Introduction
Code review is where bugs hide – and manual reviews miss 30-60% of defects. Traditional static analysis tools produce noisy warnings that developers learn to ignore. Pure LLM reviews are slow, expensive, and prone to position drift where reported issues do not match actual code locations. Neither approach delivers precise, actionable feedback at the line level.
The cost is real: security vulnerabilities like XSS and SQL injection slip through. Null pointer exceptions crash production systems. Thread-safety bugs cause intermittent failures that are nearly impossible to reproduce. Manual review is slow and inconsistent, especially across large codebases with thousands of changes per week.
Open Code Review solves this by combining deterministic engineering with LLM agents. The deterministic pipeline handles what must not go wrong – file selection, rule matching, comment positioning – while the LLM agent provides contextual understanding that static analysis alone cannot achieve. Battle-tested across thousands of code reviews at Alibaba, this hybrid approach delivers precise line-level comments that reduce false positives and catch real bugs.
With over 6,000 GitHub stars and an Apache-2.0 license, Open Code Review is production-ready and available for any team.
The architecture diagram above shows how Open Code Review processes code changes through two parallel paths. The deterministic pipeline applies built-in rulesets covering NPE detection, thread safety, XSS, and SQL injection, while the LLM agent queries OpenAI or Anthropic APIs for contextual understanding. Both paths feed into a result merger that deduplicates findings and produces precise line-level comments.
Key Insight: Open Code Review is the first open-source tool to combine deterministic engineering with an LLM agent for code review. The deterministic pipeline guarantees correctness for steps that must not fail – file selection, rule matching, and comment positioning – while the LLM agent provides contextual understanding that static analysis alone cannot achieve. This hybrid approach, battle-tested across thousands of code reviews at Alibaba, delivers precise line-level comments that reduce false positives and catch real bugs.
What is Open Code Review?
Open Code Review (OCR) is an open-source, free AI-powered code review CLI tool from Alibaba Group. It originated as Alibaba’s internal official AI code review assistant, serving tens of thousands of developers and identifying millions of code defects over two years of production use. After thorough validation at massive scale, Alibaba incubated it as an open-source project for the community.
Written in Go with an npm-based installer, OCR reads Git diffs, sends changed files to a configurable LLM via an agent with tool-use capabilities, and generates structured review comments with line-level precision. The agent can read full file contents, search the codebase, inspect other changed files for context, and produce deep reviews – not just surface-level diff feedback.
Key facts about Open Code Review:
- 6,000+ GitHub stars – significant community adoption
- Written in Go – fast, single-binary deployment
- Apache-2.0 license – fully open source, free for commercial use
- Dual installation – npm package or standalone binary
- OpenAI and Anthropic compatible – works with both major LLM providers
- Line-level precision – comments target exact lines, not entire files
- Built-in ruleset – language-specific review rules for Java, TypeScript, Kotlin, Rust, C/C++, and more
How the Hybrid Architecture Works
The core philosophy of Open Code Review is that deterministic engineering and LLM agents each handle what they do best. This is not just “run static analysis then run LLM” – the two components are deeply integrated at every stage of the review pipeline.
Deterministic Engineering – Hard Constraints
For review steps that must not go wrong, engineering logic – not the language model – guarantees correctness:
- Precise file selection – Determines exactly which files need review and which should be filtered, ensuring no important change is missed. Binary files, test files, and unsupported file types are automatically excluded.
- Smart file bundling – Groups related files into a single review unit (for example,
message_en.propertiesandmessage_zh.propertiesare bundled together). Each bundle runs as a sub-agent with isolated context – a divide-and-conquer strategy that stays stable on very large changesets and naturally supports concurrent review. - Fine-grained rule matching – Matches review rules to each file’s characteristics using template-engine-based rule matching, keeping the model’s attention sharply focused and eliminating information noise at the source. Compared to purely language-driven rule guidance, template-engine-based matching is more stable and predictable.
- External positioning and reflection modules – Independent comment-positioning and comment-reflection modules systematically improve both the location accuracy and content accuracy of AI feedback.
LLM Agent – Dynamic Decision-Making
The agent’s strengths are concentrated where they matter most – dynamic decisions and dynamic context retrieval:
- Scenario-tuned prompts – Prompt templates deeply optimized for code review, improving effectiveness while reducing token consumption.
- Scenario-tuned toolset – Distilled from deep analysis of tool-call traces in large-scale production data, including call frequency distributions, per-tool repetition rates, and the impact of new tools on the overall call chain. The result is a purpose-built toolset that is more stable and predictable for code review than a generic agent toolkit.
The hybrid pipeline diagram illustrates the complete flow from code diff input through the two parallel analysis paths. On the left, the static analysis path runs pattern matching, data flow analysis, and taint analysis. On the right, the LLM review path builds context and applies reasoning. Both paths feed into a deduplication engine that eliminates redundant findings, followed by priority ranking that ensures the most important issues surface first. The result is a set of precise, line-level comments that combine the speed of deterministic analysis with the depth of LLM understanding.
