Hybrid code analysis tool with AI-powered explanations
Project description
Qodacode
Enterprise Code Intelligence Scanner - Hybrid security analysis with AI-powered explanations.
What is Qodacode?
Qodacode is a hybrid code analysis tool that combines:
- Deterministic Detection Engine: 4000+ security rules with zero false positives
- AI Explanations: Learn why issues matter with multi-provider AI support
- Supply Chain Security: Typosquatting and dependency attack detection
Three interfaces, one engine: CLI, TUI (interactive terminal), and MCP Server (for AI coding assistants).
Quick Start
# Install
pip install qodacode
# Quick security scan
qodacode check
# Interactive terminal interface
qodacode
# Full security audit
qodacode audit
Features
Security Analysis
- Secret Detection: API keys, passwords, tokens, credentials
- SAST: SQL injection, XSS, command injection, path traversal
- Syntax Validation: Catch errors before runtime
- Custom Rules: Project-specific patterns
Supply Chain Security
- Typosquatting Detection: Catches malicious package impersonators
- Known Malware Database: 30+ confirmed attack packages
- Homoglyph Detection: Unicode lookalike attacks
- Keyboard Proximity Analysis: Adjacent key typos
AI-Powered Learning
- Junior Mode: Get explanations for every issue found
- Multi-Provider: OpenAI, Anthropic, Google Gemini, Grok
- Batch Processing: Efficient API usage
Interfaces
CLI Commands
qodacode check # Quick scan (syntax + secrets)
qodacode audit # Full security audit
qodacode typosquat # Check dependencies for attacks
qodacode doctor # Verify installation
qodacode version # Show version
TUI (Interactive Terminal)
Launch with qodacode (no arguments):
/check Quick scan
/audit Full audit
/typosquat Supply chain check
/ready Production ready?
/mode Toggle Junior/Senior mode
/api Configure AI provider
/export Save results
/help Show commands
MCP Server (AI Integration)
11 tools for AI coding assistants:
| Tool | Description |
|---|---|
quick_check |
Fast syntax + secrets scan |
full_audit |
Complete security analysis |
analyze_file |
Single file deep analysis |
check_dependencies |
Typosquatting detection |
get_issues |
Retrieve current issues |
explain_issue |
AI explanation for issue |
fix_issue |
Get fix suggestion |
get_project_status |
Overall project health |
configure_mode |
Set Junior/Senior mode |
list_rules |
Available detection rules |
search_patterns |
Search for code patterns |
Production Verdict
Qodacode gives a clear answer: Can I deploy this code?
if critical_issues > 0:
NOT READY - Fix N critical issues
else:
READY FOR PRODUCTION (N warnings)
Philosophy: Only critical issues block deployment. High/Medium/Low are technical debt to track, not security blockers.
Detection Engine
| Engine | Coverage |
|---|---|
| Core Engine | Syntax errors, custom patterns |
| Secret Detection | 50+ secret patterns (API keys, tokens, passwords) |
| Deep SAST | 4000+ security rules across languages |
| Supply Chain | Typosquatting, malware, homoglyphs |
Configuration
Configuration is stored in .qodacode/config.json:
{
"mode": "junior",
"language": "en",
"ai": {
"api_key": "sk-...",
"provider": "openai"
}
}
AI Provider Detection
API keys are auto-detected by prefix:
| Prefix | Provider |
|---|---|
sk-ant-* |
Anthropic (Claude) |
sk-* |
OpenAI (GPT) |
xai-* |
Grok (xAI) |
AIza* |
Google Gemini |
Severity Levels
| Level | Meaning | Action |
|---|---|---|
| Critical | Security vulnerability | Must fix before deploy |
| High | Significant issue | Should fix, doesn't block |
| Medium | Code quality concern | Review when possible |
| Low | Minor suggestion | Nice to have |
Languages Supported
- Python
- JavaScript/TypeScript
- Go
- Java
- More coming...
Why Qodacode?
| Feature | Qodacode | Traditional Linters |
|---|---|---|
| Hybrid Analysis | Deterministic + AI | Rules only |
| Supply Chain | Typosquatting detection | No |
| AI Explanations | Multi-provider | No |
| Interactive TUI | Modern terminal UI | No |
| MCP Integration | AI assistant ready | No |
Requirements
- Python 3.10 or higher
- pip (Python package manager)
License
MIT License - see LICENSE for details.
Links
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file qodacode-0.5.0.tar.gz.
File metadata
- Download URL: qodacode-0.5.0.tar.gz
- Upload date:
- Size: 286.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
138f353fb71804c85f6291c1aa7801e2a50b36133fe9a8c63628e7cf2529a060
|
|
| MD5 |
209737e0150c92f7e3af3505f0b7d54b
|
|
| BLAKE2b-256 |
4cc98092939847d07fc5d3081e02efc5365699cff6645d60ef5ede1d0315d59b
|
File details
Details for the file qodacode-0.5.0-py3-none-any.whl.
File metadata
- Download URL: qodacode-0.5.0-py3-none-any.whl
- Upload date:
- Size: 137.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
3992ba822be0b400466a2b9e0eeb2903a85cb89ce07144d8bdec28c60a464a66
|
|
| MD5 |
85558d59bc55dbdb58b9a26417686559
|
|
| BLAKE2b-256 |
67f699ac9ce5dfb014bf501d762f820fc297bffa8498f72857dd1627309aecf3
|
