Can I use Semgrep as a CLI?

Yes. KosmoKrator exposes a Semgrep CLI through kosmo integrations:call and the provider shortcut command. Commands can return JSON for scripts, CI, and coding agents.

Can I expose Semgrep through MCP?

Yes. The KosmoKrator MCP gateway can expose selected Semgrep tools to clients such as Claude Code, Cursor, Codex, and other MCP-compatible tools.

Where are Semgrep credentials stored?

Semgrep credentials are configured in KosmoKrator's local integration settings and reused by CLI, Lua, and MCP gateway surfaces.

Can I deny write access for Semgrep MCP tools?

Yes. Start the gateway with --write=deny for read-only clients, or use ask/allow only for trusted workspaces.

data

Semgrep Lua API for KosmoKrator Agents

Agent-facing Lua documentation and function reference for the Semgrep KosmoKrator integration.

Lua Namespace

Agents call this integration through app.integrations.semgrep.*. Use lua_read_doc("integrations.semgrep") inside KosmoKrator to discover the same reference at runtime.

Call Lua from the Headless CLI

Use kosmo integrations:lua when a shell script, CI job, cron job, or another coding CLI should run a deterministic Semgrep workflow without starting an interactive agent session.

Inline Lua call

kosmo integrations:lua --eval 'dump(app.integrations.semgrep.beta_get_sms_vpc_bootstrap_cloudformation_template({}))' --json

Read Lua docs headlessly

kosmo integrations:lua --eval 'print(docs.read("semgrep"))' --json
kosmo integrations:lua --eval 'print(docs.read("semgrep.beta_get_sms_vpc_bootstrap_cloudformation_template"))' --json

Workflow file

Put repeatable logic in a Lua file, then execute it with JSON output for the calling process.

workflow.lua

local semgrep = app.integrations.semgrep
local result = semgrep.beta_get_sms_vpc_bootstrap_cloudformation_template({})

dump(result)

Run the workflow

kosmo integrations:lua workflow.lua --json
kosmo integrations:lua workflow.lua --force --json

Namespace note. integrations:lua exposes app.integrations.semgrep, app.mcp.*, docs.*, json.*, and regex.*. Use app.integrations.semgrep.default.* or app.integrations.semgrep.work.* when you configured named credential accounts.

MCP-only Lua

If the script only needs configured MCP servers and does not need Semgrep, use the narrower mcp:lua command.

MCP Lua command

# Use mcp:lua for MCP-only scripts; use integrations:lua for this integration namespace.
kosmo mcp:lua --eval 'dump(mcp.servers())' --json

Agent-Facing Lua Docs

This is the rendered version of the full Lua documentation exposed to agents when they inspect the integration namespace.

Semgrep Lua API

Generated from Semgrep’s official Web API OpenAPI document at https://semgrep.dev/api/v1/public_v1.openapi.yaml. The namespace is app.integrations.semgrep.

This package exposes 27 endpoint-specific tools: 11 read tools and 16 write tools. Use a Semgrep API token with Web API access enabled.

Usage

local ping = app.integrations.semgrep.misc_service_ping({})

local findings = app.integrations.semgrep.findings_service_list_findings({
  deployment_slug = "example-deployment"
})

Request Bodies

Tools that create, update, search, link, or triage resources may accept a body table. The table is passed as the JSON body expected by the Semgrep Web API schema. Path and query arguments use snake_case names and are mapped back to the official parameter names.

