{"passport":{"unfragile":{"@version":"1.0","version":"2026-05","artifact":{"id":"awesome-semgrep","slug":"semgrep","name":"Semgrep","type":"mcp","url":"https://github.com/semgrep/mcp","page_url":"https://unfragile.ai/semgrep","categories":["mcp-servers"],"tags":[],"pricing":{"model":"open_source","free":true,"starting_price":null},"status":"active","verified":false},"capabilities":[{"id":"awesome-semgrep__cap_0","uri":"capability://safety.moderation.static.code.pattern.matching.via.semgrep.rules","name":"static code pattern matching via semgrep rules","description":"Executes Semgrep's pattern-based static analysis engine through MCP protocol, allowing AI agents to run custom YAML-defined rules against codebases to detect security vulnerabilities, code quality issues, and compliance violations. Uses Semgrep's proprietary syntax (combining regex, metavariables, and structural patterns) to match code across 30+ languages without requiring AST compilation by the agent itself.","intents":["I want my AI agent to scan code for security vulnerabilities without shipping code to external APIs","I need to enforce custom linting rules across a codebase as part of an automated security workflow","I want to detect specific anti-patterns (e.g., hardcoded credentials, unsafe SQL) in real-time during code review"],"best_for":["Security teams building AI-powered code scanning agents","DevSecOps engineers integrating static analysis into LLM-based CI/CD workflows","Enterprise teams requiring on-premise code analysis without cloud transmission"],"limitations":["Requires Semgrep CLI to be installed and accessible on the agent's system — no pure Python/Node.js fallback","Pattern matching performance degrades on very large codebases (>1M LOC) without proper rule optimization","Custom rule development requires learning Semgrep's YAML syntax; no visual rule builder exposed through MCP","No built-in incremental scanning — each invocation re-scans the entire target unless filtered by file path"],"requires":["Semgrep CLI 1.45.0 or later installed and in system PATH","MCP server implementation (Node.js 18+ or Python 3.9+)","Read access to target codebase files","Optional: Semgrep Pro account for access to proprietary rule registry"],"input_types":["file paths (relative or absolute)","code snippets (as strings)","directory paths for recursive scanning","YAML rule definitions (custom or from registry)"],"output_types":["structured JSON findings (vulnerability location, severity, message)","SARIF format (standard for static analysis results)","plain text summaries"],"categories":["safety-moderation","code-generation-editing"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"awesome-semgrep__cap_1","uri":"capability://code.generation.editing.multi.language.code.scanning.with.language.specific.rule.sets","name":"multi-language code scanning with language-specific rule sets","description":"Routes code analysis through Semgrep's language detection and rule filtering system, automatically selecting and applying language-specific rule sets (Python, JavaScript, Java, Go, C#, etc.) based on file extension or content analysis. MCP integration allows agents to scan polyglot codebases without manually specifying which rules apply to which files.","intents":["I want to scan a monorepo with multiple languages and automatically apply the right security rules to each file type","I need language-specific vulnerability patterns (e.g., SQL injection in Python vs. Java) applied intelligently","I want my agent to understand which rules are relevant without me specifying language context"],"best_for":["Teams maintaining polyglot microservices or monorepos","AI agents building automated security dashboards across heterogeneous codebases","Developers needing language-agnostic security scanning in CI/CD pipelines"],"limitations":["Language detection relies on file extensions; ambiguous cases (e.g., .js for both Node.js and browser code) may apply incorrect rule sets","Performance scales linearly with number of files; scanning 10k+ files across 5+ languages can exceed 30 seconds","Some language-specific rules have false positive rates (e.g., 15-20% for Python type-related rules) requiring manual triage"],"requires":["Semgrep CLI with language packs for target languages","File system access with readable file extensions","Optional: Language-specific parsers (e.g., tree-sitter) for structural analysis"],"input_types":["directory paths (auto-detects languages)","file lists with language hints","code snippets with language specification"],"output_types":["language-tagged findings (e.g., 'python.security.injection')","aggregated reports grouped by language","per-language severity