- Claude Code: hooks and plugins
- Codex: MCP
- Cursor: hooks and MCP
- GitHub Copilot (Visual Studio, JetBrains, Xcode, Eclipse): MCP
- Kiro: MCP
- VS Code: MCP
- Devin (Windsurf): Cascade hooks
Prerequisites
- A Semgrep account
Connect to your IDE
- Claude Code
- Codex
- Cursor
- GitHub Copilot
- VS Code
- Devin (Windsurf)
- Kiro
- Other IDEs
Claude Code uses Semgrep’s hosted remote server by default, so you do not need to install the Semgrep CLI locally.The plugin registers a post-tool hook so Claude Code scans every file it writes. Learn more about Claude Code plugins and hooks.
1
Start a Claude Code instance:
2
Open the plugin manager:
3
Go to Discover, search for Semgrep, and click Install.
4
Tell Claude to load the plugin:
5
Start a new session in Claude to begin the Semgrep login flow:
Run Semgrep Guardian locally
Run Semgrep Guardian locally
The remote server is the recommended default. If you need to run Semgrep locally instead, you can install the local plugin from the
semgrep/guardian-local repo.2
Start a Claude Code instance:
3
Add the Semgrep marketplace:
4
Install the plugin from the marketplace:
5
Tell Claude to load the plugin:
6
Set up the plugin:
Install the Semgrep CLI
Every IDE except Claude Code runs Semgrep from a locally installed CLI. (Claude Code uses Semgrep’s hosted remote server by default and does not need a local CLI.)1
Install the Semgrep CLI using Homebrew, pipx, or uv. This requires Python 3.10 or later (the Semgrep CLI needs it at runtime regardless of how it was installed):
2
Verify that you’ve installed the latest version of Semgrep:
3
Sign in to your Semgrep account and install the Semgrep Pro engine:
semgrep login launches a browser window. You can also use the activation link printed in the terminal.Enterprise deployment guide
To roll out Semgrep Guardian across an organization, standardize the install so every developer’s agent picks up the plugin automatically instead of relying on each developer to install it by hand.Use your agent’s built-in enterprise controls
Most coding agents let you pin an approved marketplace or plugin for your whole team. This is the simplest way to make Guardian available (or required) everywhere:- Claude Code: Require marketplaces for your team
- Cursor: Team marketplaces
Deploy through a mobile device management (MDM) platform for more granularity
Deploy through your MDM platform to scope rollout by device group, or to combine Guardian with other managed configuration deployed via your MDM. Anthropic maintains a set of MDM deployment examples and best practices that cover managed settings for macOS (.plist and .mobileconfig profiles via Jamf, Kandji, and similar) and Windows (PowerShell file deployment or ADMX/registry policy via Intune and Group Policy), along with how to verify that managed settings are applied.
Get help with a custom rollout
Reach out if you want help building something custom for your MDM or agent fleet. You can find us in Semgrep’s#mcp Slack community or check out our support options.
Additional resources
- Semgrep’s
#mcpSlack community - The Semgrep MCP server repo on GitHub