LocalForge

Ship fast and safe.

No secrets leave your Mac.

A local pre-commit gate for teams shipping with AI coding tools. Catches secrets, vulnerabilities, and bad patterns before git does — entirely on your machine.

26 secret patterns · 11 languages · 43 tests passing · <1ms Layer 1

macOS 14+ · Apple Silicon · MIT License · Zero cloud

How the 3-layer pipeline works

Every commit passes three gates in under 10 seconds — entirely on-device.

  • git commit: Staged diff
  • Layer 1: Rust Regex (< 1ms · BLOCKS)
  • Layer 2: CoreML / ANE (~200ms · BLOCKS)
  • Layer 3: Qwen LLM (~5-8s · ADVISORY)
  • Report: Terminal + App

  • 26 patterns across 13 providers: AWS, GCP, Azure, Stripe, GitHub, Anthropic…
  • 0.754 F1: CoreML trained on 297 samples across 11 languages on Apple Neural Engine
  • < 10s total: full 3-layer pipeline, entirely offline, no cloud required

Layer 1 · Rust Regex

Blocks secrets before they ship.

26 patterns across 13 providers, compiled once at boot and matched in under 1ms. The fastest gate in the pipeline — no LLM needed to catch an exposed AWS key.

  • AWS, GCP, Azure, Stripe, GitHub tokens
  • SSH private keys, Anthropic & OpenAI keys
  • Hard blocks the commit — no bypass
pre-commit hook output
$ git commit -m 'update config'
LocalForge · scanning staged diff…
L1 Checking 26 secret patterns…
L1 ✗ MATCH: AWS_SECRET_KEY detected
in: config/aws.py (line 14)
✗ Commit BLOCKED — remove the secret and retry
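
The kind of check Layer 1 describes, as an added Python example rather than LocalForge's own Rust code: patterns are compiled once, then matched only against the added lines of a git-format staged diff, with the new-file line number recovered from the hunk headers. The three patterns, the name `scan_staged_diff`, and the sample diff are assumptions constructed for illustration, not the project's 26 rules.

```python
import re

# Assumed patterns based on publicly documented token shapes,
# not LocalForge's own 26 rules. Compiled once at import.
PATTERNS = {
    "AWS_ACCESS_KEY_ID": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "GITHUB_TOKEN": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "PRIVATE_KEY": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def scan_staged_diff(diff_text):
    """Return (path, new_line_no, rule) for each added line that matches."""
    findings, path, line_no, in_hunk = [], None, 0, False
    for line in diff_text.splitlines():
        if line.startswith("diff --git "):
            in_hunk = False                      # a new file header begins
        elif not in_hunk and line.startswith("+++ "):
            target = line[4:]
            path = target[2:] if target.startswith("b/") else target
        elif (m := HUNK.match(line)):
            line_no, in_hunk = int(m.group(1)), True
        elif in_hunk and line.startswith("+"):
            for rule, rx in PATTERNS.items():
                if rx.search(line[1:]):
                    findings.append((path, line_no, rule))
            line_no += 1                         # added line exists in the new file
        elif in_hunk and line.startswith(" "):
            line_no += 1                         # context line exists in the new file
        # "-" lines are removals: not scanned, and they do not advance line_no
    return findings

# Constructed sample input; the key is AWS's documentation example, not a real credential.
SAMPLE_DIFF = """\
diff --git a/config/aws.py b/config/aws.py
--- a/config/aws.py
+++ b/config/aws.py
@@ -12,4 +12,4 @@ import os
 REGION = "us-east-1"
 BUCKET = "assets"
-AWS_KEY = os.environ["AWS_KEY"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
 TIMEOUT = 30
"""

if __name__ == "__main__":
    for path, line_no, rule in scan_staged_diff(SAMPLE_DIFF):
        print(f"MATCH: {rule} in {path} (line {line_no})")
```

In a hook the input would come from `git diff --cached`, and a non-empty result would exit non-zero so git aborts the commit. Because `git commit --no-verify` skips client-side hooks, a gate of this kind is typically backed by a server-side scan.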

Layer 3 · Qwen2.5-Coder

Semantic review by a local LLM.

SQL injection, XSS, command injection, dead functions, and logic bugs — reviewed across 11 languages by Qwen2.5-Coder running locally via MLX. Advisory only, never blocks.

  • SQL injection, XSS, command injection
  • Dead code, unhandled errors, logic flaws
  • 11 languages — Python, Rust, TS, Go, Java…
advisory report
LocalForge Advisory — commit a3f2c1d
[MEDIUM] SQL injection risk
in: models/user.py · fetch_records()
String interpolation in raw SQL query.
Fix: use parameterised queries or an ORM
[LOW] Unhandled exception path
in: api/routes.py · create_user()
Missing try/except around db.commit()

Native App

A live window into every commit.

The SwiftUI app streams real-time scan events from every protected repo. Monitor tab shows each layer result as it runs. Repos tab manages hook status across all projects with one-click upgrades.

  • Live stream from ~/.localforge/hook.log
  • Multi-repo management — Active / Outdated / Missing
  • Scan Folder discovers all git repos automatically
LocalForge ● Active
Monitor | Repos
INFO Scanning — files: api/routes.py
L1 Rust regex: ready — 26 patterns active
L2 CoreML score: 0.214 — clean
L3 [LOW] No critical issues found
INFO Scanning — files: models/user.py
L2 CoreML score: 0.789 — BLOCKED
ERR Commit BLOCKED — secret detected

Installation

Install once. Protect every commit.

`localforge --install` wires the pre-commit hook, copies the binary to PATH, and auto-detects your Qwen model in HuggingFace cache — all in one command.

  • Sets up ~/.localforge/ and installs hook (v4)
  • Auto-detects Qwen from HuggingFace cache
  • Works per-repo: localforge --install /path/to/repo
one-command install
$ ./scripts/install_hook.sh ~/Developer/my-app
✓ Binary copied to ~/.localforge/bin/
✓ PATH added to ~/.zshrc
✓ CoreML model installed
✓ Qwen2.5-Coder detected in HF cache
✓ Pre-commit hook (v4) installed
✓ Repo registered in LocalForge.app
LocalForge is active. All commits are now protected.

Team Setup

Ship security culture with --install-org.

Generates a turnkey shell script your team runs once. Drop it in your setup docs or Makefile — every engineer is protected without any per-user configuration.

  • Generates a shareable install script
  • Paste into dev setup docs or Makefile
  • Auto PATH setup — no manual steps
team install
$ localforge --install-org
# Generated: localforge-team-setup.sh
# Share with your team. Run once per machine.
✓ Script written to ./localforge-team-setup.sh
# In your Makefile or setup docs:
curl -sSL <url> | bash

MCP Server

Connect your IDE via MCP.

A JSON-RPC 2.0 server lets Cursor, VS Code, and any MCP-compatible tool query LocalForge directly. Integrate scan results into your editor workflow.

  • JSON-RPC 2.0 · MCP-compliant
  • Works with Cursor, VS Code, any MCP client
  • Query scan results from your editor
VS Code / Cursor
MCP Server (JSON-RPC 2.0)
LocalForge Engine

MCP-compliant · JSON-RPC 2.0

What LocalForge catches

Seven categories of issues caught across three layers — from regex patterns to semantic LLM review.

Hardcoded Secrets · BLOCKS

AWS, GCP, Stripe, GitHub, Anthropic keys caught before they reach git history.

AWS_SECRET_KEY = "AKIAIOSFODNN7EXAMPLE"

SQL Injection · BLOCKS

Raw string interpolation in queries flagged with parameterised query suggestions.

query = f"SELECT * FROM users WHERE id={id}"

XSS Vulnerabilities · BLOCKS

Unescaped user input inserted into DOM contexts identified across JS/TS.

el.innerHTML = userInput

Command Injection · BLOCKS

Unsanitised variables passed to shell commands — blocked before commit.

os.system(f'ls {user_path}')

Dead Functions · ADVISORY

Unreachable and unused code detected across 11 languages to keep the diff clean.

fn unused_helper() { ... } // never called

Unhandled Errors · ADVISORY

Missing try/except, unchecked Results, and swallowed panics surfaced before merge.

db.commit() // no exception handler

Logic Bugs · ADVISORY

Off-by-one, incorrect conditionals, and edge-case gaps caught by Qwen semantic review.

if i <= len(arr): # should be <

v2.0.0 Release

See it in action

A live walkthrough of LocalForge intercepting a commit, running all three layers, and blocking a hardcoded secret — entirely on-device.

Start protecting your commits today.

Install in one command. Runs entirely on your Mac. Free and open source.

macOS 14+ · Apple Silicon · MIT License · v2.1.1