distributions"],"categories":["code-generation-editing","safety-moderation"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"awesome-semgrep__cap_2","uri":"capability://code.generation.editing.real.time.vulnerability.remediation.suggestions.via.ai.integration","name":"real-time vulnerability remediation suggestions via ai integration","description":"Combines Semgrep findings with LLM context to generate code fix suggestions, leveraging the MCP protocol to pass vulnerability metadata (location, pattern, severity) to the AI agent, which then generates contextual remediation code. Semgrep provides structured finding data (line number, matched code, rule ID) that the agent uses to construct targeted fix prompts.","intents":["I want my AI agent to not just find vulnerabilities but suggest concrete code fixes","I need to auto-generate pull requests with security fixes for detected issues","I want to understand WHY a pattern is vulnerable and see a corrected version"],"best_for":["AI-powered code review systems that need to suggest fixes alongside findings","Automated remediation workflows in security-focused CI/CD","Developer education tools that explain vulnerabilities with corrected code examples"],"limitations":["Fix quality depends on LLM capability and context window; complex multi-file refactors may exceed token limits","No built-in validation that generated fixes actually resolve the vulnerability — requires separate testing step","Semgrep provides finding location but not always the full context needed for LLM to generate correct fixes (e.g., function signature, imports)","Fix generation latency adds 2-5 seconds per finding due to LLM inference time"],"requires":["Semgrep CLI with structured output (JSON/SARIF)","LLM API access (OpenAI, Anthropic, or local model)","Full source code context (not just snippets) for accurate fix generation","Optional: Code formatter (prettier, black) to normalize generated fixes"],"input_types":["Semgrep findings (JSON with location, rule ID, matched code)","source code context (surrounding lines, function body)","rule metadata (description, severity, CWE mapping)"],"output_types":["code patches (unified diff format)","suggested code blocks (with line numbers)","remediation explanations (natural language + code)"],"categories":["code-generation-editing","planning-reasoning"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"awesome-semgrep__cap_3","uri":"capability://code.generation.editing.custom.rule.development.and.testing.via.mcp","name":"custom rule development and testing via mcp","description":"Exposes Semgrep's rule validation and testing framework through MCP, allowing agents to create, validate, and test custom YAML rules against code samples without manual CLI invocation. Agents can iterate on rule definitions, run them against test cases, and receive structured feedback on rule syntax and matching accuracy.","intents":["I want my agent to learn from past security findings and create custom rules to catch similar issues","I need to validate a new security rule against a test suite before deploying it to production","I want to generate organization-specific linting rules based on code patterns I've observed"],"best_for":["Security teams building custom rule libraries for proprietary code patterns","AI agents that learn and adapt security rules based on codebase analysis","Organizations with domain-specific compliance requirements (e.g., PCI-DSS, HIPAA)"],"limitations":["Rule syntax is YAML-based and requires understanding Semgrep's pattern language; agents need training data on rule structure","No visual feedback on rule matching — agents must interpret JSON test results to debug rules","Rule performance optimization requires manual tuning; agents cannot automatically optimize slow rules","Testing is limited to provided test cases; no fuzzing or adversarial testing built into MCP"],"requires":["Semgrep CLI with rule development tools","Understanding of Semgrep pattern syntax (metavariables, operators, language-specific constructs)","Test code samples that cover positive and negative cases","Write access to rule storage (local files or registry)"],"input_types":["YAML rule definitions (custom syntax)","test code snippets (positive and negative examples)","rule metadata (description, severity, CWE mapping)"],"output_types":["rule validation results (syntax errors, warnings)","test execution reports (pass/fail per test case)","rule performance metrics (execution time, false positive rate)"],"categories":["code-generation-editing","planning-reasoning"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"awesome-semgrep__cap_4","uri":"capability://data.processing.analysis.codebase.wide.security.posture.assessment.and.reporting","name":"codebase-wide