Tools

| semgrep_misc_service_get_bootstrap_sms_vpc | read | GET /api/v1/bootstrap-sms-vpc | | semgrep_deployments_service_list_deployments | read | GET /api/v1/deployments | | semgrep_supply_chain_service_list_dependencies | write | POST /api/v1/deployments/{deploymentId}/dependencies | | semgrep_supply_chain_service_list_repositories_for_dependencies | write | POST /api/v1/deployments/{deploymentId}/dependencies/repositories | | semgrep_supply_chain_service_list_lockfiles_for_dependencies | write | POST /api/v1/deployments/{deploymentId}/dependencies/repositories/{repositoryId}/lockfiles | | semgrep_policies_service_list_policies | read | GET /api/v1/deployments/{deploymentId}/policies | | semgrep_policies_service_list_policy_rules | read | GET /api/v1/deployments/{deploymentId}/policies/{policyId} | | semgrep_policies_service_update_policy | write | PUT /api/v1/deployments/{deploymentId}/policies/{policyId} | | semgrep_supply_chain_service_create_sbom_export | write | POST /api/v1/deployments/{deploymentId}/sbom/export | | semgrep_supply_chain_service_get_sbom_export | read | GET /api/v1/deployments/{deploymentId}/sbom/export/{taskToken} | | semgrep_scans_service_get_scan | read | GET /api/v1/deployments/{deploymentId}/scan/{scanId} | | semgrep_scans_service_search_scans | write | POST /api/v1/deployments/{deploymentId}/scans/search | | semgrep_secrets_service_list_secrets_path | read | GET /api/v1/deployments/{deploymentId}/secrets | | semgrep_ticketing_service_delete_ticket | write | DELETE /api/v1/deployments/{deploymentId}/ticketing/v2/tickets/{externalTicketId} | | semgrep_ticketing_service_link_ticket | write | POST /api/v1/deployments/{deploymentId}/tickets/link | | semgrep_ticketing_service_unlink_ticket | write | POST /api/v1/deployments/{deploymentId}/tickets/unlink | | semgrep_findings_service_list_findings | read | GET /api/v1/deployments/{deploymentSlug}/findings | | semgrep_projects_service_list_projects | read | GET /api/v1/deployments/{deploymentSlug}/projects | | semgrep_projects_service_get_project | read | GET /api/v1/deployments/{deploymentSlug}/projects/{projectName} | | semgrep_projects_service_update_project | write | PATCH /api/v1/deployments/{deploymentSlug}/projects/{projectName} | | semgrep_projects_service_delete_project | write | DELETE /api/v1/deployments/{deploymentSlug}/projects/{projectName} | | semgrep_projects_service_toggle_project_managed_scan | write | PATCH /api/v1/deployments/{deploymentSlug}/projects/{projectName}/managed-scan | | semgrep_projects_service_add_project_tags | write | PUT /api/v1/deployments/{deploymentSlug}/projects/{projectName}/tags | | semgrep_projects_service_delete_project_tags | write | DELETE /api/v1/deployments/{deploymentSlug}/projects/{projectName}/tags | | semgrep_ticketing_service_create_ticket | write | POST /api/v1/deployments/{deploymentSlug}/tickets | | semgrep_triage_service_bulk_triage | write | POST /api/v1/deployments/{deploymentSlug}/triage | | semgrep_misc_service_ping | read | GET /api/v1/ping |

Notes

The base URL defaults to https://semgrep.dev.
Authentication uses Authorization: Bearer <token>.
Returned data is the parsed JSON response from Semgrep.

Raw agent markdown

# Semgrep Lua API

Generated from Semgrep's official Web API OpenAPI document at `https://semgrep.dev/api/v1/public_v1.openapi.yaml`. The namespace is `app.integrations.semgrep`.

This package exposes 27 endpoint-specific tools: 11 read tools and 16 write tools. Use a Semgrep API token with Web API access enabled.

## Usage

```lua
local ping = app.integrations.semgrep.misc_service_ping({})

local findings = app.integrations.semgrep.findings_service_list_findings({
  deployment_slug = "example-deployment"
})
```

## Request Bodies

Tools that create, update, search, link, or triage resources may accept a `body` table. The table is passed as the JSON body expected by the Semgrep Web API schema. Path and query arguments use snake_case names and are mapped back to the official parameter names.

