{"slug": "openguard-self-hosted-static-code-analysis-sca-with-local-ai-auto-fixes-gemma-4", "title": "OpenGuard: Self-Hosted Static Code Analysis (SCA) with Local AI Auto-Fixes (Gemma 4)", "summary": "OpenGuard is an open-source, self-hosted static code analysis platform that serves as an alternative to tools like SonarQube, enabling developers to scan codebases, track security issues, and manage remediation efforts. It features an AI-driven remediation pipeline that uses a local Gemma 4 instance to generate contextual explanations and drop-in code fixes for vulnerabilities with a single click. The platform is built with OpenGrep, FastAPI, PostgreSQL, and React, and its complete source code is available on GitHub.", "body_md": "*This is a submission for the Gemma 4 Challenge: Build with Gemma 4*\n\n## What I Built\n\n**OpenGuard** is a developer-centric, self-hosted static code analysis (SCA) platform designed to act as an open-source alternative to tools like SonarQube. Built with **OpenGrep** (a Semgrep fork), **FastAPI**, **PostgreSQL**, and **React**, it enables developers to scan codebases, compute real-time project security health scores, track issues across historical scans, and manage remediation efforts via a native Jira-style Kanban board.\n\nTo bridge the gap between finding a vulnerability and fixing it, OpenGuard features an **AI-driven remediation pipeline**. With a single click on any code vulnerability, OpenGuard packages the entire target file, localizes the error coordinates, and calls a local **Gemma 4** instance to generate high-fidelity, contextual explanations and beautified drop-in code fixes.\n\n## Demo\n\nOur platform features a highly responsive, premium dashboard engineered with an editorial design aesthetic. 
The UI utilizes a warm parchment background, bold ink-black typography, and serif-led headings for a state-of-the-art experience:\n\n- **Interactive Project Dashboard**: A clean visual split of issues by severity level (Critical, High, Medium, Low) featuring semantic color-coding. The dashboard includes a dynamic, natively animated SVG Security Health Gauge and an interactive historical trend chart with hover-activated data tooltips.\n- **Kanban Board**: A Jira-like ticket board allowing developers to transition issues between *Backlog*, *Todo*, *In Progress*, and *Done*. Each issue card features visual tags showing its historical persistence, severity badges, and details.\n- **AI Fix Interface**: An interactive code viewer inside the ticket details that displays the native explanation alongside a pre-formatted, syntax-highlighted code block containing the recommended fix.\n- **End-User Packaging**: The entire infrastructure is packaged into a seamless, single-command Docker Compose environment with an easy-to-install Python CLI (`openguard scan`) for scanning local repositories.\n\n## Code\n\nThe complete source code for OpenGuard is open-source and available on GitHub:\n\n## How I Used Gemma 4\n\nOpenGuard leverages the local inference capabilities of **Gemma 4** (`gemma4:e4b`) served via Ollama.\n\n### Why Gemma 4?\n\nVulnerabilities are rarely self-contained; they require systemic understanding of the surrounding code. We chose the **Gemma 4 9B parameter model** because of its excellent performance in coding tasks and its ability to process large instruction sets locally.\n\n### Implementation Details\n\n- **Large Context Processing (128K Tokens)**: In order to provide accurate fixes without hallucinating, we supply Gemma 4 with the **entire source file** (up to a 128K context limit) rather than just the isolated line of code. This allows the model to understand local variables, imports, and architectural patterns.\n- **Structured JSON Output**: To build a reliable API, we configured the Ollama request with the format constraint `json` and structured the prompt to guarantee responses matching:\n\n  ```json\n  {\n    \"explanation\": \"Brief context on why this is a vulnerability.\",\n    \"code_fix\": \"The fully corrected file or function block.\"\n  }\n  ```\n\n  This ensures that the frontend can parse the response natively and present the suggested fix in a beautiful, copyable code block without raw markdown delimiters (` ``` `) bleeding into the UI.\n- **Optimized Development Loop**: The AI responses are cached in the PostgreSQL database so that recurring views are instant, with a `--force` flag implemented to let developers request a fresh generation when needed.\n\nGemma 4 provides the speed of local developer workflows with the intelligence of a security expert, making local static analysis interactive and highly actionable.\n\n### Reach Out\n\nBuilt by **Suyash Srivastava**. If you have any feedback, questions, or are interested in collaborating on OpenGuard or similar AI-driven developer tooling, I'd love to hear from you!\n\n📧 Contact me at: [suyashmtech+openanlyzer@gmail.com](mailto:suyashmtech+openanlyzer@gmail.com)", "url": "https://wpnews.pro/news/openguard-self-hosted-static-code-analysis-sca-with-local-ai-auto-fixes-gemma-4", "canonical_source": "https://dev.to/suyashsrivastavadev/openguard-ai-288m", "published_at": "2026-05-20 19:38:55+00:00", "updated_at": "2026-05-20 20:02:57.780969+00:00", "lang": "en", "topics": ["developer-tools", "cybersecurity", "open-source", "artificial-intelligence", "large-language-models"], "entities": ["OpenGuard", "Gemma 4", "OpenGrep", "Semgrep", "FastAPI", "PostgreSQL", "React", "Ollama"], "alternates": {"html": "https://wpnews.pro/news/openguard-self-hosted-static-code-analysis-sca-with-local-ai-auto-fixes-gemma-4", "markdown": 
"https://wpnews.pro/news/openguard-self-hosted-static-code-analysis-sca-with-local-ai-auto-fixes-gemma-4.md", "text": "https://wpnews.pro/news/openguard-self-hosted-static-code-analysis-sca-with-local-ai-auto-fixes-gemma-4.txt", "jsonld": "https://wpnews.pro/news/openguard-self-hosted-static-code-analysis-sca-with-local-ai-auto-fixes-gemma-4.jsonld"}}