Hybrid code analysis tool with AI-powered explanations
Project description
Qodacode
Enterprise Code Intelligence Scanner - Hybrid security analysis with AI-powered explanations.
What is Qodacode?
Qodacode is a hybrid code analysis tool that combines:
- Deterministic Detection Engine: 4000+ security rules with zero false positives
- AI Explanations: Learn why issues matter with multi-provider AI support
- Supply Chain Security: Typosquatting and dependency attack detection
Three interfaces, one engine: CLI, TUI (interactive terminal), and MCP Server (for AI coding assistants).
Quick Start
# Install
pip install qodacode
# Quick security scan
qodacode check
# Interactive terminal interface
qodacode
# Full security audit
qodacode audit
macOS (Homebrew Python)
If you get permission errors with pip:
# Use pipx instead
pipx install qodacode
# Or use pip with --user flag
pip install --user qodacode
Troubleshooting
"command not found" after install:
# Check where qodacode is installed
which qodacode
# If conflicts with old version in /opt/homebrew/bin/
rm /opt/homebrew/bin/qodacode
pipx install qodacode --force
Python version error: Qodacode requires Python 3.10+. Check your version:
python3 --version
Features
Security Analysis
- Secret Detection: API keys, passwords, tokens, credentials
- SAST: SQL injection, XSS, command injection, path traversal
- Syntax Validation: Catch errors before runtime
- Custom Rules: Project-specific patterns
Supply Chain Security
- Typosquatting Detection: Catches malicious package impersonators
- Known Malware Database: 30+ confirmed attack packages
- Homoglyph Detection: Unicode lookalike attacks
- Keyboard Proximity Analysis: Adjacent key typos
AI-Powered Learning
- Junior Mode: Get explanations for every issue found
- Multi-Provider: OpenAI, Anthropic, Google Gemini, Grok
- Batch Processing: Efficient API usage
False Positive Reduction
- Semantic Context Analysis: Auto-filters safe patterns like
os.environ,decrypt(), test fixtures - Inline Ignore:
# qodacode-ignore: SEC-001to suppress specific lines .qodacodeignore: Gitignore-style exclusion patterns- Baseline Mode: For legacy projects - only show NEW issues
Interfaces
CLI Commands
qodacode check # Quick scan (syntax + secrets)
qodacode check --baseline # Only show NEW issues (not in baseline)
qodacode audit # Full security audit
qodacode typosquat # Check dependencies for attacks
qodacode baseline save # Save current issues as baseline
qodacode baseline show # View baseline info
qodacode doctor # Verify installation
TUI (Interactive Terminal)
Launch with qodacode (no arguments):
/check Quick scan
/audit Full audit
/typosquat Supply chain check
/ready Production ready?
/mode Toggle Junior/Senior mode
/api Configure AI provider
/export Save results
/help Show commands
MCP Server (AI Integration)
11 tools for AI coding assistants:
| Tool | Description |
|---|---|
quick_check |
Fast syntax + secrets scan |
full_audit |
Complete security analysis |
analyze_file |
Single file deep analysis |
check_dependencies |
Typosquatting detection |
get_issues |
Retrieve current issues |
explain_issue |
AI explanation for issue |
fix_issue |
Get fix suggestion |
get_project_status |
Overall project health |
configure_mode |
Set Junior/Senior mode |
list_rules |
Available detection rules |
search_patterns |
Search for code patterns |
Production Verdict
Qodacode gives a clear answer: Can I deploy this code?
if critical_issues > 0:
NOT READY - Fix N critical issues
else:
READY FOR PRODUCTION (N warnings)
Philosophy: Only critical issues block deployment. High/Medium/Low are technical debt to track, not security blockers.