## Tools

| `semgrep_misc_service_get_bootstrap_sms_vpc` | read | GET `/api/v1/bootstrap-sms-vpc` |
| `semgrep_deployments_service_list_deployments` | read | GET `/api/v1/deployments` |
| `semgrep_supply_chain_service_list_dependencies` | write | POST `/api/v1/deployments/{deploymentId}/dependencies` |
| `semgrep_supply_chain_service_list_repositories_for_dependencies` | write | POST `/api/v1/deployments/{deploymentId}/dependencies/repositories` |
| `semgrep_supply_chain_service_list_lockfiles_for_dependencies` | write | POST `/api/v1/deployments/{deploymentId}/dependencies/repositories/{repositoryId}/lockfiles` |
| `semgrep_policies_service_list_policies` | read | GET `/api/v1/deployments/{deploymentId}/policies` |
| `semgrep_policies_service_list_policy_rules` | read | GET `/api/v1/deployments/{deploymentId}/policies/{policyId}` |
| `semgrep_policies_service_update_policy` | write | PUT `/api/v1/deployments/{deploymentId}/policies/{policyId}` |
| `semgrep_supply_chain_service_create_sbom_export` | write | POST `/api/v1/deployments/{deploymentId}/sbom/export` |
| `semgrep_supply_chain_service_get_sbom_export` | read | GET `/api/v1/deployments/{deploymentId}/sbom/export/{taskToken}` |
| `semgrep_scans_service_get_scan` | read | GET `/api/v1/deployments/{deploymentId}/scan/{scanId}` |
| `semgrep_scans_service_search_scans` | write | POST `/api/v1/deployments/{deploymentId}/scans/search` |
| `semgrep_secrets_service_list_secrets_path` | read | GET `/api/v1/deployments/{deploymentId}/secrets` |
| `semgrep_ticketing_service_delete_ticket` | write | DELETE `/api/v1/deployments/{deploymentId}/ticketing/v2/tickets/{externalTicketId}` |
| `semgrep_ticketing_service_link_ticket` | write | POST `/api/v1/deployments/{deploymentId}/tickets/link` |
| `semgrep_ticketing_service_unlink_ticket` | write | POST `/api/v1/deployments/{deploymentId}/tickets/unlink` |
| `semgrep_findings_service_list_findings` | read | GET `/api/v1/deployments/{deploymentSlug}/findings` |
| `semgrep_projects_service_list_projects` | read | GET `/api/v1/deployments/{deploymentSlug}/projects` |
| `semgrep_projects_service_get_project` | read | GET `/api/v1/deployments/{deploymentSlug}/projects/{projectName}` |
| `semgrep_projects_service_update_project` | write | PATCH `/api/v1/deployments/{deploymentSlug}/projects/{projectName}` |
| `semgrep_projects_service_delete_project` | write | DELETE `/api/v1/deployments/{deploymentSlug}/projects/{projectName}` |
| `semgrep_projects_service_toggle_project_managed_scan` | write | PATCH `/api/v1/deployments/{deploymentSlug}/projects/{projectName}/managed-scan` |
| `semgrep_projects_service_add_project_tags` | write | PUT `/api/v1/deployments/{deploymentSlug}/projects/{projectName}/tags` |
| `semgrep_projects_service_delete_project_tags` | write | DELETE `/api/v1/deployments/{deploymentSlug}/projects/{projectName}/tags` |
| `semgrep_ticketing_service_create_ticket` | write | POST `/api/v1/deployments/{deploymentSlug}/tickets` |
| `semgrep_triage_service_bulk_triage` | write | POST `/api/v1/deployments/{deploymentSlug}/triage` |
| `semgrep_misc_service_ping` | read | GET `/api/v1/ping` |


## Notes

- The base URL defaults to `https://semgrep.dev`.
- Authentication uses `Authorization: Bearer <token>`.
- Returned data is the parsed JSON response from Semgrep.

Metadata-derived Lua example

local result = app.integrations.semgrep.beta_get_sms_vpc_bootstrap_cloudformation_template({})
print(result)

Functions

beta_get_sms_vpc_bootstrap_cloudformation_template Read

[Beta] Get SMS VPC Bootstrap CloudFormation Template Official Semgrep Web API endpoint: GET /api/v1/bootstrap-sms-vpc VPC support for Managed Scans is in private beta. Returns the Managed Scans VPC Bootstrap CloudFormation template in JSON

Lua path: app.integrations.semgrep.beta_get_sms_vpc_bootstrap_cloudformation_template
Full name: semgrep.semgrep_misc_service_get_bootstrap_sms_vpc

Parameter	Type	Required	Description
No parameters.

list_deployments Read

List deployments Official Semgrep Web API endpoint: GET /api/v1/deployments Request the deployments your auth can access. Currently available auth scope does not extend over more than one deployment. This endpoint returns the single deploym

Lua path: app.integrations.semgrep.list_deployments
Full name: semgrep.semgrep_deployments_service_list_deployments

Parameter	Type	Required	Description
No parameters.

list_dependencies Write

List dependencies Official Semgrep Web API endpoint: POST /api/v1/deployments/{deploymentId}/dependencies

Lua path: app.integrations.semgrep.list_dependencies
Full name: semgrep.semgrep_supply_chain_service_list_dependencies

Parameter	Type	Required	Description
No parameters.

list_repositories_with_dependencies Write

List repositories with dependencies Official Semgrep Web API endpoint: POST /api/v1/deployments/{deploymentId}/dependencies/repositories

Lua path: app.integrations.semgrep.list_repositories_with_dependencies
Full name: semgrep.semgrep_supply_chain_service_list_repositories_for_dependencies

Parameter	Type	Required	Description
No parameters.

