A deterministic security scanner for C, Rust, Go, Python, and 20+ other languages. 414 curated patterns — hand-written and regression-tested. Ran it on NASA's nasa/IDF flight-software repo and found real bugs (PR #107 submitted, pending review). The LLM only verifies; the scanner does the work. Runs 100% on your hardware. SARIF output for CI.
Head-to-head with Semgrep, Semgrep Pro, CodeQL on OWASP Benchmark v1.2 →
The audit pipeline is a first-class primitive, not a chat instruction you have to negotiate with the model.
Pattern library runs deterministically across your tree. Optional LLM verifier downgrades false positives. Produces AUDIT_REPORT.md + SARIF.
Each pattern ships with a fix template. Size guards, bounded copies, RAII wrappers applied automatically. Diff-previewed before write.
Branch + commit + LLM-generated PR description grounded in the finding evidence. Auto-fork and submit when you don't own the repo.
LLM-first tools send your whole codebase to a cloud model and hope it notices the bug. KCode flips it: a deterministic scanner pre-filters the tree down to ~10k tokens of actual candidates, then a local LLM verifies only those. Faster, cheaper, and reproducible: the same tree yields the same candidate set on every run.
Not LLM-generated. Every pattern is hand-written, ships with positive + negative fixtures, and survives a CI regression harness on every release.
The deterministic scanner does the heavy lifting. The LLM only verifies — seeing ~10k tokens of pre-filtered candidates instead of 300k+ of raw source.
C, C++, Rust, Go, Python, Java, JavaScript, TypeScript, PHP, Ruby, Swift, Kotlin, C#, Scala, Haskell, Zig, Dart, Lua, SQL — plus framework packs for Flask, Rails, React.
Output is SARIF v2.1.0 — drop-in compatible with GitHub Code Scanning. Findings appear as inline PR comments. Ships as a one-line GitHub Action.
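The pieces described above (a hand-written deterministic pattern, a fix template that turns an unbounded copy into a bounded one, positive and negative fixtures with a regression check, and SARIF v2.1.0 output) as one added example. This is illustrative code, not KCode's rule engine, fixture format or rule set: the rule id `example/unbounded-strcpy`, the scanner name `example-scanner`, the regexes and the two C fixtures are all constructed here.

```python
import difflib
import json
import re

# Added example, not KCode's own rule engine or fixture format.
RULE_ID = "example/unbounded-strcpy"  # hypothetical rule id

# Fixed-size char array declarations, e.g. "char buf[32];"
DECL_RE = re.compile(r"\bchar\s+(\w+)\s*\[\s*(\d+)\s*\]")
# strcpy(dst, src); with plain identifiers as both arguments
STRCPY_RE = re.compile(r"\bstrcpy\s*\(\s*(\w+)\s*,\s*(\w+)\s*\)\s*;")


def scan(source: str) -> list[dict]:
    """Deterministic pass: flag strcpy() into a buffer whose size was declared earlier.

    Scope handling is deliberately crude (names are tracked per file, not per
    function); a real pattern would resolve declarations properly.
    """
    sizes: dict[str, int] = {}
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for m in DECL_RE.finditer(line):
            sizes[m.group(1)] = int(m.group(2))
        for m in STRCPY_RE.finditer(line):
            dst, src = m.group(1), m.group(2)
            if dst in sizes:
                findings.append({"line": line_no, "dst": dst, "src": src, "size": sizes[dst]})
    return findings


def apply_fix(source: str, finding: dict) -> str:
    """Fix template: replace the unbounded copy with a bounded, NUL-terminating one."""
    lines = source.splitlines()
    i = finding["line"] - 1
    lines[i] = STRCPY_RE.sub(
        lambda m: f'snprintf({m.group(1)}, sizeof({m.group(1)}), "%s", {m.group(2)});',
        lines[i],
        count=1,
    )
    return "\n".join(lines) + "\n"


def preview_diff(before: str, after: str, path: str) -> str:
    """Unified diff shown to the user before anything is written to disk."""
    return "".join(difflib.unified_diff(
        before.splitlines(keepends=True), after.splitlines(keepends=True),
        fromfile=f"a/{path}", tofile=f"b/{path}",
    ))


def to_sarif(path: str, findings: list[dict]) -> dict:
    """Minimal SARIF v2.1.0 log: one result per finding, one rule in the driver."""
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {
                "name": "example-scanner",
                "rules": [{"id": RULE_ID,
                           "shortDescription": {"text": "strcpy into fixed-size buffer"}}],
            }},
            "results": [{
                "ruleId": RULE_ID,
                "level": "error",
                "message": {"text": f"strcpy({f['dst']}, {f['src']}) can overflow "
                                    f"{f['dst']}[{f['size']}]"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": path},
                    "region": {"startLine": f["line"]},
                }}],
            } for f in findings],
        }],
    }


# Constructed fixtures: the pattern must fire on the first and stay silent on the second.
POSITIVE_FIXTURE = """\
int copy_name(const char *name) {
    char buf[32];
    strcpy(buf, name);
    return 0;
}
"""

NEGATIVE_FIXTURE = """\
int copy_name(const char *name) {
    char buf[32];
    snprintf(buf, sizeof(buf), "%s", name);
    return 0;
}
"""


def regression_check() -> bool:
    """What a CI harness asserts per pattern: true positive found, no false
    positive, and the fixed output no longer triggers the rule."""
    pos = scan(POSITIVE_FIXTURE)
    neg = scan(NEGATIVE_FIXTURE)
    if len(pos) != 1 or neg:
        return False
    return scan(apply_fix(POSITIVE_FIXTURE, pos[0])) == []


if __name__ == "__main__":
    found = scan(POSITIVE_FIXTURE)
    print(preview_diff(POSITIVE_FIXTURE, apply_fix(POSITIVE_FIXTURE, found[0]), "copy.c"))
    print(json.dumps(to_sarif("copy.c", found), indent=2))
```

The regression check is the part worth copying: a pattern is only trustworthy if every release proves it fires on its positive fixture, stays quiet on its negative fixture, and its own fix template produces output the pattern no longer flags. The SARIF object carries the three fields GitHub Code Scanning needs to render an inline annotation (`ruleId`, `message`, and a `physicalLocation` with `uri` and `startLine`).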
Found on nasa/IDF: pointer arithmetic, unreachable code, resource leaks. PR #107 has the diffs. Not a synthetic benchmark — production-grade flight-software code.
Audit runs on your GPU. Source never leaves your machine. Cloud LLM verification is optional, not required. No telemetry, no upload.
KCode's scanner produces the candidates; a small local model verifies them. Gemma 4 31B abliterated runs on consumer hardware — your source never leaves the machine. Auto-selected per your GPU.
| Model | Size | Min VRAM | Best for |
|---|---|---|---|
| mnemo:mark6-pico | 2.6 GB | 3 GB | Compact 4B abliterated — 4 GB GPUs or CPU |
| mnemo:mark6-nano | 6 GB | 12 GB | Fast dense 8B — 12 GB GPUs |
| mnemo:mark6-mini | 13.5 GB | 16 GB | Gemma 4 dense 14B — 16 GB GPUs |
| mnemo:mark6-mid | 18.6 GB | 24 GB | Gemma 4 31B Q4_K_M — 24 GB GPUs |
| mnemo:mark6-max | 33 GB | 36 GB | Gemma 4 31B Q8_0 — best quality, 32 GB+ GPUs |
| mnemo:mark6-31b | 33 GB | 36 GB | Full Gemma 4 31B abliterated — flagship model |
GGUF format — works on NVIDIA (CUDA), AMD (ROCm), Apple Silicon (Metal), and CPU
Single binary, no dependencies. The setup wizard handles everything automatically.
Free & open-source (Apache 2.0).
The scanner is free and open source. Pro adds cloud verification for tricky cases and the /fix + /pr automation. No cloud lock-in, no telemetry, no code upload.
Full scanner, unlimited local audits, community support
Cloud verification, /fix + /pr, priority support
Everything in Pro, permanent license, no subscription
Volume licensing: contact sales
414 patterns, 20+ languages, ~10k tokens to the verifier per run, SARIF out of the box. Source never leaves your hardware. Download KCode and audit your repo in a single command.