LocalForge

The Qwen2.5-Coder LLM layer forms the third major capability, performing semantic code review across 11 languages using a locally-run large language model via MLX. This advisory layer takes approximately 5-8 seconds to analyze code for complex issues including SQL injection risks, XSS vulnerabilities, command injection, dead functions, unhandled errors, and logic bugs. Unlike the blocking layers, this component provides recommendations rather than hard blocks, allowing developers to review potential issues while maintaining workflow flexibility. The system supports multiple programming languages including Python, Rust, TypeScript, Go, and Java, offering comprehensive code quality assessment that goes beyond basic security scanning.

LocalForge operates through a sophisticated three-layer pipeline that processes every commit in under 10 seconds entirely on-device. The workflow begins when a developer initiates a git commit, triggering the pre-commit hook that captures the staged diff for analysis. Layer 1 immediately applies Rust regex patterns to catch obvious secrets, followed by Layer 2's CoreML analysis for intermediate detection, and concluding with Layer 3's LLM semantic review for advanced code quality assessment. Results stream to both the terminal and the native SwiftUI application, providing real-time feedback throughout the scanning process. The entire system requires zero cloud connectivity and maintains complete privacy by processing all data locally on the user's Mac.

In concrete use cases, developers working with AI assistants might generate code that includes an accidental AWS secret key exposure. LocalForge would detect this during Layer 1 scanning in under 1 millisecond, immediately blocking the commit and preventing the secret from entering version control. Another scenario involves a developer creating a database query with string interpolation that creates SQL injection vulnerability—Layer 3 would flag this as a medium-risk issue with specific recommendations for parameterized queries. Teams using the tool report catching dead functions, unhandled exceptions, and logic bugs before they cause production issues, maintaining code quality while accelerating development velocity through early problem detection.

LocalForge targets development teams using AI coding tools on macOS systems, specifically requiring macOS 14+ and Apple Silicon hardware. The tool integrates with standard development workflows through pre-commit hooks and supports multiple programming languages including Python, Rust, TypeScript, Go, and Java. Available under the MIT License as free and open-source software, LocalForge includes MCP Server compatibility for integration with IDEs like Cursor and VS Code. The installation process involves a single command that sets up the pre-commit hook, copies the binary to PATH, and auto-detects Qwen models from HuggingFace cache. This comprehensive local scanning solution ensures teams can ship code faster while maintaining security and quality standards without cloud dependencies.