The Review Pipeline in Detail
When you run ocr review, the tool follows a structured pipeline:
- Diff parsing – Reads Git diffs for the specified range (workspace, branch, or commit)
- File filtering – Applies include/exclude rules and extension filters to select reviewable files
- Rule resolution – Matches each file to its appropriate review rule using a four-layer priority chain
- Plan phase – For larger changes, the LLM first creates a review plan identifying risk areas
- Main task loop – The LLM reviews each file with tool-use capabilities (reading files, searching code)
- Comment collection – Tool calls generate structured comments with line-level positioning
- Review filter – A separate LLM pass removes provably incorrect comments based on the diff
- Output – Results are presented as text or JSON
Built-in Security Ruleset
Open Code Review ships with a comprehensive built-in ruleset that covers the most critical vulnerability categories. These rules are not just simple pattern matches – they are detailed review checklists written in Markdown, matched to files based on path patterns, and injected into the LLM’s prompt to focus its attention.
Four-Layer Rule Resolution
Rules are resolved through a priority chain:
| Priority | Source | Path | Description |
|---|---|---|---|
| 1 (highest) | --rule flag | User-specified path | CLI explicit override |
| 2 | Project config | <repoDir>/.opencodereview/rule.json | Per-project rules, committable to git |
| 3 | Global config | ~/.opencodereview/rule.json | User-wide personal preferences |
| 4 (lowest) | System default | Embedded system_rules.json | Built-in rules covering common languages |
Language-Specific Rules
The built-in ruleset includes specialized review checklists for 14 file types:
- Java – NPE detection, thread safety, dead code, logic errors, performance issues
- TypeScript/JavaScript – Type safety, async patterns, error handling
- Kotlin – Null safety, coroutine patterns, extension function misuse
- Rust – Ownership and borrowing, unsafe blocks, error propagation
- C/C++ – Memory management, buffer overflows, undefined behavior
- Properties, YAML, JSON – Configuration errors, missing keys, type mismatches
- Mapper XML – SQL injection, parameter errors, missing closing tags
- POM/XML, build.gradle, package.json, Cargo.toml – Dependency issues, version conflicts
Security-Focused Detection
The Java rule, for example, explicitly checks for:
- NPE (Null Pointer Exception) – Code patterns that may cause NPE, verified by inspecting the data source call chain using
file_readandcode_searchtools - Thread Safety – Race conditions, non-atomic compound operations, unsafe lazy initialization, concurrent writes to thread-unsafe collections
- SQL Injection – Unsanitized user input in SQL queries, string concatenation in SQL statements
- XSS (Cross-Site Scripting) – Unescaped user input in HTML output, unsafe DOM manipulation
The security ruleset diagram shows how the built-in ruleset organizes detection into four major categories. NPE detection catches missing null checks and unsafe dereferences. Thread safety analysis identifies race conditions and deadlock risks. XSS detection finds unescaped output and unsafe DOM manipulation. SQL injection detection flags string concatenation in queries and ORM misuse. Each detection produces precise line-level comments that point developers to the exact location of the vulnerability.
Amazing: The built-in ruleset is fine-tuned from Alibaba’s production code review data, covering critical vulnerability categories across 14 file types. Each rule has been calibrated against real-world code at Alibaba’s scale – meaning the false-positive rate has been optimized through millions of code reviews, not just theoretical analysis. The Java rule alone explicitly checks for NPE patterns by instructing the LLM to use
file_readandcode_searchtools to verify the data source call chain before flagging a potential null dereference.
LLM Agent Integration
Open Code Review supports both OpenAI and Anthropic APIs out of the box. The LLM integration is not a simple “send diff, get comments” pipeline – it is a sophisticated agent with tool-use capabilities that can read full file contents, search the codebase, and inspect other changed files for context.
Configuration
Setting up the LLM is straightforward:
# Option A: Interactive config
ocr config set llm.url https://api.anthropic.com/v1/messages
ocr config set llm.auth_token your-api-key-here
ocr config set llm.model claude-opus-4-6
ocr config set llm.use_anthropic true
# Option B: Environment variables (highest priority)
export OCR_LLM_URL=https://api.anthropic.com/v1/messages
export OCR_LLM_TOKEN=your-api-key-here
export OCR_LLM_MODEL=claude-opus-4-6
export OCR_USE_ANTHROPIC=true
Config is stored in ~/.opencodereview/config.json. Environment variables take precedence over the config file.
OpenAI Integration
For OpenAI-compatible endpoints (including custom deployments):
ocr config set llm.url https://api.openai.com/v1/chat/completions
ocr config set llm.auth_token sk-xxxxxxx
ocr config set llm.model gpt-4
Anthropic Integration
For Anthropic’s Claude models:
ocr config set llm.url https://api.anthropic.com/v1/messages
ocr config set llm.auth_token sk-ant-xxxxxxx
ocr config set llm.model claude-opus-4-6
ocr config set llm.use_anthropic true
ocr config set llm.auth_header x-api-key
How the Agent Works
The LLM agent receives both the code diff and pipeline findings as context. It uses a set of purpose-built tools:
code_search– Search the codebase for symbols, patterns, and referencesfile_read– Read full file contents for context beyond the difffile_read_diff– Read the diff of other changed files for cross-file analysisfile_find– Find files by name or patterncode_comment– Submit a review comment with line-level positioningtask_done– Signal that the review is complete
This tool-use approach means the agent can verify its findings before reporting them. For example, before flagging a potential NPE, the agent can use code_search to check whether the variable is actually nullable, and file_read to examine the call chain.
