You install a CLI, run a scan, and suddenly your source code, your environment variables, and your dependency tree are uploaded to a SaaS platform you think you trust (or at least one that tries very hard to make you think that).
I built Kekkai to reject that model.
The Architecture of Privacy
Kekkai is a "Local-First" orchestrator.
- Scanners: It runs standard tools (Trivy, Semgrep) in hardened Docker containers with no network access.
- Intelligence: It uses Local LLMs (Ollama support) for threat modeling and false positive analysis. Your code never leaves your GPU.
- Storage: Triage decisions (.kekkaiignore) are stored as code in your repo, not in a proprietary database.
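As an added example (not Kekkai's own code), here is what "hardened Docker container with no network access" looks like when spelled out as a `docker run` command line. The image tag, the `/src` and `/scratch` mount points, and the Trivy and Semgrep argument lists are assumptions for illustration; the function is the reusable part.

```python
"""Added example (not Kekkai's own code): build a hardened `docker run`
argv for an offline scanner container. Image names, tool flags and the
/src and /scratch mount points are assumptions for illustration."""
import os
import subprocess
from pathlib import Path


def hardened_scan_argv(image: str, repo_root: str, scratch_dir: str, tool_args: list) -> list:
    """docker argv that mounts the repo read-only, gives the tool exactly one
    writable scratch mount, and strips network, capabilities and root."""
    repo = Path(repo_root).resolve()
    scratch = Path(scratch_dir).resolve()
    argv = [
        "docker", "run", "--rm",
        "--network", "none",                    # no egress: nothing can phone home
        "--read-only",                          # immutable container root filesystem
        "--cap-drop", "ALL",                    # drop every Linux capability
        "--security-opt", "no-new-privileges",  # no setuid escalation inside
        "--pids-limit", "256",                  # bound fork bombs from a hostile repo
        "--memory", "2g",
        "-v", f"{repo}:/src:ro",                # source is readable, never writable
        "-v", f"{scratch}:/scratch",            # the only place the tool may write
        "-w", "/src",
    ]
    if hasattr(os, "getuid"):                   # run as the invoking user, not root
        argv += ["--user", f"{os.getuid()}:{os.getgid()}"]
    return argv + [image, *tool_args]


# Assumed Trivy invocation. With no network the vulnerability DB must already
# sit under <scratch>/trivy, e.g. from an earlier online run of
# `trivy image --download-db-only --cache-dir <scratch>/trivy`.
TRIVY_ARGS = ["fs", "--cache-dir", "/scratch/trivy", "--skip-db-update",
              "--format", "json", "--output", "/scratch/trivy.json", "/src"]

# Assumed Semgrep invocation. Rules must be on disk: a registry pack such as
# `p/default` would need the network that --network none removes.
SEMGREP_ARGS = ["semgrep", "scan", "--metrics=off", "--config", "/src/.semgrep",
                "--json", "--output", "/scratch/semgrep.json", "/src"]


def run_scan(argv: list, timeout: int = 900) -> subprocess.CompletedProcess:
    """Run the container and hand back stdout/stderr; results land in /scratch."""
    return subprocess.run(argv, capture_output=True, text=True,
                          timeout=timeout, check=False)


if __name__ == "__main__":
    cmd = hardened_scan_argv("aquasec/trivy:0.50.0", ".", "./.kekkai-scratch", TRIVY_ARGS)
    print(" ".join(cmd))
```

The caveat worth keeping in mind: `--network none` only holds if the tool's data (Trivy's DB, Semgrep's rules) was fetched in a separate, deliberately online step. A scanner that silently falls back to downloading on first run will simply fail inside this sandbox, which is the behaviour you want.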
The "Context" Problem (v2.2 Update)
The biggest challenge with local scanners is the "Context Gap." You see a vulnerability log, but you don't see the code.
In the latest release (v2.2.1), I added a secure code context viewer to the TUI. It reads the file locally, sanitizes the path (to prevent traversal attacks), and renders the vulnerable block using Rich syntax highlighting. You can triage 50 findings in 5 minutes without ever touching your mouse or opening VS Code.
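The path check is the part of a context viewer that matters for security: a scanner report is untrusted input, and a finding whose path reads `../../../etc/passwd` or points at a symlink out of the repo must not turn the viewer into a file reader. The following is an added example (not Kekkai's viewer code) of how to pin a reported path inside the repo root and pull the surrounding lines; the `Finding` shape, the sample repository and the rendering are constructed for illustration.

```python
"""Added example (not Kekkai's own code): resolve a scanner-reported path
safely inside a repo root and pull the surrounding lines for a context view."""
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Finding:
    path: str   # path as reported by the scanner, relative to the repo root
    line: int   # 1-based line number of the finding


class UnsafePathError(ValueError):
    """Raised when a scanner-supplied path would escape the repo root."""


def resolve_in_repo(repo_root: str, reported: str) -> Path:
    """Map a reported path onto the filesystem, refusing anything that resolves
    outside repo_root: '..' segments, absolute paths and symlink escapes."""
    root = Path(repo_root).resolve(strict=True)
    # resolve() normalises '..' and follows symlinks, so the containment check
    # sees the real target rather than the spelling in the report.
    candidate = (root / reported).resolve()
    if candidate != root and root not in candidate.parents:
        raise UnsafePathError(f"{reported!r} resolves outside {root}")
    if not candidate.is_file():
        raise FileNotFoundError(candidate)
    return candidate


def code_context(repo_root: str, finding: Finding, before: int = 3, after: int = 3) -> list:
    """Return [(line_no, text, is_finding_line), ...] around the finding."""
    source = resolve_in_repo(repo_root, finding.path)
    lines = source.read_text(encoding="utf-8", errors="replace").splitlines()
    if not 1 <= finding.line <= len(lines):
        raise ValueError(f"line {finding.line} outside {finding.path} ({len(lines)} lines)")
    start = max(1, finding.line - before)
    end = min(len(lines), finding.line + after)
    return [(n, lines[n - 1], n == finding.line) for n in range(start, end + 1)]


def render(context: list) -> str:
    """Plain-text rendering with the finding line marked; a TUI would hand the
    same slice to rich.syntax.Syntax with highlight_lines instead."""
    return "\n".join(f"{'>' if hit else ' '} {n:4d} | {text}" for n, text, hit in context)


def demo() -> dict:
    """Build a throwaway repo (constructed data) and exercise the checks."""
    with tempfile.TemporaryDirectory() as tmp:
        outside = Path(tmp) / "secret.txt"          # a file the viewer must never show
        outside.write_text("TOP SECRET\n")
        repo = Path(tmp) / "repo"
        (repo / "app").mkdir(parents=True)
        (repo / "app" / "db.py").write_text(
            "import sqlite3\n"
            "\n"
            "def lookup(conn, user):\n"
            "    cur = conn.cursor()\n"
            "    cur.execute(\"SELECT * FROM users WHERE name = '\" + user + \"'\")\n"
            "    return cur.fetchall()\n"
        )
        results = {}
        ctx = code_context(str(repo), Finding("app/db.py", 5), before=1, after=1)
        results["context"] = ctx
        results["hit_line"] = next(n for n, _, hit in ctx if hit)
        results["rendered"] = render(ctx)
        for label, bad in {"dotdot": "../secret.txt", "absolute": str(outside)}.items():
            try:
                resolve_in_repo(str(repo), bad)
                results[label] = "allowed"
            except UnsafePathError:
                results[label] = "rejected"
        try:
            (repo / "escape.txt").symlink_to(outside)   # symlink inside repo, target outside
        except OSError:
            results["symlink"] = "skipped"              # platform refused symlink creation
        else:
            try:
                resolve_in_repo(str(repo), "escape.txt")
                results["symlink"] = "allowed"
            except UnsafePathError:
                results["symlink"] = "rejected"
        return results


if __name__ == "__main__":
    print(demo()["rendered"])
```

The check is on the resolved path, not on the string: stripping `..` from the report text would still let a symlink committed to the repo point the viewer anywhere on disk, which is why the symlink case is exercised alongside the `..` and absolute-path cases.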
Stop Feeding the Cloud.
You can have enterprise-grade scanning without the enterprise-grade data leaks.
Get it here:
https://github.com/kademoslabs/kekkai
Auto-install via pre-commit:

  - repo: https://github.com/kademoslabs/kekkai
    rev: v2.1.0
    hooks:
      - id: kekkai-scan

Love to get your thoughts on the tool, feel free to roast.