Setup
- Go to Integrations and find Semgrep
- Click Connect
- Enter your Semgrep API token (get one here — optional for basic scanning, required for cloud features)
- Click Save — Proliferate will test the connection automatically
Basic scanning works without an API token. The token is needed for Semgrep AppSec Platform features like fetching cloud findings.
Available tools
| Tool | Description |
|---|---|
| security_check | Quick security scan of code (high-level convenience tool) |
| semgrep_scan | Scan code with a given config (e.g., auto, p/docker, p/xss). Accepts an array of file path + content objects. |
| semgrep_scan_with_custom_rule | Scan using custom Semgrep YAML rules |
| semgrep_findings | Fetch findings from the Semgrep AppSec Platform (requires API token) |
| get_abstract_syntax_tree | Get the AST of provided code |
| supported_languages | List all supported languages |
| semgrep_rule_schema | Fetch the latest Semgrep rule JSON schema |
Use cases
- Scan code diffs in PR review automations and flag security findings as comments
- Enforce org-specific coding standards via custom rules (e.g., “no raw SQL outside db.ts”)
- Detect leaked API keys, tokens, and credentials in commits
The tools listed above may not be exhaustive and can change as Semgrep updates its MCP server. See the Semgrep MCP documentation for the latest list.
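The following is an added example of the PR-review and custom-rule use cases above; it is not Proliferate or Semgrep code. It shows the three pieces an automation needs around the tools: a custom rule for `semgrep_scan_with_custom_rule` that enforces “no raw SQL outside db.ts”, the file path + content array that `semgrep_scan` accepts, and a filter that turns Semgrep's JSON results (the `results` array with `check_id`, `path`, `start.line` and `extra`) into review comments only on lines the PR actually changed. The rule id, the `**/db.ts` glob, the `$DB.query`/`$DB.raw` patterns, the diff and the result set are all constructed for this example.

```python
"""Added example: custom Semgrep rule + diff-aware mapping of findings to PR comments."""
import json
import re

# Custom rule for semgrep_scan_with_custom_rule. Rule id, excluded glob and the
# query/raw method names are assumptions chosen for this example.
NO_RAW_SQL_RULE = """\
rules:
  - id: org-no-raw-sql-outside-db
    languages: [typescript, javascript]
    severity: ERROR
    message: Raw SQL belongs in db.ts; call the query helpers exported from there instead.
    paths:
      exclude:
        - "**/db.ts"
    patterns:
      - pattern-either:
          - pattern: $DB.query($SQL, ...)
          - pattern: $DB.raw($SQL, ...)
      - metavariable-regex:
          metavariable: $SQL
          regex: (?i)\\b(select|insert|update|delete)\\b
"""

# Constructed unified diff standing in for a PR's changes.
SAMPLE_DIFF = """\
diff --git a/src/api/users.ts b/src/api/users.ts
--- a/src/api/users.ts
+++ b/src/api/users.ts
@@ -9,3 +9,5 @@ export async function getUser(id: string) {
   const db = getDb();
-  return db.findUser(id);
+  // TODO: move to db.ts
+  const rows = await db.query("SELECT * FROM users WHERE id = " + id);
+  return rows[0];
 }
"""

# Constructed Semgrep JSON output: one hit on a changed line, one on an untouched file.
SAMPLE_RESULTS = json.dumps({
    "results": [
        {"check_id": "org-no-raw-sql-outside-db", "path": "src/api/users.ts",
         "start": {"line": 11, "col": 3}, "end": {"line": 11, "col": 68},
         "extra": {"message": "Raw SQL belongs in db.ts", "severity": "ERROR"}},
        {"check_id": "org-no-raw-sql-outside-db", "path": "src/legacy/report.ts",
         "start": {"line": 40, "col": 3}, "end": {"line": 40, "col": 50},
         "extra": {"message": "Raw SQL belongs in db.ts", "severity": "ERROR"}},
    ],
    "errors": [],
})

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
SEVERITY_RANK = {"ERROR": 0, "WARNING": 1, "INFO": 2}


def build_scan_request(files: dict[str, str]) -> list[dict[str, str]]:
    """Shape {path: content} into the path + content object array semgrep_scan accepts."""
    return [{"path": path, "content": content} for path, content in sorted(files.items())]


def changed_lines_from_diff(diff_text: str) -> dict[str, set[int]]:
    """Return {new_path: {new-file line numbers added or modified}} from a unified diff."""
    changed: dict[str, set[int]] = {}
    path = None
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git") or raw.startswith("--- "):
            path = None  # a new file header resets state until we see its +++ line
            continue
        if raw.startswith("+++ "):
            name = raw[4:].strip()
            path = None if name == "/dev/null" else name.removeprefix("b/")
            continue
        m = HUNK_RE.match(raw)
        if m:
            new_line = int(m.group(1))  # first new-file line covered by this hunk
            continue
        if path is None or raw.startswith("\\"):
            continue  # outside a file, or "\ No newline at end of file"
        if raw.startswith("+"):
            changed.setdefault(path, set()).add(new_line)
            new_line += 1
        elif not raw.startswith("-"):
            new_line += 1  # context line; removed lines do not advance the new counter
    return changed


def findings_to_review_comments(results_json: str, changed: dict[str, set[int]]) -> list[dict]:
    """Keep findings on changed lines, dedupe them, and sort by severity for posting."""
    comments, seen = [], set()
    for r in json.loads(results_json).get("results", []):
        path, line = r["path"], r["start"]["line"]
        if line not in changed.get(path, set()):
            continue  # pre-existing issue; report it elsewhere, not as a PR comment
        key = (r["check_id"], path, line)
        if key in seen:
            continue  # same rule can surface twice when several configs are run
        seen.add(key)
        extra = r.get("extra", {})
        severity = extra.get("severity", "INFO")
        comments.append({"path": path, "line": line, "severity": severity,
                         "body": f"Semgrep {severity} `{r['check_id']}`: {extra.get('message', '')}"})
    comments.sort(key=lambda c: (SEVERITY_RANK.get(c["severity"], 9), c["path"], c["line"]))
    return comments


if __name__ == "__main__":
    for c in findings_to_review_comments(SAMPLE_RESULTS, changed_lines_from_diff(SAMPLE_DIFF)):
        print(f"{c['path']}:{c['line']} {c['body']}")
```

In a real automation the `content` values passed to `build_scan_request` are the post-change file contents from the PR head, and the filtered comments are posted through your code host's review API; findings on unchanged lines are better routed to a tracking issue than dropped silently, which is what the `changed` filter leaves room for.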