security posture assessment and reporting","description":"Aggregates Semgrep findings across an entire codebase to generate security posture reports, calculating metrics like vulnerability density (issues per KLOC), severity distribution, and trend analysis over time. MCP integration allows agents to request full-codebase scans and receive summarized metrics suitable for dashboards, compliance reports, and executive summaries.","intents":["I want a security score for my codebase that I can track over time","I need to generate compliance reports showing vulnerability remediation progress","I want to identify which parts of my codebase have the highest security risk"],"best_for":["Security teams generating compliance and audit reports","AI agents building security dashboards and trend analysis","Engineering leaders tracking security metrics across teams and projects"],"limitations":["Metrics are based on static analysis findings only — does not account for runtime vulnerabilities or business logic flaws","Vulnerability density metrics can be misleading for small codebases or those with high test-to-code ratios","Historical trend analysis requires persistent storage of scan results; MCP does not provide built-in time-series database","Severity scoring is based on Semgrep's rule definitions; may not align with organization's risk model"],"requires":["Complete codebase access for full-codebase scanning","Semgrep CLI with all relevant rule sets installed","Optional: External storage (database, time-series DB) for historical trend tracking","Optional: Custom severity mapping to align with organizational risk model"],"input_types":["codebase directory path","rule filter criteria (severity, language, CWE)","time range (for trend analysis)"],"output_types":["aggregated metrics (total issues, severity distribution, density)","per-component breakdowns (by file, directory, language)","trend reports (issues over time, remediation velocity)","compliance-ready summaries (CVSS scores, CWE mappings)"],"categories":["data-processing-analysis","safety-moderation"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"awesome-semgrep__cap_5","uri":"capability://memory.knowledge.integration.with.managed.semgrep.rule.registry.and.updates","name":"integration with managed semgrep rule registry and updates","description":"Connects to Semgrep's managed rule registry (2000+ community rules, proprietary rules for Pro users) through MCP, allowing agents to fetch, update, and manage rule sets without manual downloads. Agents can subscribe to rule updates, check for new vulnerabilities matching their codebase, and maintain synchronized rule versions across scanning operations.","intents":["I want my agent to automatically use the latest security rules without manual updates","I need to know when new vulnerability patterns are discovered that affect my codebase","I want to use Semgrep Pro's proprietary rules in my automated scanning pipeline"],"best_for":["Teams running continuous security scanning with up-to-date rule coverage","AI agents that need to adapt to emerging vulnerability patterns","Organizations with Semgrep Pro subscriptions seeking to leverage proprietary rules"],"limitations":["Registry access requires internet connectivity; offline scanning uses cached rules only","Rule updates can introduce new false positives; agents should implement result filtering or manual review gates","Semgrep Pro rules are proprietary and require authentication; MCP must securely handle API credentials","Rule registry updates are asynchronous; agents cannot guarantee real-time access to newest rules"],"requires":["Internet connectivity for registry access","Semgrep CLI with registry sync capability","Optional: Semgrep Pro API key for proprietary rule access","Optional: Local caching mechanism for offline scanning"],"input_types":["rule filter criteria (language, severity, CWE, category)","rule version specifications","authentication credentials (API key for Pro rules)"],"output_types":["rule metadata (ID, description, severity, CWE mapping)","rule update notifications (new rules, rule changes)","rule availability status (free vs. Pro)"],"categories":["memory-knowledge","automation-workflow"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"awesome-semgrep__cap_6","uri":"capability://code.generation.editing.contextual.code.analysis.with.cross.file.dependency.tracking","name":"contextual code analysis with cross-file dependency tracking","description":"Analyzes code patterns across file boundaries, tracking variable assignments, function calls, and data flow to detect vulnerabilities that span multiple files. MCP integration allows agents to request cross-file