Semgrep Guardian
Semgrep Guardian integrates natively with AI coding agents like Claude Code and Cursor to catch security issues before they ship. It bundles the Semgrep MCP server, Hooks, and Skills into a single install, and scans every file an agent generates using Semgrep Code, Supply Chain, and Secrets. When findings are detected, the agent is prompted to regenerate code until Semgrep returns clean results or you choose to dismiss them.
The plugin uses each IDE's native hook or MCP system:
- Claude Code: hooks and plugins
- Codex: MCP
- Cursor: hooks and MCP
- GitHub Copilot (Visual Studio, JetBrains, Xcode, Eclipse): MCP
- VS Code: MCP
- Windsurf: Cascade hooks
This guide covers setup for each of the products listed above, but the plugin works with any MCP client.
Prerequisites
- Python 3.10 or later (the Semgrep CLI requires it at runtime regardless of how it was installed)
- Homebrew, pipx, or uv to install Semgrep
- A Semgrep account
Install the Semgrep CLI
These steps are the same regardless of which IDE you use.
- Install Semgrep using Homebrew, pipx, or uv:
  # install using Homebrew
  brew install semgrep
  # or, install using pipx (https://pipx.pypa.io/stable/how-to/install-pipx/)
  pipx install semgrep
  # or, install using uv (https://docs.astral.sh/uv/)
  uv tool install semgrep
- Verify that you've installed the latest version of Semgrep:
  semgrep --version
- Sign in to your Semgrep account and install the Semgrep Pro engine:
  semgrep login && semgrep install-semgrep-pro
  semgrep login launches a browser window. You can also use the activation link printed in the terminal.
Connect to your IDE
Follow the section for your IDE:
- Claude Code
- Codex
- Cursor
- GitHub Copilot
- VS Code
- Windsurf
- Other IDEs
Claude Code
- Start a new Claude Code instance in the terminal:
  claude
- Open the plugin manager:
  /plugin
- Go to Discover, search for Semgrep, and click Install.
- Set up the Guardian:
  /setup-semgrep-plugin
The plugin registers a post-tool hook so Claude Code scans every file it writes. Learn more about Claude Code plugins and hooks.
Codex
- Update your ~/.codex/config.toml file and paste the following:
  [mcp_servers.semgrep]
  command = "semgrep"
  args = ["mcp"]
Codex does not expose a post-write hook, so Semgrep tools are surfaced through MCP and invoked when the agent calls them. Learn more about Codex MCP configuration.
Cursor
- Find Semgrep in the Cursor Plugin Marketplace, or open Cursor > ⌘⇧J > Plugins. Search "Semgrep" and click Add to Cursor.
- Restart Cursor to apply the configuration.
- In Cursor's chat, run the /setup-semgrep-plugin skill to finish wiring up the plugin.
The plugin uses Cursor hooks (afterFileEdit and stop) to scan code as the agent writes it, and exposes Semgrep tools through Cursor MCP.
GitHub Copilot
Use this section for GitHub Copilot in Visual Studio, JetBrains IDEs, Xcode, or Eclipse. (For Copilot in VS Code, use the VS Code section.)
- Register the Semgrep MCP server with your IDE's Copilot configuration. The JSON shape is the same across IDEs:
  {
    "servers": {
      "semgrep": {
        "command": "semgrep",
        "args": ["mcp"]
      }
    }
  }
  Follow your IDE's instructions for where to put this entry: Extending Copilot Chat with MCP servers covers Visual Studio, JetBrains, Xcode, and Eclipse.
- Restart your IDE and open Copilot Chat. Semgrep tools become available in Agent mode.
Copilot does not expose a post-write hook, so Semgrep tools are invoked when the agent calls them through MCP.
VS Code
- Add the Semgrep MCP server to VS Code. Create .vscode/mcp.json in your workspace (or run the MCP: Open User Configuration command from the Command Palette for a user-wide entry) and paste the following:
  {
    "servers": {
      "semgrep": {
        "command": "semgrep",
        "args": ["mcp"]
      }
    }
  }
- Reload VS Code. Semgrep tools become available in the Copilot Chat Agent mode.
VS Code does not expose a post-write hook today, so Semgrep tools are invoked when the agent calls them through MCP. Learn more about adding and managing MCP servers in VS Code.
Windsurf
- Create a hooks.json file at ~/.codeium/windsurf/hooks.json and paste the following configuration:
  {
    "hooks": {
      "post_write_code": [
        {
          "command": "semgrep mcp -k post-tool-cli-scan -a windsurf",
          "show_output": true
        }
      ]
    }
  }
- Restart Windsurf to apply the hook configuration.
The post_write_code event fires after Cascade writes or modifies any file. Learn more about Windsurf Cascade hooks.
Other IDEs
Add the Semgrep MCP server to your IDE. Semgrep provides sample configuration that you can use as a starting point. Refer to your IDE's documentation for where to add the MCP server configuration.
If your IDE supports a post-write or post-tool hook, point it at semgrep mcp -k post-tool-cli-scan -a <ide-name> to scan generated code automatically. The Windsurf section above shows this pattern.
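The VS Code, Copilot, and Windsurf sections above each ask you to paste an entry into a file that may already hold other servers or hooks. As an added example (not part of the Semgrep plugin or this guide), the following Python helper merges the Guardian entries into those files without overwriting existing servers and without duplicating the hook on a re-run. The config shapes, file locations, and hook command are the ones from this guide; the merge helpers themselves are assumptions.

```python
"""Merge Semgrep Guardian entries into existing IDE config files.

Added helper, not part of the Semgrep plugin. The config shapes, file
locations and hook command come from this guide; the merge logic is assumed."""
import copy
import json
from pathlib import Path

# MCP server entry used by the VS Code and GitHub Copilot configs in this guide.
SEMGREP_MCP_SERVER = {"command": "semgrep", "args": ["mcp"]}


def hook_command(ide_name: str) -> str:
    """Post-write hook command from the guide; ide_name fills the -a <ide-name> slot."""
    return f"semgrep mcp -k post-tool-cli-scan -a {ide_name}"


def merge_mcp_server(config: dict) -> dict:
    """Add the 'semgrep' server under 'servers', keeping servers already present."""
    merged = copy.deepcopy(config)  # never mutate the caller's dict
    merged.setdefault("servers", {})["semgrep"] = dict(SEMGREP_MCP_SERVER)
    return merged


def merge_windsurf_hook(config: dict, ide_name: str = "windsurf") -> dict:
    """Append the post_write_code hook once; re-running must not duplicate it."""
    merged = copy.deepcopy(config)
    hooks = merged.setdefault("hooks", {}).setdefault("post_write_code", [])
    cmd = hook_command(ide_name)
    if not any(h.get("command") == cmd for h in hooks):
        hooks.append({"command": cmd, "show_output": True})
    return merged


def update_json_file(path: Path, merge) -> dict:
    """Read path (treat a missing file as {}), apply merge, write it back."""
    existing = json.loads(path.read_text()) if path.exists() else {}
    merged = merge(existing)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(merged, indent=2) + "\n")
    return merged


if __name__ == "__main__":
    # Constructed sample: a workspace that already has another MCP server.
    sample = {"servers": {"other": {"command": "other-mcp", "args": []}}}
    print(json.dumps(merge_mcp_server(sample), indent=2))
```

To apply the changes for real, call update_json_file(Path(".vscode/mcp.json"), merge_mcp_server) or update_json_file(Path.home() / ".codeium/windsurf/hooks.json", merge_windsurf_hook).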
Scan your code
- Open up your IDE's AI chat window.
- Ensure that you're in the correct context to use Semgrep.
- Prompt your IDE to scan with Semgrep.
By default, the Semgrep Guardian runs all three Semgrep products: Code, Supply Chain, and Secrets.
Additional resources
- Semgrep's #mcp Slack community
- The Semgrep MCP server repo on GitHub
Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.