Semgrep Guardian integrates natively with AI coding agents like Claude Code and Cursor to catch security issues before they ship. It bundles the Semgrep MCP server, Hooks, and Skills into a single install, and scans every file an agent generates using Semgrep Code, Supply Chain, and Secrets. When findings are detected, the agent is prompted to regenerate code until Semgrep returns clean results or you choose to dismiss them.
The plugin uses each IDE’s native hook or MCP system:
This guide covers setup for each of the preceding products listed, but the plugin works with any MCP client.
Prerequisites
- Python 3.10 or later (the Semgrep CLI requires it at runtime regardless of how it was installed)
- Homebrew, pipx, or uv to install Semgrep
- A Semgrep account
Install the Semgrep CLI
These steps are the same regardless of which IDE you use.
Install Semgrep using Homebrew, pipx, or uv:
# or, install using uv (https://docs.astral.sh/uv/)
uv tool install semgrep
Sign in to your Semgrep account and install the Semgrep Pro engine:
semgrep login && semgrep install-semgrep-pro
semgrep login launches a browser window. You can also use the activation link printed in the terminal.
Connect to your IDE
Claude Code
Codex
Cursor
GitHub Copilot
VS Code
Windsurf
Other IDEs
Claude Code
Start a new Claude Code instance in the terminal: Go to Discover, search for Semgrep, and click Install.
The plugin registers a post-tool hook so Claude Code scans every file it writes. Learn more about Claude Code plugins and hooks.
Codex
Update your ~/.codex/config.toml file and paste the following:
[mcp_servers.semgrep]
command = "semgrep"
args = ["mcp"]
Codex does not expose a post-write hook, so Semgrep tools are surfaced through MCP and invoked when the agent calls them. Learn more about Codex MCP configuration.
Cursor
Restart Cursor to apply configuration.
In Cursor’s chat, run the /setup-semgrep-plugin skill to finish wiring up the plugin.
The plugin uses Cursor hooks (afterFileEdit and stop) to scan code as the agent writes it, and exposes Semgrep tools through Cursor MCP.
GitHub Copilot
Use this tab for GitHub Copilot in Visual Studio, JetBrains IDEs, Xcode, or Eclipse. (For Copilot in VS Code, use the VS Code tab.)
Register the Semgrep MCP server with your IDE’s Copilot configuration. The JSON shape is the same across IDEs:
{
  "servers": {
    "semgrep": {
      "command": "semgrep",
      "args": ["mcp"]
    }
  }
}
Follow your IDE’s instructions for where to put this entry: Extending Copilot Chat with MCP servers covers Visual Studio, JetBrains, Xcode, and Eclipse.
Restart your IDE and open Copilot Chat. Semgrep tools become available in Agent mode.
Copilot does not expose a post-write hook, so Semgrep tools are invoked when the agent calls them through MCP.
VS Code
Add the Semgrep MCP server to VS Code. Create .vscode/mcp.json in your workspace (or run the MCP: Open User Configuration command from the Command Palette for a user-wide entry) and paste the following:
{
  "servers": {
    "semgrep": {
      "command": "semgrep",
      "args": ["mcp"]
    }
  }
}
Verify that you’ve installed the latest version of Semgrep by running the following:
Reload VS Code. Semgrep tools become available in the Copilot Chat Agent mode.
VS Code does not expose a post-write hook today, so Semgrep tools are invoked when the agent calls them through MCP. Learn more about adding and managing MCP servers in VS Code.
Windsurf
Create a hooks.json file at ~/.codeium/windsurf/hooks.json and paste the following configuration:
{
  "hooks": {
    "post_write_code": [
      {
        "command": "semgrep mcp -k post-tool-cli-scan -a windsurf",
        "show_output": true
      }
    ]
  }
}
Restart Windsurf to apply hook configuration.
The post_write_code event fires after Cascade writes or modifies any file. Learn more about Windsurf Cascade hooks.
Other IDEs
Add the Semgrep MCP Server to your IDE. Semgrep provides sample configuration information that you can use as a starting point. Refer to your IDE’s documentation for specific details on where to add the MCP server configuration.
If your IDE supports a post-write or post-tool hook, point it at semgrep mcp -k post-tool-cli-scan -a <ide-name> to scan generated code automatically. The Windsurf tab above shows this pattern.
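The tabs above differ in one security-relevant way: a hook scans every file the agent writes, while an MCP-only registration scans only when the agent calls the tool. The following audit script is an added example, not part of Semgrep's documentation or tooling. It covers only the VS Code mcp.json and Windsurf hooks.json shapes shown on this page, and the function names (mcp_status, hook_status, audit) and status strings are hypothetical.

```python
import json
from pathlib import Path

# Paths and JSON shapes are the ones shown on this page.
VSCODE_MCP = Path(".vscode/mcp.json")
WINDSURF_HOOKS = Path.home() / ".codeium/windsurf/hooks.json"
# Constructed sample inputs mirroring the snippets above.
SAMPLE_MCP = '{"servers": {"semgrep": {"command": "semgrep", "args": ["mcp"]}}}'
SAMPLE_HOOKS = json.dumps({"hooks": {"post_write_code": [
    {"command": "semgrep mcp -k post-tool-cli-scan -a windsurf", "show_output": True}]}})

def _load(text):
    """Parse JSON text; return the top-level object, or None if unusable."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return None
    return data if isinstance(data, dict) else None

def mcp_status(text):
    """'mcp-only': Semgrep is registered, but scans run only when the agent calls it."""
    data = _load(text)
    if data is None:
        return "invalid"
    servers = data.get("servers")
    entry = servers.get("semgrep") if isinstance(servers, dict) else None
    ok = isinstance(entry, dict) and entry.get("command") == "semgrep" and entry.get("args") == ["mcp"]
    return "mcp-only" if ok else "missing"

def hook_status(text, event="post_write_code"):
    """'automatic': a hook on `event` runs the Semgrep scan after every write."""
    data = _load(text)
    if data is None:
        return "invalid"
    hooks = data.get("hooks")
    entries = hooks.get(event) if isinstance(hooks, dict) else None
    for hook in entries if isinstance(entries, list) else []:
        tokens = str(hook.get("command", "")).split() if isinstance(hook, dict) else []
        if tokens[:2] == ["semgrep", "mcp"] and "post-tool-cli-scan" in tokens:
            return "automatic"
    return "missing"

def audit():
    """Check the real files if present; 'absent' means nothing is configured."""
    checks = {VSCODE_MCP: mcp_status, WINDSURF_HOOKS: hook_status}
    return {str(p): fn(p.read_text()) if p.is_file() else "absent" for p, fn in checks.items()}

if __name__ == "__main__":
    print(mcp_status(SAMPLE_MCP), hook_status(SAMPLE_HOOKS), audit())
```

Run it from a workspace root; a result of mcp-only means generated code is not scanned unless the agent is prompted to do so.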
Scan your code
Open up your IDE’s AI chat window.
Ensure that you’re in the correct context to use Semgrep.
Prompt your IDE to scan with Semgrep.
By default, the Semgrep Guardian runs all three Semgrep products: Code, Supply Chain, and Secrets.