Vibe Check: Securing AI-Generated Code Using MCP

Generative artificial intelligence is a boon for the experimental side of building software. The unfortunate truth is that AI-generated code suffers from some of the same issues a software developer often faces: rapid prototyping of new features prioritizes fast delivery over secure implementation. This is a great use case for tools like Semgrep that are purpose-built to catch security vulnerabilities by scanning source code.
Let’s start by getting some terminology out of the way. Further below is a video demo of how the workflow comes together once integrated, so that a source code scanning tool like Semgrep can add security checking to the AI-generated code from a tool like Cursor.
What is Vibe Coding
What started as a social media meme has become synonymous with an iterative workflow using an AI assistant to rapidly generate source code. By using an LLM and natural-language prompts, this approach is accessible to many people regardless of their experience as software developers.
A key challenge is that source code generated by this approach can contain security vulnerabilities that are easy for hackers and mischief-makers to exploit.
What is Cursor
Cursor has been gaining momentum as an integrated development environment (IDE), a fork of Visual Studio Code optimized for this type of iterative vibe coding workflow. Cursor has built-in AI chat and code generation that supports a vibe coding workflow.
What is Semgrep Used For
Semgrep is a fast, powerful static analysis tool that uses a rule-based engine to scan source code and identify security vulnerabilities, bugs, and other code quality issues. It is used by many enterprises and developers as part of a traditional software development lifecycle. There is a free open-source community edition that can be used for scanning individual source code listings, as well as a managed platform and services for more sophisticated and professional development teams and workflows.
Semgrep supports most popular programming languages with semantically aware searches to ensure a high signal-to-noise ratio when it comes to identifying security flaws.
What is MCP Used For
Similar to design patterns that have been used when architecting web applications, MCP (Model Context Protocol) provides an open standard for controlling how AI models behave. It defines a set of APIs that act as a bridge or intermediary between web services and an application.
This is important because it creates a standardized protocol for AI models to interact with web services, database instances, local tools, and so on. These act as additional data sources that give the model context, without the model itself needing a custom integration with each one.
The end user who is vibe coding with Cursor doesn’t need to fully understand how MCP works; it is the context service and the IDE that use it as an intermediary. While the subsequent example uses Cursor, the value of MCP is that it can also be used with Copilot, Windsurf, Claude Desktop, OpenAI, or any MCP client. It also lets us integrate services like Semgrep into the LLM context.
Setting Up a Security-Aware Semgrep MCP Server
When this all comes together, the Cursor IDE will use any configured MCP integrations as additional context for working with the LLM. To accomplish this, you’ll host a small server that can handle the protocol to interact with Semgrep.
There are complete instructions and troubleshooting tips in the semgrep/mcp repository README.
1. Access Your Semgrep API Key
You’ll need to sign in or sign up for a Semgrep.dev account in order to get an API token.
Example for ~/.cursor/mcp.json, but any method of setting the environment will work:
    "env": {
        "SEMGREP_APP_TOKEN": ""
    }
2. Run the Semgrep MCP Server
The semgrep-mcp server is written in Python, so it can be installed with a package manager like uv. There is also a Docker container that can be pulled:
    docker run -i --rm ghcr.io/semgrep/mcp -t stdio
3. Integrate the Server with Cursor
You’ll also modify the ~/.cursor/mcp.json to include instructions for running semgrep:
    {
        "mcpServers": {
            "semgrep": {
                "command": "uvx",
                "args": ["semgrep-mcp"]
            }
        }
    }
4. Give it a try
That’s it, just three steps. The semgrep-mcp server is open-source if you want to learn more about how it works.
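A pre-flight check for the configuration built in the steps above, as an added example that is not part of the original post or the semgrep/mcp project. It assumes the "env" block from step 1 sits inside the "semgrep" entry from step 3, and it flags an empty token or a token stored in a file that other local users can read; the function names, placeholder token and sample config are constructed for illustration.

```python
import json
import os
import stat
import tempfile

TOKEN_VAR = "SEMGREP_APP_TOKEN"


def audit_mcp_config(path, server="semgrep", environ=None):
    """Return a list of findings for one server entry in an MCP client config."""
    environ = os.environ if environ is None else environ
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8") as fh:
        config = json.load(fh)
    entry = config.get("mcpServers", {}).get(server)
    if entry is None:
        return [f"no '{server}' entry under mcpServers"]
    findings = []
    if not entry.get("command"):
        findings.append("entry has no command to launch the server")
    # Assumption: the token's env block lives inside the server entry.
    token = entry.get("env", {}).get(TOKEN_VAR, "")
    if not token and not environ.get(TOKEN_VAR):
        findings.append(f"{TOKEN_VAR} is empty in the file and unset in the environment")
    # A token written into the file is readable by anyone who can read the file.
    if token and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"token stored in a file with mode {mode:03o}; restrict to 600")
    return findings


def demo():
    """Audit a constructed config before and after tightening its permissions."""
    entry = {"command": "uvx", "args": ["semgrep-mcp"],
             "env": {TOKEN_VAR: "PLACEHOLDER-TOKEN"}}  # constructed; not a real key
    sample = {"mcpServers": {"semgrep": entry}}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "mcp.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)
        before = audit_mcp_config(path, environ={})
        os.chmod(path, 0o600)
        after = audit_mcp_config(path, environ={})
    return before, after


if __name__ == "__main__":
    print(demo())
```

Point `audit_mcp_config` at your own ~/.cursor/mcp.json to run the same checks; a config that carries a token also belongs outside version control.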
Demo of a Semgrep Cursor MCP Workflow
If all goes well, your experience should be similar to this video recording:
For additional information, questions about the project, or any trouble getting the demo working…
- Drop into the community Slack
- Schedule time for a demo
- Open an issue or pull request at semgrep/mcp
- Read more about Giving AppSec a Seat at the Vibe Coding Table