open-code-review

The AI code review agent born at Alibaba's scale — combining deterministic engineering with LLM intelligence for precise, token-efficient reviews.

9.9Kstars
650forks
Apache License 2.0
Go

Open Code Review is an AI-powered code review CLI that originated as Alibaba Group’s internal official code review assistant. Over two years it served tens of thousands of developers and caught millions of code defects at production scale before being open-sourced for the broader community. The core idea is simple to configure — point it at any OpenAI-compatible or Anthropic endpoint and run ocr review.

Unlike general-purpose agents that send raw diffs to a language model and hope for the best, Open Code Review wraps the LLM in a deterministic engineering harness. File selection, bundling of related files into sub-agent contexts, and per-language rule matching all happen before the model sees a single token. The result is consistent, predictable coverage with no file-skipping on large changesets, precise line-number attribution for every comment, and token consumption roughly one-ninth that of a raw general-purpose agent approach on the same diff.

The built-in ruleset covers language-specific patterns across Java, TypeScript/JavaScript, Go, Rust, Kotlin, C/C++, and configuration formats like YAML, JSON, and Maven POM files. Rules target high-value classes of bugs — NPE chains, thread-safety violations, XSS injection, SQL injection, dead code, and logic boundary errors — keeping the model focused and comment noise low.

Integration paths are flexible: a global npm install exposes the ocr CLI, pre-built binaries cover all major platforms, and ready-made workflow files enable automated PR review in GitHub Actions and GitLab CI. It also ships as a Claude Code plugin and a Codex plugin for inline agent-driven reviews.

What You Get

  • A CLI (ocr) installable via npm or pre-built binaries for macOS, Linux, and Windows on both x86 and ARM
  • Deterministic file selection and smart bundling that groups related files into isolated sub-agent contexts, preventing oversights on large changesets
  • Built-in language-specific rulesets covering Java, TypeScript, JavaScript, Go, Rust, Kotlin, C/C++, and common config formats
  • Precise line-level comment positioning with an independent re-location module that queries the LLM to recover accurate line numbers when text matching fails
  • A comment reflection and filtering pass that removes false positives before results are surfaced
  • Support for any OpenAI-compatible or Anthropic endpoint, with interactive provider setup via ocr config provider
  • Ready-made GitHub Actions and GitLab CI workflow files for automatic PR review and inline comment posting
  • Plugin integrations for Claude Code and OpenAI Codex so agents can invoke reviews as slash commands

Common Use Cases

  • Pre-commit local review — running ocr review against staged or unstaged workspace changes before committing to catch bugs without waiting for CI
  • Automated PR review in CI — integrating the GitHub Actions workflow to post inline review comments on every pull request using a team-shared LLM endpoint
  • Branch diff review — comparing feature branches against main with ocr review --from main --to feature-branch to audit the full changeset before merge
  • Agent-driven review inside Claude Code — installing the plugin so the /open-code-review:review command runs OCR and auto-fixes high-confidence issues in-context
  • Security-focused audits — leveraging built-in rules for XSS, SQL injection, NPE chains, and thread-safety violations across mixed-language monorepos
  • Token-budget-constrained pipelines — replacing verbose general-purpose agent reviews with OCR to cut LLM API costs by roughly 9x on the same codebase

Under The Hood

Architecture Open Code Review is built around a divide-and-conquer agent harness that separates what must be deterministic from what benefits from language model judgment. The outer pipeline — implemented in Go — handles file enumeration, extension and path filtering, smart bundling of semantically related files (such as paired locale property files), and path-based rule resolution. Each bundle becomes an isolated sub-agent that runs concurrently, keeping context windows tight and enabling parallel execution on large changesets. Two post-processing modules — comment positioning and comment reflection — run outside the LLM loop as independent passes, correcting line-number drift and filtering out false positives before any output is surfaced. This architectural discipline is why the tool achieves higher precision than general-purpose agents while consuming far fewer tokens.

Tech Stack The core is written in Go 1.25, compiled to statically linked binaries distributed for six platform/architecture targets. The LLM layer wraps both the Anthropic SDK and the OpenAI Go SDK, with a unified LLMClient interface that abstracts protocol differences. A provider registry ships with first-class configurations for Anthropic Claude, OpenAI, Alibaba DashScope, and several others. The interactive TUI for provider and model selection is built on Bubbletea and Lipgloss. Observability is wired through OpenTelemetry with both gRPC and stdout exporters. The npm package simply wraps the platform binary download, making npm install -g @alibaba-group/open-code-review the primary distribution path.

Code Quality The codebase has comprehensive test coverage at all layers — the diff parsing and hunk resolution modules, the LLM client and provider registry, the review command flag parsing, the output formatter, and the agent template renderer all carry dedicated test files with race-detector-enabled runs (go test -race). Error handling is explicit and propagated with fmt.Errorf("context: %w", err) wrapping throughout rather than being swallowed. The task template system is stored as an embedded JSON file and validated at startup. CI runs build, vet, and test on every push with release automation generating signed binaries and an npm package on each tag.

What Makes It Unique The genuinely novel contribution is the external positioning and reflection architecture. Rather than asking the LLM to produce a correctly positioned comment in a single shot — which general-purpose agents do and fail at on large diffs — Open Code Review separates comment generation from comment positioning into two independent pipeline stages. When hunk-based text matching fails to locate a comment, a dedicated re-location LLM call renders a fresh existing_code snippet from the diff and retries. A separate reflection pass then acts as a fact-checker, reading only the diff to veto comments that contradict visible evidence. This combination of deterministic engineering guards around a language model core is what allows the tool to report both higher precision and lower token consumption on the same benchmark workloads compared to vanilla agent approaches.

Self-Hosting

Open Code Review is released under the Apache License 2.0. This is a permissive open-source license that allows you to use, modify, and distribute the software freely in commercial products and internal tooling without any copyleft obligations. There are no dual-license restrictions, no enterprise tiers requiring a paid license, and no feature flags that unlock themselves only in a paid build. The full source code as shipped to production at Alibaba is what you get.

Running Open Code Review yourself is operationally lightweight compared to typical self-hosted AI infrastructure. The tool is a single statically linked binary with no external database, no sidecar services, and no persistent daemon — it runs as a CLI command and exits. The only runtime dependency you supply is an LLM API endpoint (any OpenAI-compatible service or Anthropic). Configuration is stored in a JSON file under ~/.opencodereview/. For CI integration, the GitHub Actions workflow file handles everything; there is no server to maintain, no container to keep healthy, and no persistent state to back up. Scaling to more concurrent reviewers means adding more CI runners, not provisioning more infrastructure.

Because there is no hosted SaaS tier, there is also no vendor-managed upgrade path, no support SLA, and no cloud-managed audit log of review sessions. If your organization needs a guaranteed response time on issues or a fully managed review pipeline with role-based access and SSO, you would build that wrapper yourself around the CLI. The project is very actively maintained — releasing multiple times per week at the time of writing — so staying current requires periodic binary upgrades on your side. The trade-off is full control over which LLM endpoint and model you use, no data leaving your chosen provider, and zero per-seat licensing cost.

Join founders buildingwith open source

Opinionated takes, migration guides, cost-saving tips, and insights from the open source ecosystem.

Subscribe on Substack

No spam. Unsubscribe anytime.

Join 750+ subscribers
No spam. Unsubscribe anytime.

Search