Semgrep × Cursor Hooks: Making Security Reliable for Agents

Building for agents, not just developers 

We're excited to be an ecosystem partner for Cursor Hooks in the category of code security and best practices!

At Semgrep, we think carefully about how security tools should serve both developers and the coding agents acting on their behalf. AI can be powerful at finding bugs and reasoning about security, but foundational AppSec can’t depend on a stochastic AI “remembering” to run a scan or load the right security context. Security teams need guarantees: when code changes, certain checks must run, every time.

Protocols like MCP make security tools available to AI, but they don’t ensure they’re actually used. Deterministic execution is the missing piece that turns security from a suggestion into a guardrail for developers and their coding agents.

Enforceable security for stochastic agents

Hooks let Semgrep enforce security at precise points in an agent’s workflow: 

• After Cursor’s agent edits files, the afterFileEdit hook records exactly which files were changed.

• When an agent completes its loop, a stop hook triggers a Semgrep scan on all changed files. The agent is prompted to remediate all findings, and will regenerate code until all findings are fixed. 

• Cursor’s Cloud Distribution feature lets AppSec teams roll out preconfigured Semgrep hooks to every developer machine in a few clicks. This gives security teams confidence that all code generation in Cursor runs with consistent, enforced guardrails (local Semgrep installation required). 

Before hooks, securing coding agents with Semgrep required individual developers to opt in and explicitly prompt for security checks. Now, agent security is easy to deploy, deterministic, and fully observable across the organization. 🚀

What’s next: Secure code by default 

Hooks are not just for enforcing security after code is written. They also let us give models security context before they generate code. 

In upcoming versions, we plan to use Cursor’s beforeSubmitPrompt hook to inject relevant security context before any code is generated. Agents will start with information about known safe libraries, packages, and secure coding practices. Over time, this context will become organization-specific, incorporating threat models, internal frameworks, and custom security standards.

Looking forward

We’re excited to be working closely with Cursor as they launch Hooks. It’s a solid foundation for building tools that assume agents are first-class participants in software development. In terms of principles, this means we believe:

• Security should be callable via APIs, and invocable deterministically by hooks and workflows — not left to agent discretion.
  

• Security should live in the system, not the prompt. Developers shouldn’t have to spend time thinking about what security context or directions they need to paste into a prompt for the output to be safe. 
  

• An organization’s guardrails and policies shouldn’t exclude AI coding agents

Learn more about Cursor Hooks, and make sure to Semgrep’s new Cursor integration today!