Semgrep Guardian

Semgrep Guardian integrates natively with AI coding agents like Claude Code and Cursor to catch security issues before they ship. It bundles the Semgrep MCP server, Hooks, and Skills into a single install, and scans every file an agent generates using Semgrep Code, Supply Chain, and Secrets. When findings are detected, the agent is prompted to regenerate code until Semgrep returns clean results or you choose to dismiss them. The plugin uses each IDE’s native hook or MCP system:

Claude Code: hooks and plugins
Codex: MCP
Cursor: hooks and MCP
GitHub Copilot (Visual Studio, JetBrains, Xcode, Eclipse): MCP
VS Code: MCP
Windsurf: Cascade hooks

This guide covers setup for each of the preceding products listed, but the plugin works with any MCP client.

Prerequisites

Python 3.10 or later (the Semgrep CLI requires it at runtime regardless of how it was installed)
Homebrew, pipx, or uv to install Semgrep
A Semgrep account

Install the Semgrep CLI

These steps are the same regardless of which IDE you use.

Install Semgrep using Homebrew, pipx, or uv:

@@ -50,86 +48,129 @@
# or, install using uv (https://docs.astral.sh/uv/)
uv tool install semgrep

Verify that you’ve installed the latest version of Semgrep:

semgrep --version

semgrep login && semgrep install-semgrep-pro

semgrep login launches a browser window. You can also use the activation link printed in the terminal.

Connect to your IDE

Start a new Claude Code instance in the terminal:

claude

Open the plugin manager:

/plugin

Go to Discover, search for Semgrep, and click Install.

Set up the Guardian:

/setup-semgrep-plugin

The plugin registers a post-tool hook so Claude Code scans every file it writes. Learn more about Claude Code plugins and hooks.

Alternative: Use Semgrep’s hosted remote server (beta)

Early access beta.

If you can’t install the Semgrep CLI locally, you can use Semgrep’s hosted remote server instead.

Start a Claude Code instance:

claude

Add the Semgrep marketplace:

/plugin marketplace add semgrep/guardian-claude

Install the plugin from the marketplace:

/plugin install semgrep-plugin@semgrep-guardian-claude

Tell Claude to load the plugin:

/reload-plugins

Start a new session in Claude to begin the Semgrep login flow:

/clear

Alternatively, exit and relaunch Claude Code.

Update your ~/.codex/config.toml file and paste the following:

[mcp_servers.semgrep]
command = "semgrep"
args = ["mcp"]

Codex does not expose a post-write hook, so Semgrep tools are surfaced through MCP and invoked when the agent calls them. Learn more about Codex MCP configuration.

Find Semgrep in the Cursor Plugin Marketplace, or open Cursor > ⌘⇧J > Plugins. Search “Semgrep” and click Add to Cursor.

Restart Cursor to apply configuration.

In Cursor’s chat, run the /setup-semgrep-plugin skill to finish wiring up the plugin.The plugin uses Cursor hooks (afterFileEdit and stop) to scan code as the agent writes it, and exposes Semgrep tools through Cursor MCP.

Use this tab for GitHub Copilot in Visual Studio, JetBrains IDEs, Xcode, or Eclipse. (For Copilot in VS Code, use the VS Code tab.)

  {
    "servers": {
      "semgrep": {
          "command": "semgrep",
          "args": ["mcp"]
      }
    }
  }

Follow your IDE’s instructions for where to put this entry: Extending Copilot Chat with MCP servers covers Visual Studio, JetBrains, Xcode, and Eclipse.

Restart your IDE and open Copilot Chat. Semgrep tools become available in Agent mode.

Copilot does not expose a post-write hook, so Semgrep tools are invoked when the agent calls them through MCP.

Add the Semgrep MCP server to VS Code. Create .vscode/mcp.json in your workspace (or run the MCP: Open User Configuration command from the Command Palette for a user-wide entry) and paste the following:

  {
    "servers": {
      "semgrep": {
          "command": "semgrep",
          "args": ["mcp"]
      }
    }
  }

Verify that you’ve installed the latest version of Semgrep by running the following:

semgrep --version

Reload VS Code. Semgrep tools become available in the Copilot Chat Agent mode.

VS Code does not expose a post-write hook today, so Semgrep tools are invoked when the agent calls them through MCP. Learn more about adding and managing MCP servers in VS Code.

Create a hooks.json file at ~/.codeium/windsurf/hooks.json and paste the following configuration:

{
  "hooks": {
    "post_write_code": [
      {
        "command": "semgrep mcp -k post-tool-cli-scan -a windsurf",
        "show_output": true
      }
    ]
  }
}

Restart Windsurf to apply hook configuration.

The post_write_code event fires after Cascade writes or modifies any file. Learn more about Windsurf Cascade hooks.

Add the Semgrep MCP Server to your IDE. Semgrep provides sample configuration information that you can use as a starting point. Refer to your IDE’s documentation for specific details on where to add the MCP server configuration.If your IDE supports a post-write or post-tool hook, point it at semgrep mcp -k post-tool-cli-scan -a <ide-name> to scan generated code automatically. The Windsurf tab above shows this pattern.

Scan your code

Open up your IDE’s AI chat window.

Ensure that you’re in the correct context to use Semgrep.

Prompt your IDE to scan with Semgrep.

By default, the Semgrep Guardian runs all three Semgrep products: Code, Supply Chain, and Secrets.

Additional resources

Semgrep’s #mcp Slack community
The Semgrep MCP server repo on GitHub

Documentation Index

​Prerequisites

​Install the Semgrep CLI

​Connect to your IDE

​Scan your code

​Additional resources

Prerequisites

Install the Semgrep CLI

Connect to your IDE

Scan your code

Additional resources