{"id":47680719,"url":"https://github.com/quodeq/quodeq","last_synced_at":"2026-05-10T09:14:15.065Z","repository":{"id":343886269,"uuid":"1166862990","full_name":"quodeq/quodeq","owner":"quodeq","description":"AI-powered code quality and security scanner. Open source, MIT, runs locally. \u003c🧭\u003e","archived":false,"fork":false,"pushed_at":"2026-05-01T22:32:00.000Z","size":10670,"stargazers_count":12,"open_issues_count":1,"forks_count":1,"subscribers_count":2,"default_branch":"develop","last_synced_at":"2026-05-01T23:11:42.032Z","etag":null,"topics":["ai-tools","cli","code-analysis","code-quality","cwe","devtools","iso-25010","llm","open-source","python","quality-assurance","security","static-analysis","vulnerability-scanner"],"latest_commit_sha":null,"homepage":"https://quodeq.ai","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/quodeq.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-02-25T17:32:28.000Z","updated_at":"2026-05-01T22:31:46.000Z","dependencies_parsed_at":null,"dependency_job_id":"b869f037-ffc5-45fe-8ecf-145bbbcbf105","html_url":"https://github.com/quodeq/quodeq","commit_stats":null,"previous_names":["quodeq/quodeq"],"tags_count":23,"template":false,"template_full_name":null,"purl":"pkg:github/quodeq/quodeq","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quodeq%2Fquodeq","tags_url":"https://repos.ecosys
te.ms/api/v1/hosts/GitHub/repositories/quodeq%2Fquodeq/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quodeq%2Fquodeq/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quodeq%2Fquodeq/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/quodeq","download_url":"https://codeload.github.com/quodeq/quodeq/tar.gz/refs/heads/develop","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quodeq%2Fquodeq/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32517232,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-30T13:12:12.517Z","status":"online","status_checked_at":"2026-05-01T02:00:05.856Z","response_time":64,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-tools","cli","code-analysis","code-quality","cwe","devtools","iso-25010","llm","open-source","python","quality-assurance","security","static-analysis","vulnerability-scanner"],"created_at":"2026-04-02T13:58:58.494Z","updated_at":"2026-05-10T09:14:15.056Z","avatar_url":"https://github.com/quodeq.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cpicture\u003e\n    \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"res/quodeq-logo-dark.svg\" /\u003e\n    \u003cimg src=\"res/quodeq-logo.svg\" alt=\"Quodeq\" width=\"340\" /\u003e\n  
\u003c/picture\u003e\n\u003c/p\u003e\n\n\u003ch2 align=\"center\"\u003eAI-powered code quality and security scanner\u003c/h2\u003e\n\u003cp align=\"center\"\u003e\u003cstrong\u003ev1.1.2\u003c/strong\u003e\u003c/p\u003e\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/quodeq/quodeq/actions/workflows/test.yml\"\u003e\u003cimg src=\"https://github.com/quodeq/quodeq/actions/workflows/test.yml/badge.svg\" alt=\"Tests\" /\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/quodeq/quodeq/blob/main/LICENSE\"\u003e\u003cimg src=\"https://img.shields.io/badge/license-MIT-blue.svg\" alt=\"MIT License\" /\u003e\u003c/a\u003e\n  \u003ca href=\"https://pypi.org/project/quodeq/\"\u003e\u003cimg src=\"https://img.shields.io/pypi/v/quodeq.svg\" alt=\"PyPI\" /\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://www.youtube.com/watch?v=C9feqpR5BMI\u0026list=PLJjpl8sE7W-U1HMePWdGis7w834NPYD3R\"\u003eWatch the 2-min demo\u003c/a\u003e · \u003ca href=\"https://quodeq.ai\"\u003eWebsite\u003c/a\u003e · \u003ca href=\"https://quodeq.ai/blog/\"\u003eBlog\u003c/a\u003e · \u003ca href=\"https://github.com/quodeq/quodeq/releases/latest\"\u003eReleases\u003c/a\u003e\n\u003c/p\u003e\n\n---\n\nAI models can now autonomously find and exploit zero-day vulnerabilities across operating systems, browsers, and web applications. Thousands of previously unknown flaws uncovered in weeks, not years.\n\nThe code you ship today will be read by models that can spot what humans miss. But the tools to prepare for this are locked behind enterprise contracts and partner programs.\n\nQuodeq exists to change that.\n\n**Open source. MIT license. Runs locally. No telemetry. No account. 
No servers.**\n\nScans any codebase with AI across six quality dimensions from [ISO 25010](https://www.iso.org/standard/35733.html):\n**Security**, **Reliability**, **Maintainability**, **Performance**, **Flexibility**, and **Usability**.\n\nEvery finding maps to a [CWE](https://cwe.mitre.org/) identifier. You get grades, violations with line numbers, and a fix plan. Cloud providers (Claude, Gemini, Codex) for speed. Local models via [Ollama](https://ollama.com) for privacy.\n\n---\n\n## What It Finds\n\n```\nCRITICAL    src/db.py:15        SQL injection via string concatenation     CWE-89\n            query = f\"SELECT * FROM users WHERE id = {user_id}\"\n\nMAJOR       src/auth.py:42      Hardcoded credentials in source code       CWE-798\n            credentials = {\"user\": \"admin\", \"pass\": \"secret123\"}\n\nMINOR       src/utils.py:23     Bare except clause hides errors            CWE-396\n            except: pass\n\nCOMPLIANT   src/api.py:88       Parameterized query prevents injection     CWE-89\n            cursor.execute(\"SELECT * FROM users WHERE id = ?\", (user_id,))\n```\n\nEach finding includes a reason, the offending code, and a fix plan. Results are stored as JSON on your machine.\n\n---\n\n## Getting Started\n\n### 1. Prerequisites\n\n| OS | Command |\n|---|---|\n| **macOS** | `brew install python node pipx` |\n| **Windows** _(experimental)_ | `winget install Python.Python.3.13 OpenJS.NodeJS` then `python -m pip install --user pipx \u0026\u0026 python -m pipx ensurepath` |\n| **Debian / Ubuntu** | `sudo apt install -y python3.12 python3-pip pipx nodejs npm` |\n| **Fedora / RHEL** | `sudo dnf install -y python3.12 python3-pip pipx nodejs npm` |\n| **Arch** | `sudo pacman -S python python-pipx nodejs npm` |\n\n\u003e **Debian/Ubuntu heads-up:** `nodejs` and `npm` are separate packages. `apt install nodejs` alone is not enough. 
If you also use the native desktop window (not `--browser`), you'll need `sudo apt install -y python3-gi gir1.2-webkit2-4.1` too — otherwise quodeq will auto-fall-back to opening the dashboard in your default browser.\n\n\u003e **Windows heads-up:** Windows is supported on a best-effort basis. The full test suite runs green on `windows-latest` in CI, but we don't have a Windows machine to smoke-test the dashboard or end-to-end runs against — so please [open an issue](https://github.com/quodeq/quodeq/issues) if anything misbehaves.\n\nMinimum versions: Python 3.12+, Node.js 18+, npm 9+.\n\n### 2. Install quodeq\n\n```bash\npipx install quodeq    # isolated, recommended\n# or: pip install quodeq\n```\n\n### 3. Pick an AI provider\n\nQuodeq needs an LLM to do the evaluation. You have two options:\n\n**Local, free, private** — [Ollama](https://ollama.com/download) with Gemma 4:\n```bash\n# install ollama from https://ollama.com/download, then:\nollama pull gemma4-26b-32k\nollama serve    # starts the local server; keep it running while you scan\n```\n\n**Cloud, faster** — one of the agentic CLIs (at least one):\n- [Claude Code](https://docs.anthropic.com/en/docs/claude-code/overview) — `npm install -g @anthropic-ai/claude-code`\n- [Codex CLI](https://developers.openai.com/codex/quickstart) — `npm install -g @openai/codex`\n- [Gemini CLI](https://geminicli.com/docs/get-started/installation/) — `npm install -g @google/gemini-cli`\n\n### 4. Launch the dashboard\n\n```bash\nquodeq\n```\n\nThe dashboard opens at `http://127.0.0.1:7863`. Use **Settings → AI Provider** to select the one you installed in step 3, then **Evaluate** to point at a project and start your first scan.\n\nIf the native window doesn't show up (common on Linux without GTK), run `quodeq --browser` instead.\n\n### macOS App (beta)\n\nDownload the `.dmg` from [Releases](https://github.com/quodeq/quodeq/releases/latest), open it, and drag `Quodeq.app` to Applications. 
On first launch:\n\n```bash\nxattr -cr /Applications/Quodeq.app    # Required for unsigned apps\n```\n\nThis clears the quarantine attribute, so Gatekeeper stops blocking the unsigned app; only do it for a `.dmg` you downloaded from the Releases page above. Alternatively, right-click the app, select Open, then click Open in the dialog.\n\n---\n\n## Dashboard\n\n\u003cp align=\"center\"\u003e\n  \u003cpicture\u003e\n    \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"res/dashboard-dark.png\" /\u003e\n    \u003cimg src=\"res/dashboard.png\" alt=\"Quodeq Dashboard\" width=\"900\" /\u003e\n  \u003c/picture\u003e\n\u003c/p\u003e\n\u003cbr\u003e\n\n- **Grades and scores** per dimension with A-F letter grades, numeric scores, and trends across runs\n- **Violations explorer** to drill into findings by file, principle, or CWE classification\n- **Code map** showing a visual heatmap of where issues concentrate in your codebase\n- **Custom standards** to create your own evaluation dimensions or import from the library\n\nClick any dimension, file, or principle to explore the details. Dismiss false positives directly from the UI.\n\nRunning `quodeq` is equivalent to `quodeq dashboard`. Both open the same UI.\n\n### CLI\n\n```bash\nquodeq evaluate /path/to/project\nquodeq evaluate /path/to/project --scope src/api    # Scoped to a subdirectory\nquodeq evaluate /path/to/project -d security        # Single dimension\n```\n\n---\n\n## AI Providers\n\nChoose what fits your workflow. Configure in **Settings** from the dashboard. A cloud provider receives the code under analysis; pick a local provider when the code must stay on your machine.\n\n| Provider | Type | Getting started |\n|---|---|---|\n| [Ollama](https://ollama.com/download) | Local | Free, private, code never leaves your machine |\n| [llama.cpp](https://github.com/ggml-org/llama.cpp) | Local | Run any GGUF directly. 
Supports speculative decoding (MTP) via a draft model |\n| [Claude Code](https://code.claude.com/docs/en/quickstart) | Cloud | Best balance of speed, quality, and cost |\n| [Codex CLI](https://developers.openai.com/codex/quickstart) | Cloud | OpenAI models |\n| [Gemini CLI](https://geminicli.com/docs/get-started/installation/) | Cloud | Google models |\n\n\u003e For local analysis we recommend [Gemma 4](https://deepmind.google/models/gemma/gemma-4/) ([`gemma4:26b`](https://ollama.com/library/gemma4:26b)). Reducing the context window to 32k still gives good results and allows running multiple subagents in parallel.\n\n### Using llama.cpp\n\nllama.cpp is one process per model, fixed at launch. Start `llama-server` yourself, then point Quodeq at it from **Settings → AI Provider → llama.cpp**.\n\n```bash\n# Quodeq creates ~/.quodeq/logs/ on first launch — just redirect there\n# and the CONSOLE button picks it up automatically.\nllama-server -m path/to/target.gguf --port 8080 \\\n  \u003e ~/.quodeq/logs/llama-server.log 2\u003e\u00261\n\n# Speculative decoding (MTP), pair a target with a smaller drafter\nllama-server -m path/to/target.gguf -md path/to/drafter.gguf --port 8080 \\\n  \u003e ~/.quodeq/logs/llama-server.log 2\u003e\u00261\n```\n\nQuodeq probes `http://localhost:8080` and looks for the log file at `~/.quodeq/logs/llama-server.log` (or platform-standard locations like `~/Library/Logs/llama-server.log` on macOS). Override with `LLAMACPP_LOG_FILE`. To use a different port or host, set `LLAMACPP_BASE_URL`. To switch models, stop `llama-server` and relaunch with a different `-m`.\n\n---\n\n## How It Works\n\n1. **Detect** languages, frameworks, and project structure\n2. **Analyze** with AI agents that read the code using read-only tools\n3. **Collect** findings as structured JSONL via tool calls\n4. **Score** against [ISO 25010](https://www.iso.org/standard/35733.html) principles with [CWE](https://cwe.mitre.org/) classifications\n5. 
**Report** per-dimension grades, violations, compliance, and fix plans\n\nResults are stored in `~/.quodeq/evaluations/` and persist across sessions. Works with any language. The AI analysis engine reads and understands code regardless of the tech stack.\n\nQuodeq scores each principle on a 0 to 10 scale using four independent constraints. Full details in [the scoring formula documentation](src/quodeq/core/scoring/README.md).\n\n### Standards\n\nBy default, Quodeq evaluates the six ISO 25010 dimensions. It also ships with **Clean Architecture** and **Domain-Driven Design** standards. You can create your own from the dashboard, or ask any AI to generate one as a `.json` file and import it.\n\n---\n\n## Development\n\nRun from a fresh checkout (needs [uv](https://docs.astral.sh/uv/) installed):\n\n```bash\ngit clone https://github.com/quodeq/quodeq.git \u0026\u0026 cd quodeq\nuv sync                   # install Python deps into .venv/\nuv run quodeq             # launch the dashboard\nuv run pytest             # run the test suite\n```\n\nSame OS prerequisites apply as for the pipx install — Node.js 18+ and npm for the dashboard UI, and a configured LLM provider (Ollama or Claude Code / Codex CLI / Gemini CLI) before you can actually scan anything.\n\nIf the dashboard window doesn't appear on Linux, run `uv run quodeq --browser` (the native window needs `python3-gi` + `gir1.2-webkit2-4.1`, which aren't pulled in by the pip wheel).\n\n## Changelog\n\nSee [CHANGELOG.md](CHANGELOG.md) for release history.\n\n## License\n\nMIT. See [LICENSE](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fquodeq%2Fquodeq","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fquodeq%2Fquodeq","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fquodeq%2Fquodeq/lists"}
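The README's "What It Finds" block and the "Collect findings as structured JSONL" step describe the shape of a finding (severity, `file:line`, message, CWE id, offending code) but not how a code pattern turns into one. The following is an added example, not Quodeq's own code: Quodeq delegates the analysis to LLM agents, whereas this is a plain Python `ast` checker that recognizes the three violation patterns and the compliant parameterized query from the README's sample and emits each as one JSONL record. `SAMPLE_SOURCE`, `SECRET_NAMES`, the function names and the severity labels are constructed for this illustration.

```python
import ast
import json

# Constructed sample input, mirroring the patterns in the README's "What It Finds" block.
SAMPLE_SOURCE = '''\
def get_user(cursor, user_id):
    query = f"SELECT * FROM users WHERE id = {user_id}"
    cursor.execute(query)

credentials = {"user": "admin", "pass": "secret123"}

def risky():
    try:
        pass
    except:
        pass

def get_user_safe(cursor, user_id):
    cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))
'''

# Dict keys treated as credential holders (illustrative list, not Quodeq's).
SECRET_NAMES = {"pass", "password", "passwd", "secret", "token", "api_key"}


def _has_placeholder(node):
    """True for an f-string that actually interpolates a value (f"abc" does not)."""
    return isinstance(node, ast.JoinedStr) and any(
        isinstance(v, ast.FormattedValue) for v in node.values)


def _is_db_execute(node):
    """True for calls shaped like <obj>.execute(...) / <obj>.executemany(...)."""
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr in {"execute", "executemany"} and len(node.args) > 0)


def _tainted_query(arg, fstring_vars):
    """Return the node that builds the query from runtime values, or None.

    Covers an f-string passed directly, a name bound to an f-string earlier in
    the file, and string concatenation / %-formatting. Everything else is
    treated as not tainted, so this deliberately errs towards false negatives.
    """
    if _has_placeholder(arg):
        return arg
    if isinstance(arg, ast.Name) and arg.id in fstring_vars:
        return fstring_vars[arg.id]
    if isinstance(arg, ast.BinOp) and isinstance(arg.op, (ast.Add, ast.Mod)):
        return arg
    return None


def find_issues(source, filename="sample.py"):
    """Scan Python source text and return findings as dicts, sorted by line."""
    tree = ast.parse(source)
    lines = source.splitlines()
    findings = []

    def report(severity, node, message, cwe):
        findings.append({"severity": severity, "file": filename, "line": node.lineno,
                         "message": message, "cwe": cwe,
                         "code": lines[node.lineno - 1].strip()})

    # Pass 1: remember simple names bound to interpolating f-strings, so that
    # `query = f"..."; cursor.execute(query)` resolves back to the f-string.
    fstring_vars = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and _has_placeholder(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    fstring_vars[target.id] = node.value

    # Pass 2: the checks. Only execute() calls are inspected for CWE-89, so a
    # stray f-string that never reaches the database is not reported.
    for node in ast.walk(tree):
        if _is_db_execute(node):
            first = node.args[0]
            tainted = _tainted_query(first, fstring_vars)
            if tainted is not None:
                report("CRITICAL", tainted, "SQL injection via string formatting", "CWE-89")
            elif (isinstance(first, ast.Constant) and isinstance(first.value, str)
                  and len(node.args) > 1):
                # Constant SQL text plus a separate parameter argument.
                report("COMPLIANT", node, "Parameterized query prevents injection", "CWE-89")
        elif isinstance(node, ast.Dict):
            for key, value in zip(node.keys, node.values):
                if (isinstance(key, ast.Constant) and isinstance(key.value, str)
                        and key.value.lower() in SECRET_NAMES
                        and isinstance(value, ast.Constant)
                        and isinstance(value.value, str) and value.value):
                    report("MAJOR", node, "Hardcoded credentials in source code", "CWE-798")
                    break
        elif isinstance(node, ast.ExceptHandler) and node.type is None:
            report("MINOR", node, "Bare except clause hides errors", "CWE-396")

    findings.sort(key=lambda f: f["line"])
    return findings


def to_jsonl(findings):
    """One JSON object per line, the shape the README calls structured JSONL."""
    return "\n".join(json.dumps(f) for f in findings)


if __name__ == "__main__":
    print(to_jsonl(find_issues(SAMPLE_SOURCE)))
```

Running the block prints four records for the sample: the injection reported at the line where the query string is built (as in the README's example, where the offending line is the f-string, not the `execute` call), the credential dict, the bare `except`, and the compliant parameterized call. The name tracking is single-file and single-assignment only; a query assembled with `.format()`, passed through another function, or read from a class attribute is missed, which is exactly the gap that a data-flow-aware scanner, or the LLM-driven reading the README describes, is meant to close.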