list_lockfiles_given_repository_with_dependencies Write

List lockfiles in a given repository with dependencies Official Semgrep Web API endpoint: POST /api/v1/deployments/{deploymentId}/dependencies/repositories/{repositoryId}/lockfiles

Lua path: app.integrations.semgrep.list_lockfiles_given_repository_with_dependencies
Full name: semgrep.semgrep_supply_chain_service_list_lockfiles_for_dependencies

Parameter	Type	Required	Description
No parameters.

list_policies Read

List policies Official Semgrep Web API endpoint: GET /api/v1/deployments/{deploymentId}/policies

Lua path: app.integrations.semgrep.list_policies
Full name: semgrep.semgrep_policies_service_list_policies

Parameter	Type	Required	Description
No parameters.

list_policy_rules Read

List policy rules Official Semgrep Web API endpoint: GET /api/v1/deployments/{deploymentId}/policies/{policyId}

Lua path: app.integrations.semgrep.list_policy_rules
Full name: semgrep.semgrep_policies_service_list_policy_rules

Parameter	Type	Required	Description
No parameters.

update_policy Write

Update policy Official Semgrep Web API endpoint: PUT /api/v1/deployments/{deploymentId}/policies/{policyId}

Lua path: app.integrations.semgrep.update_policy
Full name: semgrep.semgrep_policies_service_update_policy

Parameter	Type	Required	Description
No parameters.

create_new_sbom_export_job Write

Create a new SBOM export job Official Semgrep Web API endpoint: POST /api/v1/deployments/{deploymentId}/sbom/export

Lua path: app.integrations.semgrep.create_new_sbom_export_job
Full name: semgrep.semgrep_supply_chain_service_create_sbom_export

Parameter	Type	Required	Description
No parameters.

get_status_sbom_export_job Read

Get the status of a SBOM export job Official Semgrep Web API endpoint: GET /api/v1/deployments/{deploymentId}/sbom/export/{taskToken}

Lua path: app.integrations.semgrep.get_status_sbom_export_job
Full name: semgrep.semgrep_supply_chain_service_get_sbom_export

Parameter	Type	Required	Description
No parameters.

get_scan_details Read

Get scan details Official Semgrep Web API endpoint: GET /api/v1/deployments/{deploymentId}/scan/{scanId} Request the details of a scan including the associated deployment, repository, and commit information.

Lua path: app.integrations.semgrep.get_scan_details
Full name: semgrep.semgrep_scans_service_get_scan

Parameter	Type	Required	Description
No parameters.

list_scans_beta Write

List scans (beta) Official Semgrep Web API endpoint: POST /api/v1/deployments/{deploymentId}/scans/search List the scans associated with a particular repository over the past 30 days.

Lua path: app.integrations.semgrep.list_scans_beta
Full name: semgrep.semgrep_scans_service_search_scans

Parameter	Type	Required	Description
No parameters.

list_secrets Read

List secrets Official Semgrep Web API endpoint: GET /api/v1/deployments/{deploymentId}/secrets

Lua path: app.integrations.semgrep.list_secrets
Full name: semgrep.semgrep_secrets_service_list_secrets_path

Parameter	Type	Required	Description
No parameters.

unlink_jira_ticket Write

Unlink a Jira ticket Official Semgrep Web API endpoint: DELETE /api/v1/deployments/{deploymentId}/ticketing/v2/tickets/{externalTicketId} Unlink a Jira ticket by its ID

Lua path: app.integrations.semgrep.unlink_jira_ticket
Full name: semgrep.semgrep_ticketing_service_delete_ticket

Parameter	Type	Required	Description
No parameters.

link_existing_ticket_findings Write

Link an existing ticket to findings Official Semgrep Web API endpoint: POST /api/v1/deployments/{deploymentId}/tickets/link Link an existing external ticket (e.g. Jira) to one or more Semgrep findings by providing the ticket URL and a list

Lua path: app.integrations.semgrep.link_existing_ticket_findings
Full name: semgrep.semgrep_ticketing_service_link_ticket

Parameter	Type	Required	Description
No parameters.

unlink_ticket_from_findings Write

Unlink a ticket from findings Official Semgrep Web API endpoint: POST /api/v1/deployments/{deploymentId}/tickets/unlink Remove the ticket association from one or more Semgrep findings by providing a list of finding IDs. This does not delete

Lua path: app.integrations.semgrep.unlink_ticket_from_findings
Full name: semgrep.semgrep_ticketing_service_unlink_ticket

Parameter	Type	Required	Description
No parameters.

