Open-source code security scanner Quodeq runs fully on local AI models

Quodeq is an open-source code quality and that runs entirely on your own computer using through Ollama (such as Gemma), so no code ever leaves the machine. It requires no account and collects no telemetry; install it with pipx install quodeq and use its local dashboard to view results. It checks code across six ISO 25010 categories: security, reliability, , performance, flexibility, and usability.

Each finding includes a CWE ID (a standard vulnerability ), the exact line involved, a reason, and a suggested fix. Code that passes checks is marked COMPLIANT, so you can see what was actually reviewed, not just what was flagged. Results are saved as s.

For faster results, it can also connect to cloud tools like Claude Code, Codex, or Gemini CLI, though local-only operation is the default, and the project's own CI pipeline runs entirely on Ollama with no API keys. On an M4-Max with 64GB of RAM using the gemma4:26b model, it scans about 6-10 files per minute, which the creator admits is not fast.

Key points

  • Runs local models (e.g., gemma4:26b) via Ollama, sending no code externally
  • Installs with pipx install quodeq and includes a local dashboard
  • Scores code against six ISO 25010 categories: security, reliability, , performance, flexibility, usability
  • Each finding includes a CWE ID, line location, reason, and fix suggestion, with clean code marked COMPLIANT
  • Scans roughly 6-10 files per minute on an M4-Max with 64GB RAM, and can also route to cloud LLMs for speed
Read original