Blog

Writing on code quality and AI

Notes, findings, and field reports from reviewing AI-generated codebases.

27
June 27, 2026 · inkode team

We never get your codebase — just metadata. And you can keep even that local.

A code scanner asks for a lot of trust: you're pointing it at your source. So here's exactly what ik does and doesn't send. Your source code never leaves the machine — uploads carry findings and metadata, not file contents — secret values are masked before they're stored, the AI runs locally, and if you want zero upload, local-only scanning is one setting away.

privacyengineeringtooling
Read the piece →
27
June 27, 2026 · inkode team

"Too many findings, and I don't know where to start"

The first time a friend ran ik on his own code, his feedback wasn't about accuracy — it was 'this is a wall of findings and I have no idea what to fix first.' He was right. Here's how we turned 15 checks into one grade you can read in a second, and a remediation list that puts the file you should open next at the top.

productengineering
Read the piece →
20
June 20, 2026 · inkode team

False green: the scariest bug in a code scanner

A scanner that crashes is annoying. A scanner that reports '0 problems' when it actually did nothing is dangerous — it manufactures false confidence. Three times this year, ik silently skipped a check and called it a pass. Here's how each one happened, and the rule we now scan ourselves by.

engineeringtoolingpost-mortem
Read the piece →
09
June 9, 2026 · inkode team

A half-billion-parameter model lives inside our scanner

Two of ik's checks — semantic duplication and magic-number labelling — run a 0.5B local LLM that ships with the binary. No API key, no network call, your code never leaves the machine. Here's why we embedded a model instead of calling one, what it does well, and the Metal crash that ate a week.

engineeringAItooling
Read the piece →
03
June 3, 2026 · inkode team

One pass, every language: moving ik's analysis in-process

We replaced the external CLIs ik used for complexity and duplicate detection with an in-process library, chamele. It made the analysis never-skip, work across 27 languages, and unlock three new structural checks — but broader analysis meant walking the repo up to five times per scan. Here's the trade, and the shared-cache fix that collapses it back to one walk: −3.5s on Prometheus, −9.2s on Django.

engineeringperformancetooling
Read the piece →
12
May 12, 2026 · inkode team

What 5,299 scans taught us about AI-written code

Three weeks ago we shared results from 1,961 scans. We've now scanned 5,299. The bigger dataset didn't weaken the signal — it made it clearer. AI-marked repos commit secrets at 3.2× the rate. After adjusting for size, they still score 8–11 points lower. Some earlier claims held up. A few changed.

dataAIresearch
Read the piece →
24
April 24, 2026 · inkode team

What 1,961 scans told us about AI-written code

We scanned 1,961 repositories in 18 days. 38.4% of first-time scans landed in D or F. Here is what the full dataset says — including the part of the AI gap we had to correct.

dataAIresearch
Read the piece →
15
April 15, 2026 · inkode team

Welcome to the inkode blog

Why we're writing — field notes on code quality in the age of AI-generated software, and what we find when we point our scanner at real codebases.

announcement
Read the piece →