# OpenGuard: Self-Hosted Static Code Analysis (SCA) with Local AI Auto-Fixes (Gemma 4)

> Source: <https://dev.to/suyashsrivastavadev/openguard-ai-288m>
> Published: 2026-05-20 19:38:55+00:00

*This is a submission for the Gemma 4 Challenge: Build with Gemma 4*

## What I Built

**OpenGuard** is a developer-centric, self-hosted static code analysis (SCA) platform designed to act as an open-source alternative to tools like SonarQube. Built with **OpenGrep** (a Semgrep fork), **FastAPI**, **PostgreSQL**, and **React**, it enables developers to scan codebases, compute real-time project security health scores, track issues across historical scans, and manage remediation efforts via a native Jira-style Kanban board.

To bridge the gap between finding a vulnerability and fixing it, OpenGuard features an **AI-driven remediation pipeline**. With a single click on any code vulnerability, OpenGuard packages the entire target file, localizes the error coordinates, and calls a local **Gemma 4** instance to generate high-fidelity, contextual explanations and beautified drop-in code fixes.

## Demo

Our platform features a highly responsive, premium dashboard engineered with an editorial design aesthetic. The UI utilizes a warm parchment background, bold ink-black typography, and serif-led headings for a state-of-the-art experience:

- **Interactive Project Dashboard**: A clean visual split of issues by severity level (Critical, High, Medium, Low) featuring semantic color-coding. The dashboard includes a dynamic, natively animated SVG Security Health Gauge and an interactive historical trend chart with hover-activated data tooltips.
- **Kanban Board**: A Jira-like ticket board allowing developers to transition issues between *Backlog*, *Todo*, *In Progress*, and *Done*. Each issue card features visual tags showing its historical persistence, severity badges, and details.
- **AI Fix Interface**: An interactive code viewer inside the ticket details that displays the native explanation alongside a pre-formatted, syntax-highlighted code block containing the recommended fix.
- **End-User Packaging**: The entire infrastructure is packaged into a seamless, single-command Docker Compose environment with an easy-to-install Python CLI (`openguard scan`) for scanning local repositories.

## Code

The complete source code for OpenGuard is open-source and available on GitHub:

## How I Used Gemma 4

OpenGuard leverages the local inference capabilities of **Gemma 4** (`gemma4:e4b`) served via Ollama.

### Why Gemma 4?

Vulnerabilities are rarely self-contained; they require systemic understanding of the surrounding code. We chose the **Gemma 4 9B parameter model** because of its excellent performance in coding tasks and its ability to process large instruction sets locally.

### Implementation Details

- **Large Context Processing (128K Tokens)**: In order to provide accurate fixes without hallucinating, we supply Gemma 4 with the **entire source file** (up to a 128K context limit) rather than just the isolated line of code. This allows the model to understand local variables, imports, and architectural patterns.
- **Structured JSON Output**: To build a reliable API, we configured the Ollama request with the format constraint `json` and structured the prompt to guarantee responses matching:

  ```
  {
    "explanation": "Brief context on why this is a vulnerability.",
    "code_fix": "The fully corrected file or function block."
  }
  ```

  This ensures that the frontend can parse the response natively and present the suggested fix in a beautiful, copyable code block without raw markdown delimiters (`` ``` ``) bleeding into the UI.
- **Optimized Development Loop**: The AI responses are cached in the PostgreSQL database so that recurring views are instant, with a `--force` flag implemented to let developers request a fresh generation when needed.
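The request and response handling the three points above describe, as an added example rather than OpenGuard's own code: the Ollama payload carrying the whole file, the finding's coordinates and `format: json`; strict validation of the model's reply before it reaches the frontend, including stripping a stray fence; and a cache key that a `--force` flag would bypass. The function names, prompt wording, rule id and sample finding are assumptions constructed for this example.

```python
import hashlib
import json
from typing import Any

MODEL = "gemma4:e4b"  # the Ollama tag named in the post
REQUIRED_KEYS = {"explanation": str, "code_fix": str}


def build_fix_request(path: str, source: str, line: int, rule_id: str, message: str) -> dict[str, Any]:
    """Package the whole file plus the finding's coordinates into an Ollama /api/generate payload."""
    prompt = (
        "You are a security engineer. Fix the reported vulnerability.\n"
        f"File: {path}\nLine: {line}\nRule: {rule_id}\nFinding: {message}\n"
        'Reply ONLY with JSON of the form {"explanation": "...", "code_fix": "..."}.\n'
        f"--- FILE START ---\n{source}\n--- FILE END ---"
    )
    return {"model": MODEL, "prompt": prompt, "format": "json", "stream": False}


def parse_fix_response(raw: str) -> dict[str, str]:
    """Validate the model's reply strictly: model output is untrusted input to the API."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"model did not return JSON: {exc}") from exc
    if not isinstance(data, dict) or set(data) != set(REQUIRED_KEYS):
        raise ValueError("reply does not match the expected schema")
    for key, typ in REQUIRED_KEYS.items():
        if not isinstance(data[key], typ):
            raise ValueError(f"{key} must be a {typ.__name__}")
    fix = data["code_fix"].strip()
    # format="json" should already prevent this, but drop a stray ```lang ... ``` wrapper
    # so fence characters never bleed into the UI's code block.
    if fix.startswith("```"):
        lines = fix.splitlines()
        fix = "\n".join(lines[1:-1] if lines[-1].strip() == "```" else lines[1:])
    return {"explanation": data["explanation"].strip(), "code_fix": fix}


def cache_key(source: str, line: int, rule_id: str) -> str:
    """Key for the stored answer: identical file bytes and finding reuse the cached fix.
    A --force flag would skip this lookup and overwrite the row with a fresh generation."""
    return hashlib.sha256(f"{rule_id}:{line}\n{source}".encode()).hexdigest()


# Constructed sample finding and model reply (not real scanner or model output).
SAMPLE_SOURCE = "import subprocess\n\ndef run(cmd):\n    return subprocess.run(cmd, shell=True)\n"
SAMPLE_REPLY = json.dumps({
    "explanation": "shell=True lets untrusted input be interpreted as shell syntax.",
    "code_fix": "```python\nimport shlex, subprocess\n\ndef run(cmd):\n    return subprocess.run(shlex.split(cmd), shell=False)\n```",
})
```

The schema and type checks are what let the frontend render `explanation` and `code_fix` without further parsing; anything else from the model is rejected rather than shown, and the fix remains a suggestion for the developer to review.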

Gemma 4 provides the speed of local developer workflows with the intelligence of a security expert, making local static analysis interactive and highly actionable.

### Reach Out

Built by **Suyash Srivastava**. If you have any feedback, questions, or are interested in collaborating on OpenGuard or similar AI-driven developer tooling, I'd love to hear from you!

📧 Contact me at: [suyashmtech+openanlyzer@gmail.com](mailto:suyashmtech+openanlyzer@gmail.com)
