Semgrep Code Quality MCP Server

A cloud-deployed Model Context Protocol (MCP) server providing static code analysis, security vulnerability scanning, and code quality checks powered by Semgrep.

---

What is this Actor?

This Actor provides AI agents (like Claude, GPT, or custom LLM applications) with powerful code analysis capabilities through the MCP protocol. It enables:

• Real-time security scanning of code snippets and files
• Vulnerability detection with OWASP/CWE classification
• Custom rule enforcement for project-specific standards
• Multi-language support for 30+ programming languages

Key Features

Security Scanning Detect critical vulnerabilities: SQL Injection Cross-Site Scripting (XSS) Command Injection Path Traversal Hardcoded Secrets

Standards Compliance Map findings to industry standards: OWASP Top 10 (2021) CWE Top 25 SANS Top 25 PCI-DSS requirements

---

Supported Languages

---

How to Use

Option 1: Direct API Call

Send MCP tool requests to the Actor's API endpoint:

curl -X POST "https://api.apify.com/v2/acts/YOUR_USERNAME~semgrep-mcp-server/runs?token=YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "tool": "security_check",
    "arguments": {
      "code": "import os; os.system(user_input)",
      "language": "python"
    }
  }'

Option 2: Standby Mode (Persistent Connection)

For continuous MCP connections (e.g., Claude Desktop):

1. Enable standby in Actor input: "enableStandby": true
2. Enable "Standby mode" in Apify Console → Actor Settings
3. Connect to: https://YOUR_ACTOR_URL.apify.actor/mcp

---

MCP Tools Reference

security_check

Quick security scan for a single code snippet.

Parameter	Type	Required	Description
code	string	Yes	Code to analyze
language	string	Yes	Programming language
filename	string	No	Filename for context

Example:

{
  "tool": "security_check",
  "arguments": {
    "code": "eval(request.GET['cmd'])",
    "language": "python"
  }
}

semgrep_scan

Full configurable scan with multiple files and rulesets.

Parameter	Type	Required	Description
codeFiles	array	Yes	Array of {path, content} objects
config	string	No	Ruleset (default: "auto")
severity	array	No	Filter: ERROR, WARNING, INFO
exclude	array	No	Patterns to exclude
timeout	number	No	Timeout in seconds (10-300)

Example:

{
  "tool": "semgrep_scan",
  "arguments": {
    "codeFiles": [
      {"path": "app.py", "content": "from flask import *\n@app.route('/search')\ndef search():\n    return render_template_string(request.args['q'])"},
      {"path": "utils.py", "content": "import subprocess\ndef run(cmd): subprocess.call(cmd, shell=True)"}
    ],
    "config": "p/security-audit",
    "severity": ["ERROR", "WARNING"]
  }
}

semgrep_scan_custom_rule

Scan using a custom Semgrep YAML rule.

Parameter	Type	Required	Description
code	string	Yes	Code to analyze
rule	string	Yes	Custom rule in YAML
language	string	Yes	Programming language

Example:

{
  "tool": "semgrep_scan_custom_rule",
  "arguments": {
    "code": "console.log('DEBUG:', secret)",
    "language": "javascript",
    "rule": "rules:\n  - id: no-debug-logs\n    pattern: console.log('DEBUG:', ...)\n    message: Remove debug statements before production\n    languages: [javascript]\n    severity: WARNING"
  }
}

supported_languages

Returns list of all supported programming languages.

list_rulesets

Returns available Semgrep rulesets for scanning.

---

Input Configuration

Parameter	Type	Default	Description
semgrepAppToken	string	-	Optional Semgrep AppSec Platform token for managed rules
defaultConfig	string	"auto"	Default ruleset (e.g., "p/security-audit", "p/owasp-top-ten")
enableMetrics	boolean	false	Enable anonymous usage metrics
enableStandby	boolean	false	Enable persistent MCP server mode
standbyIdleTimeout	integer	120	Auto-exit after N seconds idle (30-3600)

---

Popular Rulesets

Ruleset	Description	Use Case
auto	Automatic detection	General scanning
p/security-audit	Comprehensive security	Security reviews
p/owasp-top-ten	OWASP Top 10	Compliance checks
p/cwe-top-25	CWE Top 25	Vulnerability assessment
p/secrets	Secrets detection	Credential scanning
p/ci	CI/CD optimized	Pipeline integration
p/python	Python-specific	Python projects
p/javascript	JavaScript-specific	JS/TS projects

---

Output Schema

Scan results are stored in the Apify dataset:

{
  "scanId": "550e8400-e29b-41d4-a716-446655440000",
  "timestamp": "2024-12-21T10:00:00Z",
  "tool": "security_check",
  "language": "python",
  "totalFindings": 2,
  "severity": "ERROR",
  "findings": [
    {
      "ruleId": "python.lang.security.audit.dangerous-system-call",
      "severity": "ERROR",
      "message": "Detected dangerous system call with user input",
      "file": "app.py",
      "line": 15,
      "column": 5,
      "category": "security",
      "cwe": ["CWE-78"],
      "owasp": ["A03:2021"]
    }
  ]
}

---

Pricing

Event	Price	Description
scan-code	$0.01	Per semgrep_scan call
security-check	$0.02	Per security_check call
custom-rule-scan	$0.03	Per custom rule scan

---

Resources

• Semgrep Documentation
• Semgrep Rules Registry
• Model Context Protocol Specification
• Apify MCP Integration Guide

---

License

MIT