Detection Engine
| Engine | Coverage |
|---|---|
| Core Engine | Syntax errors, custom patterns |
| Secret Detection | 50+ secret patterns (API keys, tokens, passwords) |
| Deep SAST | 4000+ security rules across languages |
| Supply Chain | Typosquatting, malware, homoglyphs |
Architecture
Qodacode uses a hybrid architecture for performance and security:
┌─────────────────────────────────────────────────┐
│ Interfaces (Python) │
│ CLI, TUI, MCP Server, LSP │
├─────────────────────────────────────────────────┤
│ Orchestration Layer (Python) │
│ Multi-engine coordination, deduplication │
├─────────────────────────────────────────────────┤
│ Core Algorithms (Rust - compiled) │
│ Fingerprinting, similarity, pattern matching │
├─────────────────────────────────────────────────┤
│ Detection Engines │
│ Semgrep, Gitleaks, Tree-sitter, OSV │
└─────────────────────────────────────────────────┘
The Rust core module (qodacode_core) provides optimized algorithms:
- Fingerprinting: Stable issue IDs using BLAKE3
- Similarity: Levenshtein distance for typosquatting
- Homoglyphs: Unicode lookalike detection
- Pattern Matching: Aho-Corasick for safe pattern recognition
Falls back to pure Python when Rust extension is not available.
Configuration
Configuration is stored in .qodacode/config.json:
{
"mode": "junior",
"language": "en",
"ai": {
"api_key": "sk-...",
"provider": "openai"
}
}
AI Provider Detection
API keys are auto-detected by prefix:
| Prefix | Provider |
|---|---|
sk-ant-* |
Anthropic (Claude) |
sk-* |
OpenAI (GPT) |
xai-* |
Grok (xAI) |
AIza* |
Google Gemini |
Severity Levels
| Level | Meaning | Action |
|---|---|---|
| Critical | Security vulnerability | Must fix before deploy |
| High | Significant issue | Should fix, doesn't block |
| Medium | Code quality concern | Review when possible |
| Low | Minor suggestion | Nice to have |
Languages Supported
- Python
- JavaScript/TypeScript
- Go
- Java
- More coming...
Why Qodacode?
| Feature | Qodacode | Traditional Linters |
|---|---|---|
| Hybrid Analysis | Deterministic + AI | Rules only |
| Supply Chain | Typosquatting detection | No |
| AI Explanations | Multi-provider | No |
| Interactive TUI | Modern terminal UI | No |
| MCP Integration | AI assistant ready | No |
Requirements
- Python 3.10 or higher
- pip (Python package manager)
External Dependencies
Qodacode automatically manages external binaries:
- Gitleaks: Downloaded on first use to
~/.qodacode/bin/(or uses system-installed version if available) - Semgrep: Installed via pip as a Python dependency
Acknowledgments
Qodacode orchestrates best-in-class open source security tools:
- Semgrep - Lightweight static analysis for many languages (LGPL-2.1)
- Gitleaks - Secret detection and prevention (MIT)
- Tree-sitter - Incremental parsing system (MIT)
- OSV - Open Source Vulnerabilities database (Apache-2.0)
These projects are the detection engines. Qodacode adds orchestration, deduplication, AI explanations, and unified interfaces (CLI, TUI, MCP).
License
AGPL-3.0 License - see LICENSE for details.
Links
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file qodacode-1.0.2.tar.gz.
File metadata
- Download URL: qodacode-1.0.2.tar.gz
- Upload date:
- Size: 678.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.2
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
74faf72e1543550daac48f3ce60b1f904ae096833c1d14c33a26570b5cd40caf
|
|
| MD5 |
eac11fe8aed69786aa48c76479dcbb92
|
|
| BLAKE2b-256 |
c3beb48e6f0159572c4825ff47d8d018a47359fd41249a24268bf4ff9bf68258
|
File details
Details for the file qodacode-1.0.2-py3-none-any.whl.
File metadata
- Download URL: qodacode-1.0.2-py3-none-any.whl
- Upload date:
- Size: 187.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.2
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
fe58a5fcf4e5c45c34c4ec615d184a073a1676ed8137f7d1a408a228a0e6a925
|
|
| MD5 |
d3644785579bffe3d6fc3454b7c5e8a4
|
|
| BLAKE2b-256 |
672b6fd95c591b7191da7a491a9e4d03d54994c6de0c644e5fa2e7cecaedb607
|
