SecScan: A Local LLM-Powered Code Security Scanner That Balances Privacy and Efficiency

SecScan is a security scanning tool fully based on local large language models (LLMs). It achieves 100% offline inference via LM Studio, addressing the data leakage risks and compliance issues that developers face when uploading private code to the cloud for analysis. It supports multi-dimensional code review, architectural threat modeling, sandboxed vulnerability validation, and other features, allowing users to complete the entire process from review to validation in a local environment while balancing privacy protection and scanning efficiency.

SecScan was created by developer jhammant to explore whether local LLMs can perform useful initial security reviews on real code. Its design philosophy centers on privacy: by integrating LM Studio as the inference backend, it ensures that source code never leaves the local machine, eliminating the risk of data leakage. This provides a viable alternative to cloud-based security scanning services for enterprises and individual developers with strict requirements for data sovereignty.

SecScan uses a multi-lens scanning mechanism, offering six review perspectives: Security Lens (detects injection vulnerabilities, hardcoded keys, etc.), Quality Lens (identifies dead code, resource leaks, etc.), Performance Lens (captures bottlenecks like N+1 queries), Reliability Lens (discovers hidden issues like missing timeouts), Correctness Lens (checks for logical flaws), and CI/CD Lens (targets configuration anti-patterns). Additionally, it can extract high-level application architecture information and identify cross-component security issues (such as authentication bypasses, SSRF attack surfaces, and trust boundary violations), enabling threat modeling from a global perspective.

To mitigate LLM hallucination issues, SecScan introduces two deterministic scanning methods: regex-based key detection (similar to the gitleaks rule set) and OSV.dev dependency vulnerability queries (parsing dependency manifests to obtain CVE information). It also supports sandboxed vulnerability validation: generating non-destructive PoCs in an isolated Docker environment. Users can customize configurations, and manual review is required before execution. Container configurations are strictly restricted (read-only file system, isolated network, etc.) to ensure safety without damage.

For large repositories or slow model scenarios, SecScan offers a shunting mode (--no-files parameter) that skips file-by-file LLM analysis and retains only core steps like architecture extraction and threat modeling, reducing scanning time from hours to 15 minutes. The tool is developed in Python, supports CLI and TUI interfaces, and is easy to use: after cloning the repository, installing dependencies, and running LM Studio, you can scan repositories/local code via commands, with results output in Markdown and JSON formats.

SecScan emphasizes ethical usage: it should only be applied to code you have permission to test, and responsible disclosure principles are encouraged. PoC generation rejects destructive payloads, and the sandbox environment has multiple restrictions, but manual review is still recommended. In summary, SecScan proves that local LLMs can effectively perform security reviews, resolving the conflict between privacy and functionality. Looking ahead, as local LLM performance improves, such tools will play a more important role in secure development processes.