Semgrep Plugin
Semgrep's plugin integrates natively with AI coding agents like Cursor, Claude Code, and Windsurf to catch security issues before they ship. It bundles the Semgrep MCP server, Hooks, and Skills into a single install, and scans every file an agent generates using Semgrep Code, Supply Chain, and Secrets. When findings are detected, the agent is prompted to regenerate code until Semgrep returns clean results or you choose to dismiss them.
This guide covers setup for Cursor, Windsurf, and Claude Code, but the plugin works with any MCP client.
Prerequisites
- Python 3.10 or later
- Homebrew or pip to install Semgrep
- A Semgrep account
Installation
- Claude Code
- Cursor
- Windsurf
- Other IDEs
Claude Code:
- Install Semgrep:
    # install through homebrew
    brew install semgrep
    # install through pip
    python3 -m pip install semgrep
- Verify that you've installed the latest version of Semgrep by running the following:
    semgrep --version
- Start a new Claude Code instance in the terminal:
    claude
- Open the plugin browser:
    /plugin
- Go to Discover, search for Semgrep, and click Install.
- Set up the Semgrep plugin by running the following skill. This also installs the Semgrep CLI:
    /setup-semgrep-plugin
Cursor:
- Install Semgrep:
    # install through homebrew
    brew install semgrep
    # install through pip
    python3 -m pip install semgrep
- Verify that you've installed the latest version of Semgrep by running the following:
    semgrep --version
- Log in to Semgrep and install Semgrep Pro:
    semgrep login && semgrep install-semgrep-pro
- Find Semgrep in the Cursor Plugin Marketplace, or open Cursor > ⌘⇧J > Plugins. Search "Semgrep" and click Add to Cursor.
- Restart Cursor to apply configuration.
Windsurf:
- Install Semgrep:
    # install through homebrew
    brew install semgrep
    # install through pip
    python3 -m pip install semgrep
- Verify that you've installed the latest version of Semgrep by running the following:
    semgrep --version
- Log in to Semgrep and install Semgrep Pro:
    semgrep login && semgrep install-semgrep-pro
- Create a hooks.json file at ~/.codeium/windsurf/hooks.json and paste the following configuration:
    {
      "hooks": {
        "post_write_code": [
          {
            "command": "semgrep mcp -k post-tool-cli-scan -a windsurf",
            "show_output": true
          }
        ]
      }
    }
- Restart Windsurf to apply hook configuration.
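If hooks.json already exists, pasting over it drops any hooks it already holds. The following added example (not part of the Semgrep documentation) merges the same entry into an existing file instead; it assumes other entries share the `{"hooks": {event: [...]}}` shape shown above, and the function names are illustrative.

```python
import json
import os
import tempfile
from pathlib import Path

# Path and hook entry exactly as given in the Windsurf steps above.
HOOKS_PATH = Path.home() / ".codeium" / "windsurf" / "hooks.json"
SEMGREP_HOOK = {
    "command": "semgrep mcp -k post-tool-cli-scan -a windsurf",
    "show_output": True,
}


def ensure_semgrep_hook(config: dict) -> tuple[dict, bool]:
    """Return (config, changed) with the Semgrep hook registered once.

    Assumption: existing entries use the same layout as the snippet above,
    {"hooks": {"<event>": [ {"command": ...}, ... ]}}.
    """
    hooks = config.setdefault("hooks", {})
    entries = hooks.setdefault("post_write_code", []) if isinstance(hooks, dict) else None
    if not isinstance(entries, list):
        raise ValueError("unexpected hooks.json structure; edit it by hand")
    for entry in entries:
        if isinstance(entry, dict) and entry.get("command") == SEMGREP_HOOK["command"]:
            return config, False  # already present, leave the file untouched
    entries.append(dict(SEMGREP_HOOK))
    return config, True


def install(path: Path = HOOKS_PATH) -> bool:
    """Merge the hook into the file at path; return True if it was rewritten."""
    config = json.loads(path.read_text()) if path.exists() else {}
    if not isinstance(config, dict):
        raise ValueError("hooks.json must contain a JSON object")
    config, changed = ensure_semgrep_hook(config)
    if changed:
        path.parent.mkdir(parents=True, exist_ok=True)
        # Write a temp file and rename it so a crash never leaves a truncated hooks.json.
        fd, tmp = tempfile.mkstemp(dir=path.parent, suffix=".tmp")
        with os.fdopen(fd, "w") as fh:
            json.dump(config, fh, indent=2)
            fh.write("\n")
        os.replace(tmp, path)
    return changed


if __name__ == "__main__":
    print("updated" if install() else "already configured", HOOKS_PATH)
```

Running it a second time reports "already configured", which also makes it usable as a check that the scan hook is still registered.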
Other IDEs:
- Install Semgrep:
    # install through homebrew
    brew install semgrep
    # install through pip
    python3 -m pip install semgrep
- Verify that you've installed the latest version of Semgrep by running the following:
    semgrep --version
- Sign in to your Semgrep account. Running this command launches a browser window, but you can also use the link that's returned in the CLI to proceed:
    semgrep login
  In the Semgrep CLI login, click Activate to proceed.
- Return to the CLI, and install the Semgrep Pro engine:
    semgrep install-semgrep-pro
- Add the Semgrep MCP Server to your IDE. Semgrep provides sample configuration information that you can use as a starting point for your configuration. Refer to your IDE's documentation for specific details on where to add the MCP server configuration information.
Scan your code
- Open up your IDE's AI chat window.
- Ensure that you're in the correct context to use Semgrep.
- Prompt your IDE to scan with Semgrep.
By default, the MCP Server runs all three Semgrep products: Code, Supply Chain, and Secrets.
Additional resources
- Semgrep's #mcp Slack community
- The Semgrep MCP server repo on GitHub