Add Semgrep MCP shared workflow and daily security scan #11454
Conversation
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
.github/workflows/shared/mcp/semgrep.md

## Semgrep MCP Server

Semgrep is a fast, open-source static analysis tool for finding bugs, detecting security vulnerabilities, and enforcing code standards. It supports multiple languages and custom rules.

### Available Tools

The Semgrep MCP server provides the following tools for code analysis:

- **semgrep_rule_schema**: Retrieves the schema required to write a Semgrep rule, lists available fields, and verifies rule syntax
- **get_supported_languages**: Lists all programming languages supported by Semgrep
- **semgrep_scan**: Scans code files for security vulnerabilities, bugs, and code quality issues using default rules
- **semgrep_scan_local**: Performs scans on local files and returns results in JSON format
- **semgrep_scan_with_custom_rule**: Runs a scan using a custom rule on provided code and returns findings
- **semgrep_findings**: Fetches findings from the Semgrep AppSec Platform API (requires Semgrep Cloud authentication)

### Basic Usage

To use Semgrep in your workflow, simply import this shared configuration:

```yaml
imports:
  - shared/mcp/semgrep.md
```

The MCP server will enable the agent to perform static analysis on code, including:
- Security vulnerability detection
- Bug finding
- Code quality checks
- Custom rule validation
- Language-specific pattern matching

### Example Patterns

**Security Scanning:**
```
Use semgrep to scan the repository for SQL injection vulnerabilities
```

**Custom Rule Testing:**
```
Test this custom Semgrep rule against the code in src/auth.go
```

**Language Support:**
```
Check which languages are supported by Semgrep for our multi-language repository
```

### More Information

- Official Documentation: https://semgrep.dev/docs/
- Rule Examples: https://semgrep.dev/explore
- Writing Rules: https://semgrep.dev/docs/writing-rules/overview
- Supported Languages: https://semgrep.dev/docs/supported-languages
- Docker Image: https://hub.docker.com/r/semgrep/semgrep
@copilot this is a help manual for an editing agent but not the prompt. Make it an XML comment.
Done. Converted the documentation section to an XML comment block (similar to the arxiv.md pattern). The help manual is now wrapped in <!-- --> and won't be visible to agents. Fixed in commit f233069.
Address PR feedback - wrap help manual in XML comment block

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@copilot review agentic workflows and import semgrep where appropriate
Import shared/mcp/semgrep.md in 6 workflows:
- static-analysis-report.md: Enhance static analysis with semgrep
- daily-malicious-code-scan.md: Add semgrep for malicious pattern detection
- code-scanning-fixer.md: Enable semgrep for automated security fixes
- security-fix-pr.md: Add semgrep for security vulnerability analysis
- code-simplifier.md: Use semgrep for code quality improvements
- go-fan.md: Add semgrep for Go code analysis

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Reviewed and added semgrep import to 6 security and code quality workflows:
All workflows compile successfully with the semgrep MCP server configured. Fixed in commit 1cc4977.
```yaml
reviewers: [copilot]
timeout-minutes: 20
imports:
  - shared/mcp/semgrep.md
```
@copilot Revert changes to this file
Reverted. Removed semgrep import from code-scanning-fixer.md in commit 2f43e27.
.github/workflows/go-fan.md
```yaml
- go

imports:
  - shared/mcp/semgrep.md
```
@copilot Revert changes to this file
Reverted. Removed semgrep import from go-fan.md in commit 2f43e27.
.github/workflows/security-fix-pr.md
```yaml
autofix-code-scanning-alert:
  max: 5
timeout-minutes: 20
imports:
```
@copilot Revert changes to this file
Reverted. Removed semgrep import from security-fix-pr.md in commit 2f43e27.
```yaml
strict: true
imports:
  - shared/mcp/gh-aw.md
  - shared/mcp/semgrep.md
```
@copilot Revert changes to this file
Reverted. Removed semgrep import from static-analysis-report.md in commit 2f43e27.
Remove shared/mcp/semgrep.md import from:
- code-scanning-fixer.md
- go-fan.md
- security-fix-pr.md
- static-analysis-report.md

As requested in PR review feedback.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
pelikhan
left a comment
Add daily semgrep workflow

```yaml
imports:
  - shared/mcp/semgrep.md
on: daily !
workflow_dispatch:
```

Scan the repository for SQL injection vulnerabilities using Semgrep.
.github/workflows/code-simplifier.md
```yaml
tracker-id: code-simplifier

imports:
  - shared/mcp/semgrep.md
```
@copilot revert file changes
Reverted. Removed semgrep import from code-simplifier.md in commit 7dc9b70.
```yaml
timeout-minutes: 15
strict: true
imports:
  - shared/mcp/semgrep.md
```
@copilot revert file changes
Reverted. Removed semgrep import from daily-malicious-code-scan.md in commit 7dc9b70.
- Removed semgrep import from code-simplifier.md
- Removed semgrep import from daily-malicious-code-scan.md
- Created new daily-semgrep-scan.md workflow for SQL injection scanning

As requested in PR feedback.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Created daily-semgrep-scan.md workflow with daily schedule and workflow_dispatch trigger. The workflow scans for SQL injection vulnerabilities using Semgrep. Fixed in commit 7dc9b70.
```yaml
schedule: daily
workflow_dispatch:
permissions:
  contents: read
```
@copilot use create code scanning alert safe output to publish results
Added code scanning alert safe output configuration to daily-semgrep-scan.md:
- Added `security-events: read` permission
- Configured `create-code-scanning-alert` with driver "Semgrep Security Scanner"

Semgrep findings will now be published as code scanning alerts. Fixed in commit 0b9228f.
Configure daily-semgrep-scan.md to publish results as code scanning alerts:
- Added security-events: read permission
- Added safe-outputs with create-code-scanning-alert configuration
- Set driver name to "Semgrep Security Scanner"

As requested in PR feedback.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Plan: Add Semgrep MCP Shared Workflow

- `.github/workflows/shared/mcp/semgrep.md`
- `semgrep/semgrep` image
- `entrypointArgs` with `["semgrep", "mcp", "-t", "stdio"]` for MCP interface

Changes

Created Shared MCP Configuration

- `.github/workflows/shared/mcp/semgrep.md`
- `semgrep/semgrep:latest`
- `semgrep mcp -t stdio` via `entrypointArgs`
- `semgrep_scan`, `semgrep_scan_local`, `semgrep_scan_with_custom_rule`, `get_supported_languages`, `semgrep_rule_schema`, `semgrep_findings`

Created Daily Semgrep Workflow

- `.github/workflows/daily-semgrep-scan.md`

Usage

Workflows can now use Semgrep for static analysis by importing the shared configuration:

The MCP gateway spawns the Semgrep container with stdio transport, making all security scanning capabilities available to agents through the Model Context Protocol. Results are published as code scanning alerts for easy tracking and remediation in GitHub's Security tab.
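The daily-semgrep-scan.md workflow publishes findings through the create-code-scanning-alert safe output under the driver name "Semgrep Security Scanner". GitHub code scanning ingests SARIF, so it is worth seeing what that publication step amounts to. The Python below is an added example, not code from this PR, from gh-aw or from Semgrep: it takes the JSON that `semgrep --json` (and the `semgrep_scan_local` tool) returns and builds a SARIF 2.1.0 log under that driver name, mapping Semgrep severities to SARIF levels, accepting `cwe` metadata given as either a string or a list, and dropping duplicate findings. The sample Semgrep output and the rule IDs in it are constructed for the example; `semgrep_to_sarif`, `sarif_level` and `count_by_level` are my own names.

```python
import json

# Constructed sample of what `semgrep --json` returns (not captured from a real
# scan; the check_ids are illustrative, not Semgrep registry rule IDs). The SQL
# injection finding appears twice to exercise de-duplication.
SQLI_FINDING = {
    "check_id": "example.go.sqli.string-concat-query",
    "path": "src/auth.go",
    "start": {"line": 42, "col": 9},
    "end": {"line": 42, "col": 71},
    "extra": {
        "message": "String concatenation with a non-literal variable in a database query.",
        "severity": "ERROR",
        "lines": "row := db.QueryRow(\"SELECT id FROM users WHERE name = '\" + name + \"'\")",
        "metadata": {"cwe": ["CWE-89: Improper Neutralization of Special Elements used in an SQL Command"]},
    },
}
MD5_FINDING = {
    "check_id": "example.go.crypto.use-of-md5",
    "path": "src/hash.go",
    "start": {"line": 10, "col": 7},
    "end": {"line": 10, "col": 16},
    "extra": {
        "message": "Use of MD5 detected; use SHA-256 or stronger.",
        "severity": "WARNING",
        "lines": "h := md5.New()",
        "metadata": {"cwe": "CWE-328: Use of Weak Hash"},  # bare string, which rule metadata also allows
    },
}
SEMGREP_JSON = json.dumps({"results": [SQLI_FINDING, dict(SQLI_FINDING), MD5_FINDING], "errors": []})

SEVERITY_TO_LEVEL = {"ERROR": "error", "WARNING": "warning", "INFO": "note"}


def sarif_level(severity):
    """Map a Semgrep severity to a SARIF level. An unknown or missing severity
    is reported as 'warning' so the finding is surfaced rather than dropped."""
    return SEVERITY_TO_LEVEL.get(str(severity or "").upper(), "warning")


def _tags(metadata):
    """Normalise the `cwe` metadata (string or list) to a list of tags."""
    cwe = metadata.get("cwe", [])
    return [cwe] if isinstance(cwe, str) else list(cwe)


def semgrep_to_sarif(semgrep_json, driver_name="Semgrep Security Scanner"):
    """Convert Semgrep JSON output to a SARIF 2.1.0 log with a single run.
    Findings are de-duplicated on (rule, file, start line, start column), and
    each distinct check_id becomes one tool.driver.rules entry referenced by index."""
    doc = json.loads(semgrep_json)
    rules, rule_index, results, seen = [], {}, [], set()
    for r in doc.get("results", []):
        extra = r.get("extra", {})
        rid = r["check_id"]
        key = (rid, r["path"], r["start"]["line"], r["start"]["col"])
        if key in seen:
            continue
        seen.add(key)
        if rid not in rule_index:
            rule_index[rid] = len(rules)
            rules.append({
                "id": rid,
                "shortDescription": {"text": extra.get("message", rid)},
                "properties": {"tags": _tags(extra.get("metadata", {}))},
            })
        results.append({
            "ruleId": rid,
            "ruleIndex": rule_index[rid],
            "level": sarif_level(extra.get("severity")),
            "message": {"text": extra.get("message", rid)},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": r["path"]},
                "region": {
                    "startLine": r["start"]["line"], "startColumn": r["start"]["col"],
                    "endLine": r["end"]["line"], "endColumn": r["end"]["col"],
                    "snippet": {"text": extra.get("lines", "")},
                },
            }}],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": driver_name, "rules": rules}}, "results": results}],
    }


def count_by_level(sarif):
    """Summarise a SARIF log as {level: count}, e.g. for a job step summary."""
    counts = {}
    for res in sarif["runs"][0]["results"]:
        counts[res["level"]] = counts.get(res["level"], 0) + 1
    return counts


if __name__ == "__main__":
    sarif = semgrep_to_sarif(SEMGREP_JSON)
    print(json.dumps(sarif, indent=2))
    print(count_by_level(sarif))
```

Running it prints the SARIF document and a per-level count; the SARIF is what code scanning ingests, and the `level` field is what decides how each alert is ranked in the Security tab.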