analysis for specific patterns (e.g., tainted data flow from user input to SQL query) without manually managing file dependencies.","intents":["I want to detect vulnerabilities that span multiple files (e.g., unsanitized user input passed to SQL query)","I need to understand data flow across my codebase to identify injection vulnerabilities","I want to find where a vulnerable function is called from, even if it's in a different file"],"best_for":["Security teams analyzing complex codebases with deep call chains","AI agents building data-flow-aware vulnerability detection","Teams detecting supply chain vulnerabilities (e.g., vulnerable dependencies used across files)"],"limitations":["Cross-file analysis requires full codebase indexing; performance degrades significantly for large codebases (>100k files)","Data flow analysis is limited to syntactic patterns; does not perform full taint tracking or symbolic execution","Requires language-specific parsers for accurate cross-file resolution; some languages (e.g., dynamic languages) have limited support","False negatives are common for complex control flow (e.g., indirect function calls, reflection)"],"requires":["Full codebase access (not just individual files)","Semgrep CLI with cross-file analysis enabled","Language-specific parsers (tree-sitter or equivalent) for accurate AST analysis","Sufficient memory for codebase indexing (typically 2-4x codebase size)"],"input_types":["codebase directory path","pattern definitions (with cross-file scope)","entry point specifications (e.g., user input sources)"],"output_types":["cross-file findings (with file paths and line numbers)","data flow paths (showing how data flows from source to sink)","call chain analysis (function call sequences across files)"],"categories":["code-generation-editing","planning-reasoning"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"awesome-semgrep__cap_7","uri":"capability://safety.moderation.automated.compliance.checking.against.security.standards","name":"automated compliance checking against security standards","description":"Maps Semgrep findings to compliance frameworks (OWASP Top 10, CWE, PCI-DSS, HIPAA, SOC 2) and generates compliance reports showing which standards are violated and remediation status. MCP integration allows agents to request compliance assessments and receive structured reports suitable for audit trails and compliance dashboards.","intents":["I need to demonstrate compliance with OWASP Top 10 or other security standards","I want to map my security findings to CWE IDs for compliance reporting","I need to track remediation progress against specific compliance requirements"],"best_for":["Compliance and audit teams generating compliance reports","AI agents building compliance dashboards for regulated industries","Organizations undergoing security audits or certifications (SOC 2, ISO 27001, PCI-DSS)"],"limitations":["Compliance mapping is based on Semgrep's rule metadata; custom rules may not have compliance mappings","Compliance assessment is limited to static analysis findings; does not account for operational controls or policies","Some compliance standards require manual verification (e.g., access control policies) that cannot be automated","Compliance reports are only as accurate as the underlying rule set; gaps in rule coverage create false compliance"],"requires":["Semgrep rules with compliance metadata (CWE, OWASP, etc.)","Compliance framework definitions (mapping rules to standards)","Optional: External compliance database for standard definitions"],"input_types":["Semgrep findings (with rule IDs)","compliance framework selection (OWASP, CWE, PCI-DSS, etc.)","remediation status (for tracking progress)"],"output_types":["compliance assessment reports (standards violated, pass/fail status)","remediation roadmaps (prioritized by compliance impact)","audit-ready summaries (with evidence of remediation)"],"categories":["safety-moderation","data-processing-analysis"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"awesome-semgrep__cap_8","uri":"capability://automation.workflow.incremental.scanning.and.change.based.vulnerability.detection","name":"incremental scanning and change-based vulnerability detection","description":"Scans only modified files or changed code sections to detect new vulnerabilities introduced in recent commits, reducing scanning time from minutes to seconds. MCP integration allows agents to request incremental scans by providing file change lists (from git diffs or file modification timestamps), enabling real-time feedback in CI/CD pipelines.","intents":["I want to scan only the code I just changed, not the entire codebase","I need fast security feedback in my CI/CD pipeline (sub-second latency)","I want to detect if my changes introduced new vulnerabilities before merging"],"best_for":["CI/CD pipelines requiring fast security gates (pre-commit, pre-push)","AI agents providing real-time security feedback during development","Teams with large codebases where full scans are too slow for developer feedback loops"],"limitations":["Incremental scanning misses vulnerabilities in unchanged code that interact with changed code (e.g., new call to vulnerable function)","Requires accurate change detection; git-based change lists may miss indirect changes (e.g., configuration changes affecting behavior)","Performance improvement depends on change size; scanning 1000+ changed files provides minimal speedup vs. full scan","Incremental results must be merged with baseline findings; agents need logic to track cumulative vulnerability state"],"requires":["Change detection mechanism (git diff, file timestamps, or explicit file list)","Baseline scan results (for comparison with incremental results)","Optional: Git repository access for change history"],"input_types":["file change list (paths of modified files)","git diff output (for precise line-level changes)","baseline scan results (for delta calculation)"],"output_types":["incremental findings (new vulnerabilities in changed files)","delta report (findings added, removed, or changed)","change impact analysis (which changes introduced vulnerabilities)"],"categories":["automation-workflow","code-generation-editing"],"confidence":0.5,"matches":0,"success_rate":0}],"trust":{"score":26,"verified":false,"data_access_risk":"high","permissions":["Semgrep CLI 1.45.0 or later installed and in system PATH","MCP server implementation (Node.js 18+ or Python 3.9+)","Read access to target codebase files","Optional: Semgrep Pro account for access to proprietary rule registry","Semgrep CLI with language packs for target languages","File system access with readable file extensions","Optional: Language-specific parsers (e.g., tree-sitter) for structural analysis","Semgrep CLI with structured output (JSON/SARIF)","LLM API access (OpenAI, Anthropic, or local model)","Full source code context (not just snippets) for accurate fix generation"],"failure_modes":["Requires Semgrep CLI to be installed and accessible on the agent's system — no pure Python/Node.js fallback","Pattern matching performance degrades on very large codebases (>1M LOC) without proper rule optimization","Custom rule development requires learning Semgrep's YAML syntax; no visual rule builder exposed through MCP","No built-in incremental scanning — each invocation re-scans the entire target unless filtered by file path","Language detection relies on file extensions; ambiguous cases (e.g., .js for both Node.js and browser code) may apply incorrect rule sets","Performance scales linearly with number of files; scanning 10k+ files across 5+ languages can exceed 30 seconds","Some language-specific rules have false positive rates (e.g., 15-20% for Python type-related rules) requiring manual triage","Fix quality depends on LLM capability and context window; complex multi-file refactors may exceed token limits","No built-in validation that generated fixes actually resolve the vulnerability — requires separate testing step","Semgrep provides finding location but not always the full context needed for LLM to generate correct fixes (e.g., function signature, imports)","builder identity is not verified yet","no observed match outcomes yet"],"rank_breakdown":{"adoption":0.05,"quality":0.28,"ecosystem":0.39999999999999997,"match_graph":0.25,"freshness":0.52,"weights":{"adoption":0.25,"quality":0.25,"ecosystem":0.15,"match_graph":0.23,"freshness":0.12}},"observed_outcomes":{"matches":0,"success_rate":0,"avg_confidence":0,"top_intents":[],"last_matched_at":null},"maintenance":{"status":"active","updated_at":"2026-06-17T09:51:04.049Z","last_scraped_at":"2026-05-03T14:00:15.503Z","last_commit":null},"community":{"stars":null,"forks":null,"weekly_downloads":null,"model_downloads":null,"model_likes":null}},"distribution":{"claim_url":"https://unfragile.ai/submit?claim=semgrep","compare_url":"https://unfragile.ai/compare?artifact=semgrep"}},"signature":"I1YoWzqf20SMqklyZgMeCpbM5pr/Kbk+NE5Ea6fi3rWxY8dlGswXCwxJyQ4J9alAZsOtqAC5UA0aBXbotedrAA==","signedAt":"2026-06-21T01:36:14.477Z","signedBy":"unfragile.ai","version":1},"_links":{"self":"https://unfragile.ai/api/v1/passport/semgrep","artifact":"https://unfragile.ai/semgrep","verify":"https://unfragile.ai/api/v1/verify?slug=semgrep","publicKey":"https://unfragile.ai/api/v1/trust-passport-public-key","spec":"https://unfragile.ai/trust","schema":"https://unfragile.ai/schema.json","docs":"https://unfragile.ai/docs"}}