developers to fix these issues in their existing environments.