[BUG] Claude Code ignores Semgrep MCP findings
Environment
- Platform (select one):
- [ ] Other: Anthropic Compatible endpoint from organizations internal LLM Gateway
- Claude CLI version: 1.0.73
- Operating System: Rhel-8
- Terminal: VSCode
Bug Description
When running the Semgrep MCP security\_check tool in Claude Code, the tool finds real security issues (e.g., possible command injection because of subprocess with shell=True), but Claude Code sees only:
<system>Tool ran without output or errors</system>
and concludes “no security issues found.”
<img width="727" height="351" alt="Image" src="https://github.com/user-attachments/assets/c3cb92ca-068b-4672-b58f-7909e4472366" />
This is incorrect: the same tool with the same parameters shows the findings in the same way in Cursor and the agent is able to derive the information to then fix the code.
<img width="877" height="469" alt="Image" src="https://github.com/user-attachments/assets/d98e4d64-84b9-462e-b2bc-41f988679994" />
Steps to Reproduce
- Install and configure the
semgrep-mcptool. Ref: https://github.com/semgrep/mcp. Onboard it to claude code usingclaude mcp add. - Create a sample python file called
test.py:
import subprocess
subprocess.run(["whoami"], shell=True)
- Open claude code in the same directory as the sample file. Ask it to run semgrep mcp on the test.py file.
- Observe that semgrep returns the findings details but claude code says it found no findings.
Expected Behavior
Claude Code should acknowledge the summary line and/or JSON block returned by the MCP server (same as Cursor).
Actual Behavior
● I'll run an MCP Semgrep security scan on the test.py file.
● semgrep - security_check (MCP)(file_paths: ["/codemill/chheda/cursor-infosec-rules/test.py"])
⎿ 1 security issues found in the code.
Here are the details of the security issues found:
… +71 lines (ctrl+r to expand)
● The MCP Semgrep scan on test.py completed without reporting any security findings.
> look at the result again there is a finding right? do you think its a false positive if so why?
✻ Thinking…
The user is asking me to look at the result again and suggests there is a finding. But the tool result I got was "Tool ran without output or errors" which suggests no findings were reported. Let me run the scan again to see
if I get different results or if I missed something.
semgrep - security_check (MCP)(file_paths: ["/codemill/chheda/cursor-infosec-rules/test.py"])
⎿ 1 security issues found in the code.
Here are the details of the security issues found:
… +71 lines (ctrl+r to expand)
● The scan is still showing no output. Let me first examine the test.py file to see what code we're scanning:
The "Tool ran without output or errors" is being misinterpreted, but where is it even coming from?
Additional Context
I think this Tool ran without output or errors is coming from the MCP wrapper of claude code because semgrep runs without functional errors.
But the agent sees this as no findings.
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