list_code_supply_chain_or_ai_powered_scan_findings Read

List code, supply chain, or AI-powered scan findings Official Semgrep Web API endpoint: GET /api/v1/deployments/{deploymentSlug}/findings Request the list of code, supply chain, or AI-powered scan findings in an organization, paginated in p

Lua path: app.integrations.semgrep.list_code_supply_chain_or_ai_powered_scan_findings
Full name: semgrep.semgrep_findings_service_list_findings

Parameter	Type	Required	Description
No parameters.

list_all_projects Read

List all projects Official Semgrep Web API endpoint: GET /api/v1/deployments/{deploymentSlug}/projects Request the list of projects that have been scanned or onboarded to Managed Scans. Does not return archived repositories. Returns 100 pro

Lua path: app.integrations.semgrep.list_all_projects
Full name: semgrep.semgrep_projects_service_list_projects

Parameter	Type	Required	Description
No parameters.

get_project_details Read

Get project details Official Semgrep Web API endpoint: GET /api/v1/deployments/{deploymentSlug}/projects/{projectName} Retrieve details for a single project associated with a deployment that you have access to.

Lua path: app.integrations.semgrep.get_project_details
Full name: semgrep.semgrep_projects_service_get_project

Parameter	Type	Required	Description
No parameters.

update_project_details Write

Update project details Official Semgrep Web API endpoint: PATCH /api/v1/deployments/{deploymentSlug}/projects/{projectName} Update attributes for the project using the value passed in to the request body. Note: The only attribute that is su

Lua path: app.integrations.semgrep.update_project_details
Full name: semgrep.semgrep_projects_service_update_project

Parameter	Type	Required	Description
No parameters.

delete_project Write

Delete project Official Semgrep Web API endpoint: DELETE /api/v1/deployments/{deploymentSlug}/projects/{projectName} Delete a project for a deployment you have access to. This will also delete all of the associated findings.

Lua path: app.integrations.semgrep.delete_project
Full name: semgrep.semgrep_projects_service_delete_project

Parameter	Type	Required	Description
No parameters.

toggle_managed_scans_project Write

Toggle Managed Scans for a project Official Semgrep Web API endpoint: PATCH /api/v1/deployments/{deploymentSlug}/projects/{projectName}/managed-scan Enable or disable [Semgrep Managed Scans](/docs/deployment/managed-scanning/overview) for a

Lua path: app.integrations.semgrep.toggle_managed_scans_project
Full name: semgrep.semgrep_projects_service_toggle_project_managed_scan

Parameter	Type	Required	Description
No parameters.

add_tags_project Write

Add tags to project Official Semgrep Web API endpoint: PUT /api/v1/deployments/{deploymentSlug}/projects/{projectName}/tags Add tags to a project for a deployment you have access to. Any project tags that do not already exist for the deploy

Lua path: app.integrations.semgrep.add_tags_project
Full name: semgrep.semgrep_projects_service_add_project_tags

Parameter	Type	Required	Description
No parameters.

remove_tags_from_project Write

Remove tags from project Official Semgrep Web API endpoint: DELETE /api/v1/deployments/{deploymentSlug}/projects/{projectName}/tags Remove tags from a project for a deployment you have access to. This request will not delete project tags fr

Lua path: app.integrations.semgrep.remove_tags_from_project
Full name: semgrep.semgrep_projects_service_delete_project_tags

Parameter	Type	Required	Description
No parameters.

create_jira_tickets Write

Create Jira tickets Official Semgrep Web API endpoint: POST /api/v1/deployments/{deploymentSlug}/tickets Create Jira tickets for your findings. You can create tickets by passing in a list of issue_ids or by passing in filter query parameter

Lua path: app.integrations.semgrep.create_jira_tickets
Full name: semgrep.semgrep_ticketing_service_create_ticket

Parameter	Type	Required	Description
No parameters.

bulk_triage Write

Bulk triage Official Semgrep Web API endpoint: POST /api/v1/deployments/{deploymentSlug}/triage Bulk triage your findings. You can select the findings to triage by passing in a list of finding IDs as issue_ids, or by passing in filter query

Lua path: app.integrations.semgrep.bulk_triage
Full name: semgrep.semgrep_triage_service_bulk_triage

Parameter	Type	Required	Description
No parameters.

ping Read

Ping Official Semgrep Web API endpoint: GET /api/v1/ping Use to ping the server and assert liveness.

Lua path: app.integrations.semgrep.ping
Full name: semgrep.semgrep_misc_service_ping

Parameter	Type	Required	Description
No parameters.