MCP Tool Reference Low Risk

semgrep_scan

Scan code files with a given config string

Part of the Semgrep MCP server. Enforce policies on this tool with Intercept, the open-source MCP proxy.

semgrep/mcp Other

WHEN AI AGENTS USE THIS TOOL

AI agents call semgrep_scan to perform operations in Semgrep. While the risk category is not fully classified, applying a rate limit gives you visibility into how often the tool is called and prevents unexpected bursts of activity from autonomous agents.

WHY ENFORCE A POLICY ON SEMGREP_SCAN

Applying a policy to semgrep_scan gives you an audit trail of every call an AI agent makes. Even for low-risk tools, visibility into agent behaviour helps you debug issues, optimise workflows, and maintain compliance with your organisation's security requirements.

RECOMMENDED POLICY

Apply a rate limit to control usage and monitor for unexpected behaviour.

semgrep.yaml 
tools:
  semgrep_scan:
    rules:
      - action: allow
        rate_limit:
          max: 60
          window: 60

See the full Semgrep policy for all 8 tools.

DETAILS

Tool Name

semgrep_scan

Category

Other

MCP Server

Semgrep MCP Server

Risk Level

Low

MORE SEMGREP TOOLS

security_check Other
Scan code for security vulnerabilities
semgrep_findings Other
Fetch findings from the Semgrep AppSec Platform API
semgrep_rule_schema Other
Fetch the latest Semgrep rule JSON Schema
semgrep_scan_with_custom_rule Other
Scan code files using a custom Semgrep rule
supported_languages Other
Return the list of languages Semgrep supports
get_abstract_syntax_tree Read
Output the Abstract Syntax Tree of code
write_custom_semgrep_rule Write
Provide guidance for creating Semgrep rules

SIMILAR OTHER TOOLS ON OTHER SERVERS

analytics Algolia
Access Algolia analytics data
monitoring Algolia
Monitor Algolia service status
recommend Algolia
Access Algolia recommendation features
abtesting Algolia
Manage A/B tests
collections Algolia
Manage query suggestions collections
usage Algolia
Access Algolia usage data

RELATED READING

FREQUENTLY ASKED QUESTIONS

What does the semgrep_scan tool do?

Scan code files with a given config string. It is categorised as a Other tool in the Semgrep MCP Server, which means it performs auxiliary operations.

How do I enforce a policy on semgrep_scan?

Add a rule in your Intercept YAML policy under the tools section for semgrep_scan. You can allow, deny, rate-limit, or validate arguments. Then run Intercept as a proxy in front of the Semgrep MCP server.

What risk level is semgrep_scan?

semgrep_scan is a Other tool with low risk. Read-only tools are generally safe to allow by default.

Can I rate-limit semgrep_scan?

Yes. Add a rate_limit block to the semgrep_scan rule in your Intercept policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.

How do I block semgrep_scan completely?

Set action: deny in the Intercept policy for semgrep_scan. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.

What MCP server provides semgrep_scan?

semgrep_scan is provided by the Semgrep MCP server (semgrep/mcp). Intercept sits as a proxy in front of this server to enforce policies before tool calls reach the server.

ENFORCE POLICIES ON SEMGREP

Open source. One binary. Zero dependencies.

VIEW ON GITHUB Full Semgrep policy →