Semgrep MCP server
Run Semgrep scans and pull AppSec Platform findings from your AI agents.
About
Connect Tracecat to Semgrep to run SAST scans and pull AppSec Platform findings for AppSec engineers and security agents reviewing code changes. You can scan a repository on demand with default or custom rules and inspect the AST for any snippet. From there, pull platform findings for a project, draft new detection rules, and triage pull requests with precision.
Setup
- 1
Create an access token
The Semgrep MCP server runs scans locally without authentication. To pull findings from the Semgrep AppSec Platform, set the `SEMGREP_APP_TOKEN` environment variable to a token generated in your Semgrep account settings.
- 2
Select the Semgrep tile in the Tracecat MCP catalog
Open the MCP catalog in your workspace, select the Semgrep tile, and paste your access token.
- 3
Enable Semgrep in your agent
In your `ai.agent` action or Agents → tools tab, select Semgrep from the MCP integrations dropdown.
Tools
| Tool | Description |
| --- | --- |
| security_check | Scan code for security vulnerabilities with Semgrep's default rulesets. |
| semgrep_scan | Run a Semgrep scan against a given code path with a chosen config. |
| semgrep_scan_with_custom_rule | Run a scan using a custom Semgrep rule supplied at call time. |
| get_abstract_syntax_tree | Return the AST for a snippet, useful when authoring custom rules. |
| semgrep_findings | Fetch findings from the Semgrep AppSec Platform for a project or org. |
| supported_languages | List languages Semgrep can parse and scan today. |
| semgrep_rule_schema | Return the JSON Schema for Semgrep rule files. |
| write_custom_semgrep_rule | Prompt-style helper that guides the agent through writing a new rule. |