Writing on code quality and AI
Notes, findings, and field reports from reviewing AI-generated codebases.
We never get your codebase — just metadata. And you can keep even that local.
A code scanner asks for a lot of trust: you're pointing it at your source. So here's exactly what ik does and doesn't send. Your source code never leaves the machine — uploads carry findings and metadata, not file contents — secret values are masked before they're stored, the AI runs locally, and if you want zero upload, local-only scanning is one setting away.
"Too many findings, and I don't know where to start"
The first time a friend ran ik on his own code, his feedback wasn't about accuracy — it was 'this is a wall of findings and I have no idea what to fix first.' He was right. Here's how we turned 15 checks into one grade you can read in a second, and a remediation list that puts the file you should open next at the top.
False green: the scariest bug in a code scanner
A scanner that crashes is annoying. A scanner that reports '0 problems' when it actually did nothing is dangerous — it manufactures false confidence. Three times this year, ik silently skipped a check and called it a pass. Here's how each one happened, and the rule we now scan ourselves by.
A half-billion-parameter model lives inside our scanner
Two of ik's checks — semantic duplication and magic-number labelling — run a 0.5B local LLM that ships with the binary. No API key, no network call, your code never leaves the machine. Here's why we embedded a model instead of calling one, what it does well, and the Metal crash that ate a week.
One pass, every language: moving ik's analysis in-process
We replaced the external CLIs ik used for complexity and duplicate detection with an in-process library, chamele. It made the analysis never-skip, work across 27 languages, and unlock three new structural checks — but broader analysis meant walking the repo up to five times per scan. Here's the trade, and the shared-cache fix that collapses it back to one walk: −3.5s on Prometheus, −9.2s on Django.
What 5,299 scans taught us about AI-written code
Three weeks ago we shared results from 1,961 scans. We've now scanned 5,299. The bigger dataset didn't weaken the signal — it made it clearer. AI-marked repos commit secrets at 3.2× the rate. After adjusting for size, they still score 8–11 points lower. Some earlier claims held up. A few changed.
What 1,961 scans told us about AI-written code
We scanned 1,961 repositories in 18 days. 38.4% of first-time scans landed in D or F. Here is what the full dataset says — including the part of the AI gap we had to correct.
Welcome to the inkode blog
Why we're writing — field notes on code quality in the age of AI-generated software, and what we find when we point our scanner at real codebases.