Source code quality evaluation platform powered by AI
Project description
AI-powered code quality and security scanner
v1.0.7
Watch the 2-min demo · Website · Blog · Releases
AI models can now autonomously find and exploit zero-day vulnerabilities across operating systems, browsers, and web applications. Thousands of previously unknown flaws uncovered in weeks, not years.
The code you ship today will be read by models that can spot what humans miss. But the tools to prepare for this are locked behind enterprise contracts and partner programs.
Quodeq exists to change that.
Open source. MIT license. Runs locally. No telemetry. No account. No servers.
Scans any codebase with AI across six quality dimensions from ISO 25010: Security, Reliability, Maintainability, Performance, Flexibility, and Usability.
Every finding maps to a CWE identifier. You get grades, violations with line numbers, and a fix plan. Cloud providers (Claude, Gemini, Codex) for speed. Local models via Ollama for privacy.
What It Finds
CRITICAL src/db.py:15 SQL Injection via string concatenation CWE-89
query = f"SELECT * FROM users WHERE id = {user_id}"
HIGH src/auth.py:42 Hardcoded credentials in source code CWE-798
credentials = {"user": "admin", "pass": "secret123"}
MEDIUM src/api.py:88 Missing rate limiting on login endpoint CWE-307
@app.route("/login", methods=["POST"])
MINOR src/utils.py:23 Bare except clause hides errors CWE-396
except: pass
Each finding includes a reason, the offending code, and a fix plan. Results are stored as JSON on your machine.
Getting Started
1. Prerequisites
| OS | Command |
|---|---|
| macOS | brew install python node pipx |
| Debian / Ubuntu | sudo apt install -y python3.12 python3-pip pipx nodejs npm |
| Fedora / RHEL | sudo dnf install -y python3.12 python3-pip pipx nodejs npm |
| Arch | sudo pacman -S python python-pipx nodejs npm |
Debian/Ubuntu heads-up:
`nodejs` and `npm` are separate packages; `apt install nodejs` alone is not enough. If you also use the native desktop window (not `--browser`), you'll need `sudo apt install -y python3-gi gir1.2-webkit2-4.1` too; otherwise quodeq will automatically fall back to opening the dashboard in your default browser.
Minimum versions: Python 3.12+, Node.js 18+, npm 9+.
2. Install quodeq
pipx install quodeq # isolated, recommended
# or: pip install quodeq
3. Pick an AI provider
Quodeq needs an LLM to do the evaluation. You have two options:
Local, free, private — Ollama with Gemma 4:
# install ollama from https://ollama.com/download, then:
ollama pull gemma4-26b-32k
ollama serve # runs in the background
Cloud, faster — one of the agentic CLIs (at least one):
- Claude Code: `npm install -g @anthropic-ai/claude-code`
- Codex CLI: `npm install -g @openai/codex`
- Gemini CLI: `npm install -g @google/gemini-cli`
4. Launch the dashboard
quodeq
The dashboard opens at http://127.0.0.1:4173. Use Settings → AI Provider to select the one you installed in step 3, then Evaluate to point at a project and start your first scan.
If the native window doesn't show up (common on Linux without GTK), run quodeq --browser instead.
macOS App (beta)
Download the .dmg from Releases, open it, and drag Quodeq.app to Applications. On first launch:
xattr -cr /Applications/Quodeq.app # Required for unsigned apps
Or right-click the app, select Open, then click Open in the dialog.
Dashboard
- Grades and scores per dimension with A-F letter grades, numeric scores, and trends across runs
- Violations explorer to drill into findings by file, principle, or CWE classification
- Code map showing a visual heatmap of where issues concentrate in your codebase
- Custom standards to create your own evaluation dimensions or import from the library
Click any dimension, file, or principle to explore the details. Dismiss false positives directly from the UI.
Running quodeq is equivalent to quodeq dashboard. Both open the same UI.
CLI
quodeq evaluate /path/to/project
quodeq evaluate /path/to/project --scope src/api # Scoped to a subdirectory
quodeq evaluate /path/to/project -d security # Single dimension
AI Providers
Choose what fits your workflow. Configure in Settings from the dashboard.
| Provider | Type | Getting started |
|---|---|---|
| Ollama | Local | Free, private, code never leaves your machine |
| Claude Code | Cloud | Best balance of speed, quality, and cost |
| Codex CLI | Cloud | OpenAI models |
| Gemini CLI | Cloud | Google models |
For local analysis we recommend Gemma 4 (`gemma4:26b`). Reducing the context window to 32k still gives good results and allows running multiple subagents in parallel.
How It Works
- Detect languages, frameworks, and project structure
- Analyze with AI agents that read the code using read-only tools
- Collect findings as structured JSONL via tool calls
- Score against ISO 25010 principles with CWE classifications
- Report per-dimension grades, violations, compliance, and fix plans
Results are stored in ~/.quodeq/evaluations/ and persist across sessions. Works with any language. The AI analysis engine reads and understands code regardless of the tech stack.
Quodeq scores each principle on a 0 to 10 scale using four independent constraints. Full details in the scoring formula documentation.
Standards
By default, Quodeq evaluates the six ISO 25010 dimensions. It also ships with Clean Architecture and Domain-Driven Design standards. You can create your own from the dashboard, or ask any AI to generate one as a .json file and import it.
Development
Run from a fresh checkout:
git clone https://github.com/quodeq/quodeq.git && cd quodeq
uv sync # install Python deps into .venv/
uv run quodeq # launch the dashboard
uv run pytest # run the test suite
The same OS prerequisites apply as for the pipx install: Node.js 18+ and npm for the dashboard UI, and a configured LLM provider (Ollama or Claude Code / Codex CLI / Gemini CLI) before you can actually scan anything.
If the dashboard window doesn't appear on Linux, run uv run quodeq --browser (the native window needs python3-gi + gir1.2-webkit2-4.1, which aren't pulled in by the pip wheel).
Changelog
See CHANGELOG.md for release history.
License
MIT. See LICENSE.
Download files
File details
Details for the file quodeq-1.0.7.tar.gz.
File metadata
- Download URL: quodeq-1.0.7.tar.gz
- Upload date:
- Size: 32.8 MB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 1a9e2410759b548091f7acb4d8794ddcf655d81cf581a4c6f40ec6b1e864cb1e |
| MD5 | 4e6ade901b402dad8b461ec5fcf33dbc |
| BLAKE2b-256 | 08e032d14661a92858ba773949028b71cdc38da2a83c58fed6bc95708d3dfa10 |
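A practitioner installing from a downloaded artifact rather than straight from the index checks the file against the published digest, and the same SHA256 value should reappear as the subject digest in the Sigstore attestation bundle listed under Provenance; the two disagreeing would be a reason to stop. The following is an added example, my own code and not quodeq's: the digests are copied from this page's file-hashes tables and attestation bundles, the artifacts themselves are not embedded, and the script takes file paths on the command line.

```python
"""Check a downloaded quodeq 1.0.7 artifact against the digests published on this page."""
import hashlib
import hmac
import sys
from pathlib import Path

# SHA256 values copied from the "File hashes" tables on this page.
PUBLISHED_SHA256 = {
    "quodeq-1.0.7.tar.gz": "1a9e2410759b548091f7acb4d8794ddcf655d81cf581a4c6f40ec6b1e864cb1e",
    "quodeq-1.0.7-py3-none-any.whl": "e0d5a29dd2616f076a58e75a16fcd0205192ff0fa38f97ec83917f232f9fddfe",
}

# Subject digests copied from the attestation bundles in the "Provenance" sections.
ATTESTATION_SUBJECT_SHA256 = {
    "quodeq-1.0.7.tar.gz": "1a9e2410759b548091f7acb4d8794ddcf655d81cf581a4c6f40ec6b1e864cb1e",
    "quodeq-1.0.7-py3-none-any.whl": "e0d5a29dd2616f076a58e75a16fcd0205192ff0fa38f97ec83917f232f9fddfe",
}


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so a 30 MB sdist is not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def digest_matches(name: str, actual_hex: str, published=PUBLISHED_SHA256) -> bool:
    """True only if the computed digest equals the published one for this artifact name."""
    expected = published.get(name)
    if expected is None:
        raise KeyError(f"no published digest for {name}")
    # Constant-time comparison; not strictly needed for a public hex digest,
    # but it is the habit worth keeping for any comparison against an expected value.
    return hmac.compare_digest(actual_hex.lower(), expected.lower())


def verify_bytes(name: str, data: bytes, published=PUBLISHED_SHA256) -> bool:
    return digest_matches(name, sha256_of_bytes(data), published)


def verify_file(path) -> bool:
    path = Path(path)
    return digest_matches(path.name, sha256_of_file(path))


def attestation_consistent(name: str) -> bool:
    """The attestation's subject digest must be the same value as the file-hashes table."""
    return PUBLISHED_SHA256[name] == ATTESTATION_SUBJECT_SHA256[name]


if __name__ == "__main__":
    # Usage: python check_quodeq.py quodeq-1.0.7.tar.gz quodeq-1.0.7-py3-none-any.whl
    for arg in sys.argv[1:]:
        ok = verify_file(arg) and attestation_consistent(Path(arg).name)
        print(f"{arg}: {'OK' if ok else 'MISMATCH'}")
```

Only SHA256 is checked here; the MD5 and BLAKE2b-256 columns add nothing once the SHA256 (the value the attestation is bound to) matches.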
Provenance
The following attestation bundles were made for quodeq-1.0.7.tar.gz:
- Publisher: publish.yml on quodeq/quodeq
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: quodeq-1.0.7.tar.gz
- Subject digest: 1a9e2410759b548091f7acb4d8794ddcf655d81cf581a4c6f40ec6b1e864cb1e
- Sigstore transparency entry: 1375459118
- Sigstore integration time:
- Permalink: quodeq/quodeq@4ad508656d84a53736bafcf3736ccdd8b384a40d
- Branch / Tag: refs/tags/v1.0.7
- Owner: https://github.com/quodeq
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@4ad508656d84a53736bafcf3736ccdd8b384a40d
- Trigger Event: release
File details
Details for the file quodeq-1.0.7-py3-none-any.whl.
File metadata
- Download URL: quodeq-1.0.7-py3-none-any.whl
- Upload date:
- Size: 973.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | e0d5a29dd2616f076a58e75a16fcd0205192ff0fa38f97ec83917f232f9fddfe |
| MD5 | 85696c4732b19be5d2e7887cb2bdbf41 |
| BLAKE2b-256 | d2ac42fb065c4d6e0142ca96d8d507969463045c47a481325a43ac9ddc84e4d9 |
Provenance
The following attestation bundles were made for quodeq-1.0.7-py3-none-any.whl:
- Publisher: publish.yml on quodeq/quodeq
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: quodeq-1.0.7-py3-none-any.whl
- Subject digest: e0d5a29dd2616f076a58e75a16fcd0205192ff0fa38f97ec83917f232f9fddfe
- Sigstore transparency entry: 1375459165
- Sigstore integration time:
- Permalink: quodeq/quodeq@4ad508656d84a53736bafcf3736ccdd8b384a40d
- Branch / Tag: refs/tags/v1.0.7
- Owner: https://github.com/quodeq
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@4ad508656d84a53736bafcf3736ccdd8b384a40d
- Trigger Event: release