DEV Community

Nicholas Burnette

Angel on Your Shoulder

Gemma 4 Challenge: Build With Gemma 4 Submission

This is a submission for the Gemma 4 Challenge: Build with Gemma 4

What I Built

AOYS is a Visual Studio Code extension that uses a local Gemma 4 model to scan your code and report issues. Gemma is given a directive to act as a security scanning tool, supplemented with language-specific SAST rules, and instructed to look at the code from an attacker's point of view and return only exploitable issues. This keeps the reported problems lean and, in practice, largely free of false positives and unexploitable findings. The exploitability call is still the model's judgement rather than a proof, so each finding is a lead to verify, not a confirmed vulnerability.

By default the extension connects to whatever Gemma model is running on localhost, but it can be pointed at any URL as long as Ollama is serving it. In my demo, and as my recommendation, I run Gemma on another device on my local network. This way it stays local, but the computation is done off your working rig. Bear in mind that Ollama's HTTP API has no authentication or TLS out of the box, so the code being scanned crosses the network in clear to that host; keep it on a network segment you trust. Full Scan is the initial pass over a repository: it gathers every file to scan and is by far the slowest mode. Once it completes, the extension caches the scanned files, so later scans touch only changed files to find new or fixed problems.
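As an added example that is not part of AOYS (the page does not show the extension's own cache format), here is how a scan cache of the kind just described can be built in TypeScript: each file is keyed by its path and identified by a SHA-256 of its content, so after the initial Full Scan only files whose content changed go back to the model, unchanged files reuse their cached findings, and deleted files are evicted so their old findings do not linger in the Problems panel. The `Finding` shape, the function names and the two-file sample workspace are assumptions made for this example.

```typescript
// Added example, not AOYS's own code: an incremental-scan cache keyed by file
// path and a SHA-256 of file content. Function names and the Finding shape are
// assumptions for this example.
import { createHash } from "crypto";

export interface Finding { line: number; message: string; }
export interface CacheEntry { hash: string; findings: Finding[]; }
export type ScanCache = Record<string, CacheEntry>;

export function contentHash(content: string): string {
  return createHash("sha256").update(content, "utf8").digest("hex");
}

/** Decide which files need a model pass and which can reuse cached findings. */
export function planScan(files: Record<string, string>, cache: ScanCache) {
  const toScan: string[] = [];
  const reused: Record<string, Finding[]> = {};
  for (const [path, content] of Object.entries(files)) {
    const entry = cache[path];
    if (entry && entry.hash === contentHash(content)) {
      reused[path] = entry.findings;   // unchanged since the last scan
    } else {
      toScan.push(path);               // new or edited: send to the model
    }
  }
  // Files removed from the workspace must leave the cache too, otherwise their
  // old findings would keep showing up in the Problems panel.
  const stale = Object.keys(cache).filter((p) => !(p in files));
  return { toScan, reused, stale };
}

/** Store fresh findings for rescanned files and evict deleted ones. */
export function updateCache(
  cache: ScanCache,
  files: Record<string, string>,
  fresh: Record<string, Finding[]>,
  stale: string[],
): ScanCache {
  const next: ScanCache = { ...cache };
  for (const path of stale) delete next[path];
  for (const [path, findings] of Object.entries(fresh)) {
    next[path] = { hash: contentHash(files[path]), findings };
  }
  return next;
}

// Constructed two-file workspace, not a real repository.
export const sampleFiles: Record<string, string> = {
  "src/db.ts": 'db.query("SELECT * FROM users WHERE id = " + req.params.id);',
  "src/util.ts": "export const add = (a: number, b: number) => a + b;",
};

/** Walks a Full Scan, an unchanged rescan, and a rescan after an edit and a deletion. */
export function demo() {
  const full = planScan(sampleFiles, {});                 // nothing cached: both files scanned
  const cache = updateCache({}, sampleFiles, {
    "src/db.ts": [{ line: 1, message: "SQL injection: request parameter concatenated into query" }],
    "src/util.ts": [],
  }, full.stale);
  const unchanged = planScan(sampleFiles, cache);         // nothing to rescan, findings reused
  const edited: Record<string, string> = {
    "src/db.ts": 'db.query("SELECT * FROM users WHERE id = $1", [req.params.id]);',
  };                                                      // db.ts fixed, util.ts deleted
  const afterEdit = planScan(edited, cache);              // only db.ts goes back to the model
  return { full, unchanged, afterEdit };
}
```

Hashing content rather than trusting modification times means a file touched by a formatter or a checkout that left the bytes identical is not rescanned, and a file whose timestamp is old but whose bytes changed (a stash pop, a merge) still is.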

The question driving this is: how do we make an easy-to-use scanning tool that presents problems the way developers want them? My preference, as a developer, is:

  1. `ollama run gemma4:31b`
  2. install AOYS and configure the URL
  3. click Full Scan

It then runs in the background and drops the issues into the Problems tab. Problems is where VS Code already surfaces errors, warnings and other diagnostics, so this is the interface developers are used to. It also lets you see each problem and click auto fix to have GitHub Copilot fix it for you, which keeps you in the loop on what the security issue is and how it gets fixed.
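The step between "the model answered" and "a marker in the Problems tab" is the part that bites in practice, because a language model does not reliably return clean JSON and does invent line numbers. The following TypeScript is an added example, not the extension's own code: it assumes the model was asked for a JSON array of `{ line, severity, message }` objects (an assumption for this example), strips any markdown fence the model wrapped around it, drops malformed entries, clamps line numbers to the file, and maps severities onto the same ordering `vscode.DiagnosticSeverity` uses so the result can be handed to a `DiagnosticCollection` one to one. The sample file and reply are constructed.

```typescript
// Added example, not AOYS's code: turning a local model's reply into
// Problems-panel diagnostics. The reply format is an assumption for this
// example; the parser defends against the ways a model departs from it.

export enum Severity { Error = 0, Warning = 1, Information = 2, Hint = 3 } // same ordering as vscode.DiagnosticSeverity

export interface Diagnostic {
  line: number;      // 0-based, as vscode.Range expects
  message: string;
  severity: Severity;
  source: string;
}

const SEVERITY: Record<string, Severity> = {
  critical: Severity.Error, high: Severity.Error,
  medium: Severity.Warning, low: Severity.Information,
};

/** Models often wrap JSON in ```json fences despite being told not to. */
function stripFences(raw: string): string {
  const m = raw.match(/```(?:json)?\s*([\s\S]*?)```/i);
  return (m ? m[1] : raw).trim();
}

export function toDiagnostics(raw: string, fileContent: string): Diagnostic[] {
  let parsed: unknown;
  try { parsed = JSON.parse(stripFences(raw)); } catch { return []; }   // prose answer, refusal, truncated JSON
  if (!Array.isArray(parsed)) return [];
  const lineCount = fileContent.split("\n").length;
  const out: Diagnostic[] = [];
  for (const item of parsed) {
    if (typeof item !== "object" || item === null) continue;
    const f = item as Record<string, unknown>;
    if (typeof f.message !== "string" || f.message.trim() === "") continue;
    if (!Number.isInteger(f.line) || (f.line as number) < 1) continue;
    const severity = SEVERITY[String(f.severity ?? "").toLowerCase()] ?? Severity.Warning;
    out.push({
      line: Math.min(f.line as number, lineCount) - 1,   // clamp invented line numbers, convert to 0-based
      message: f.message.trim(),
      severity,
      source: "AOYS",
    });
  }
  return out;
}

// Constructed sample: a three-line file and a fenced reply holding one good
// finding, one that points past the end of the file, and one junk entry.
export const sampleFile = [
  "const id = req.params.id;",
  'db.query("SELECT * FROM users WHERE id = " + id);',
  "res.send(rows);",
].join("\n");

export const sampleReply = "```json\n" + JSON.stringify([
  { line: 2, severity: "high", message: "SQL injection: id concatenated into query" },
  { line: 40, severity: "low", message: "Unsanitized output" },
  { line: "two", message: "" },
]) + "\n```";
```

In the real extension each `Diagnostic` here would become `new vscode.Diagnostic(new vscode.Range(line, 0, line, Number.MAX_SAFE_INTEGER), message, severity)` with `diagnostic.source` set so the Problems panel shows where the finding came from. Clamping rather than discarding out-of-range lines is a deliberate choice: the finding is usually real even when the model miscounted, and a marker on the last line is easier to investigate than a silently dropped issue.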

AOYS is an excellent entry point for developers who may be new to security scans, or for developers who want to get ahead of issues before pushing their code up. From what I've seen personally, Gemma does a great job at finding real issues and already has a leg up on some of the industry-leading tools on the market today.

Demo

Code

nickburnette-source / aoys

Angel on your shoulder: always watching, fighting the good fight.

AOYS — Angel on Your Shoulder

A fully local AI security scanner for VS Code. No cloud. No telemetry. No API keys. Just a local Ollama model watching your code for real exploitable vulnerabilities — while you work.



Support Development

Buy me a coffee: https://buymeacoffee.com/nily


What It Does

AOYS runs your code through a local LLM (Gemma 4 by default) with an attacker's mindset. It doesn't just run pattern matching — it reasons about your code the way a red-teamer would, catching design-level vulnerabilities that static rules cannot.

It augments LLM reasoning with Semgrep's public security rule packs, giving you the best of both: rules-based precision and AI-powered depth.

Results appear directly in VS Code's Problems panel with file and line numbers — no separate dashboard, no context switching.


Features

🔒 Attacker-Mindset Analysis

Goes beyond traditional SAST. Finds exploitable vulnerabilities across categories:

  • Injection — SQL, command…

How I Used Gemma 4

I used Gemma 4 31B Dense right out of the box, as well as a few of the smaller ones. If you're running this on the same machine you develop on, then I would recommend a smaller model. One of the cool things about this extension is that it auto-detects the strongest Gemma model running, but you can hover over the AOYS badge in the lower right and select whichever model you want to use. I did not see any difference at all between 31B and E4B for the small repo I tested it on, but results will likely be noticeable on larger, more complex code bases.
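How "auto-detect the strongest Gemma model" and "pick one from the badge" fit together is worth seeing in code. The TypeScript below is an added example, not the extension's own logic. It reads the list of installed models in the shape Ollama's `GET /api/tags` returns as I know it (`{ models: [{ name, details: { family, parameter_size } }] }`); treat those field names as an assumption and check them against your Ollama version. Parameter counts come from `details.parameter_size` when present and otherwise from the tag itself, so a `gemma4:e4b` style tag is still ranked. The sample tag list is constructed, not captured from a real host.

```typescript
// Added example, not AOYS's code: pick the largest Gemma model an Ollama host
// reports, unless the user chose one from the badge and the host still has it.
// The /api/tags field names below are an assumption to verify against your
// Ollama version.
export interface OllamaTag {
  name: string;
  details?: { family?: string; parameter_size?: string };
}

/** Parameter count in billions from details.parameter_size ("31.0B"), else from the tag ("gemma4:e4b"). */
export function paramsInBillions(tag: OllamaTag): number {
  const fromDetails = tag.details?.parameter_size?.match(/([\d.]+)\s*B/i);
  if (fromDetails) return parseFloat(fromDetails[1]);
  const fromName = tag.name.match(/:e?(\d+(?:\.\d+)?)b/i);
  return fromName ? parseFloat(fromName[1]) : 0;   // unknown size ranks last
}

export function isGemma(tag: OllamaTag): boolean {
  return /^gemma/i.test(tag.name) || /^gemma/i.test(tag.details?.family ?? "");
}

/** Largest Gemma model by parameter count, or undefined when the host serves none. */
export function pickStrongestGemma(tags: OllamaTag[]): string | undefined {
  const gemmas = tags.filter(isGemma);
  if (gemmas.length === 0) return undefined;
  return gemmas.reduce((best, t) => (paramsInBillions(t) > paramsInBillions(best) ? t : best)).name;
}

/** Honour a model the user picked from the badge if the host still serves it, else auto-detect. */
export function resolveModel(tags: OllamaTag[], userChoice?: string): string | undefined {
  if (userChoice && tags.some((t) => t.name === userChoice)) return userChoice;
  return pickStrongestGemma(tags);
}

// Constructed /api/tags content; sizes are illustrative, not measured.
export const sampleTags: OllamaTag[] = [
  { name: "gemma4:e4b", details: { family: "gemma4", parameter_size: "4.5B" } },
  { name: "llama3.1:70b", details: { family: "llama", parameter_size: "70.6B" } },
  { name: "gemma4:31b", details: { family: "gemma4", parameter_size: "31.0B" } },
  { name: "gemma4:latest" },   // no details and no size in the tag: ranks as 0
];
```

Falling back to auto-detection when the chosen model is gone (the user pulled a different tag on the Ollama host, for instance) keeps scans running instead of failing on every request until someone notices the stale setting.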
