# OpenGuard: Self-Hosted Static Code Analysis (SCA) with Local AI Auto-Fixes (Gemma 4)

OpenGuard is an open-source, self-hosted static code analysis platform that serves as an alternative to tools like SonarQube, enabling developers to scan codebases, track security issues, and manage remediation efforts. It features an AI-driven remediation pipeline that uses a local Gemma 4 instance to generate contextual explanations and drop-in code fixes for vulnerabilities with a single click. The platform is built with OpenGrep, FastAPI, PostgreSQL, and React, and its complete source code is available on GitHub.

*This is a submission for the Gemma 4 Challenge: Build with Gemma 4*

## What I Built

OpenGuard is a developer-centric, self-hosted static code analysis (SCA) platform designed to act as an open-source alternative to tools like SonarQube. Built with **OpenGrep** (a Semgrep fork), **FastAPI**, **PostgreSQL**, and **React**, it enables developers to scan codebases, compute real-time project security health scores, track issues across historical scans, and manage remediation efforts via a native Jira-style Kanban board.

To bridge the gap between finding a vulnerability and fixing it, OpenGuard features an **AI-driven remediation pipeline**. With a single click on any code vulnerability, OpenGuard packages the entire target file, localizes the error coordinates, and calls a local Gemma 4 instance to generate high-fidelity, contextual explanations and beautified drop-in code fixes.

## Demo

Our platform features a highly responsive, premium dashboard engineered with an editorial design aesthetic. The UI uses a warm parchment background, bold ink-black typography, and serif-led headings for a state-of-the-art experience:

- **Interactive Project Dashboard**: A clean visual split of issues by severity level (Critical, High, Medium, Low) with semantic color-coding. The dashboard includes a dynamic, natively animated SVG Security Health Gauge and an interactive historical trend chart with hover-activated data tooltips.
- **Kanban Board**: A Jira-like ticket board allowing developers to transition issues between **Backlog**, **Todo**, **In Progress**, and **Done**. Each issue card carries visual tags showing its historical persistence, severity badges, and details.
- **AI Fix Interface**: An interactive code viewer inside the ticket details that displays the native explanation alongside a pre-formatted, syntax-highlighted code block containing the recommended fix.
- **End-User Packaging**: The entire infrastructure is packaged into a seamless, single-command Docker Compose environment, with an easy-to-install Python CLI (`openguard scan`) for scanning local repositories.

## Code

The complete source code for OpenGuard is open-source and available on GitHub:

## How I Used Gemma 4

OpenGuard leverages the local inference capabilities of Gemma 4 (`gemma4:e4b`) served via Ollama.

**Why Gemma 4?** Vulnerabilities are rarely self-contained; they require a systemic understanding of the surrounding code. We chose the Gemma 4 9B parameter model because of its excellent performance in coding tasks and its ability to process large instruction sets locally.

**Implementation Details:**

- **Large Context Processing (128K Tokens)**: To provide accurate fixes without hallucinating, we supply Gemma 4 with the entire source file (up to the 128K context limit) rather than just the isolated line of code. This lets the model understand local variables, imports, and architectural patterns.
- **Structured JSON Output**: To build a reliable API, we configured the Ollama request with the format constraint `json` and structured the prompt to guarantee responses matching:

  ```json
  {
    "explanation": "Brief context on why this is a vulnerability.",
    "code fix": "The fully corrected file or function block."
  }
  ```

  This ensures that the frontend can parse the response natively and present the suggested fix in a clean, copyable code block without raw markdown delimiters bleeding into the UI.
- **Optimized Development Loop**: AI responses are cached in the PostgreSQL database so that recurring views are instant, with a `--force` flag that lets developers request a fresh generation when needed.

Gemma 4 provides the speed of local developer workflows with the intelligence of a security expert, making local static analysis interactive and highly actionable.

## Reach Out

Built by **Suyash Srivastava**. If you have any feedback, questions, or are interested in collaborating on OpenGuard or similar AI-driven developer tooling, I'd love to hear from you.

📧 Contact me at: [suyashmtech+openanlyzer@gmail.com](mailto:suyashmtech+openanlyzer@gmail.com)
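The remediation pipeline described under "How I Used Gemma 4" (whole-file context plus error coordinates, a `format: json` Ollama request, strict parsing of the two-key reply, and a cache with a `--force` bypass) as an added Python example. This is illustrative code written for this page, not OpenGuard's own implementation; the prompt wording, the cache-key layout, the in-memory dict standing in for the PostgreSQL cache table, the `Finding` type and the assumption that OpenGrep emits Semgrep-compatible JSON (`results[].start.line`) are all this example's own choices, and the scanner report, source file and model reply are constructed sample data.

```python
# Added example, not OpenGuard's own code: the one-click remediation pipeline
# the post describes. Assumed, not stated in the post: the prompt wording, the
# cache-key layout, the dict standing in for the PostgreSQL cache table, and
# that OpenGrep emits Semgrep-compatible JSON (results[].start.line).
import hashlib
import json
from dataclasses import dataclass

MODEL = "gemma4:e4b"   # model tag named in the post

@dataclass(frozen=True)
class Finding:
    rule_id: str
    path: str
    start_line: int
    end_line: int
    message: str

def findings_from_opengrep(report: dict) -> list:
    """Map Semgrep-style scanner JSON (assumed for OpenGrep) to Finding objects."""
    return [Finding(r["check_id"], r["path"], r["start"]["line"],
                    r["end"]["line"], r["extra"]["message"])
            for r in report.get("results", [])]

def build_request(finding: Finding, file_text: str) -> dict:
    """Whole file plus coordinates; format="json" makes Ollama emit JSON only."""
    lines = file_text.splitlines()
    flagged = "\n".join(lines[finding.start_line - 1:finding.end_line])
    prompt = (
        'Reply ONLY with a JSON object with keys "explanation" and "code fix".\n'
        f"Rule: {finding.rule_id}\nMessage: {finding.message}\n"
        f"File: {finding.path}, lines {finding.start_line}-{finding.end_line}\n"
        f"Flagged code:\n{flagged}\n\nFull file:\n{file_text}"
    )
    # POST this dict to Ollama's /api/generate and pass its "response" to parse_fix.
    return {"model": MODEL, "prompt": prompt, "format": "json", "stream": False}

def strip_fences(code: str) -> str:
    """Drop a surrounding ```lang ... ``` fence so it never bleeds into the UI."""
    text = code.strip()
    if text.startswith("```"):
        nl = text.find("\n")
        text = text[nl + 1:] if nl != -1 else ""
        if text.rstrip().endswith("```"):
            text = text.rstrip()[:-3]
    return text.strip("\n")

def parse_fix(raw: str) -> dict:
    """Accept only a JSON object whose two keys are non-empty strings."""
    try:
        obj = json.loads(raw)
    except json.JSONDecodeError as e:
        raise ValueError(f"model did not return JSON: {e}") from e
    if not isinstance(obj, dict):
        raise ValueError("model output is not a JSON object")
    for key in ("explanation", "code fix"):
        if not isinstance(obj.get(key), str) or not obj[key].strip():
            raise ValueError(f"missing or empty key {key!r}")
    return {"explanation": obj["explanation"].strip(),
            "code fix": strip_fences(obj["code fix"])}

def cache_key(finding: Finding, file_text: str) -> str:
    """File SHA-256 is part of the key: editing the file invalidates the cached fix."""
    digest = hashlib.sha256(file_text.encode()).hexdigest()
    return f"{finding.rule_id}|{finding.path}|{finding.start_line}|{digest}"

class FixCache:
    """Stand-in for the PostgreSQL cache; force=True mirrors the --force flag."""
    def __init__(self):
        self._store, self.generations = {}, 0

    def get_fix(self, finding, file_text, generate, force=False):
        key = cache_key(finding, file_text)
        if not force and key in self._store:
            return self._store[key]
        self.generations += 1              # a real model call happens here
        fix = parse_fix(generate(build_request(finding, file_text)))
        self._store[key] = fix
        return fix

# Constructed sample data: scanner report, scanned file, canned model reply.
SAMPLE_FILE = 'import os\n\ndef run(cmd):\n    os.system("ls " + cmd)\n'
SAMPLE_REPORT = {"results": [{"check_id": "example.shell-concat", "path": "app.py",
                              "start": {"line": 4}, "end": {"line": 4},
                              "extra": {"message": "shell command built by string concatenation"}}]}
CANNED_REPLY = json.dumps({
    "explanation": "cmd is spliced into a shell string, so metacharacters in it are interpreted.",
    "code fix": "```python\nimport subprocess\n\ndef run(cmd):\n    subprocess.run([\"ls\", cmd], check=True)\n```",
})

def demo():
    """Offline run with a fake model: generation, cache hit, forced regeneration."""
    finding = findings_from_opengrep(SAMPLE_REPORT)[0]
    cache, fake_model = FixCache(), (lambda req: CANNED_REPLY)
    fix = cache.get_fix(finding, SAMPLE_FILE, fake_model)
    cache.get_fix(finding, SAMPLE_FILE, fake_model)               # cache hit
    cache.get_fix(finding, SAMPLE_FILE, fake_model, force=True)   # regeneration
    return fix, cache.generations   # generations == 2
```

Two design points worth noting: `parse_fix` rejects anything that is not exactly the two-key object, so a truncated or free-text reply is surfaced as an error rather than stored and rendered; and the cache key folds in a hash of the file content, so a fix cached before the file was edited is not served again for the changed file, which is a stricter invalidation than keying on path and line alone.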