The LLM integration diagram shows how Open Code Review connects to LLM providers. Configuration provides API keys and model selection. The prompt constructor builds prompts that include code context and pipeline findings, giving the LLM both the raw diff and the deterministic analysis results. The LLM provider (OpenAI or Anthropic) processes the prompt and returns a response, which is then parsed into structured line-level comments. This architecture means the LLM receives richer context than it would from the diff alone, enabling more accurate and targeted review feedback.
Takeaway: Open Code Review supports both OpenAI and Anthropic APIs out of the box, letting you choose the LLM provider that best fits your code review needs. The LLM agent receives both the code diff and pipeline findings as context, enabling it to provide more targeted and accurate review comments than a standalone LLM could achieve. The tool-use architecture means the agent can verify its findings before reporting them, reducing false positives.
Installation and Setup
Prerequisites
- Git (for diff parsing)
- An LLM API key (OpenAI or Anthropic)
Installation
Via NPM (Recommended)
npm install -g @alibaba-group/open-code-review
After installation, the ocr command is available globally.
From GitHub Release
Download the latest binary from GitHub Releases:
# macOS (Apple Silicon)
curl -Lo ocr https://github.com/alibaba/open-code-review/releases/latest/download/opencodereview-darwin-arm64
chmod +x ocr && sudo mv ocr /usr/local/bin/ocr
# Linux (x86_64)
curl -Lo ocr https://github.com/alibaba/open-code-review/releases/latest/download/opencodereview-linux-amd64
chmod +x ocr && sudo mv ocr /usr/local/bin/ocr
# Windows (x86_64)
curl -Lo ocr.exe https://github.com/alibaba/open-code-review/releases/latest/download/opencodereview-windows-amd64.exe
From Source
git clone https://github.com/alibaba/open-code-review.git
cd open-code-review
make build
sudo cp dist/opencodereview /usr/local/bin/ocr
Quick Start
# 1. Configure LLM
ocr config set llm.url https://api.anthropic.com/v1/messages
ocr config set llm.auth_token your-api-key-here
ocr config set llm.model claude-opus-4-6
ocr config set llm.use_anthropic true
# 2. Test connectivity
ocr llm test
# 3. Review code
cd your-project
ocr review
Configuration Reference
Config file: ~/.opencodereview/config.json
| Key | Type | Example |
|---|---|---|
llm.url | string | https://api.openai.com/v1/chat/completions |
llm.auth_token | string | sk-xxxxxxx |
llm.auth_header | string | Anthropic: x-api-key or authorization |
llm.model | string | claude-opus-4-6 |
llm.use_anthropic | boolean | true or false |
language | string | English or Chinese (default: Chinese) |
telemetry.enabled | boolean | true or false |
Environment variables take precedence over the config file:
| Variable | Purpose |
|---|---|
OCR_LLM_URL | LLM API endpoint URL |
OCR_LLM_TOKEN | API key / auth token |
OCR_LLM_AUTH_HEADER | Anthropic auth header (x-api-key or authorization) |
OCR_LLM_MODEL | Model name |
OCR_USE_ANTHROPIC | true = Anthropic, false = OpenAI |
Usage Examples
Example 1: Basic Code Review
# Review all staged, unstaged, and untracked changes
cd your-project
ocr review
# Review a branch range
ocr review --from main --to feature-branch
# Review a specific commit
ocr review --commit abc123
Example 2: Preview Mode (No LLM Calls)
# Preview which files will be reviewed without running the LLM
ocr review --preview
# Preview for a specific commit
ocr review --commit abc123 --preview
Example 3: JSON Output for CI/CD
# Machine-readable JSON output
ocr review --from main --to feature-branch --format json
# Agent mode (summary only, no progress lines)
ocr review --commit abc123 --format json --audience agent
Example 4: Custom Review Rules
{
"rules": [
{
"path": "force-api/**/*.java",
"rule": "All new methods must validate required parameters for null values"
},
{
"path": "**/*mapper*.xml",
"rule": "Check SQL for injection risks, parameter errors, and missing closing tags"
}
]
}
# Use custom rules
ocr review --rule /path/to/my-rules.json
# Preview which rule applies to a file
ocr rules check src/main/java/com/example/Foo.java
Example 5: Context-Aware Review
# Provide requirement context for more targeted review
ocr review --background "Adding rate limiting to the login API"
# Higher concurrency for large codebases
ocr review --from main --to feature-branch --concurrency 4
Example 6: Configuration File
{
"llm": {
"url": "https://api.anthropic.com/v1/messages",
"auth_token": "",
"auth_header": "x-api-key",
"model": "claude-opus-4-6",
"use_anthropic": true
},
"language": "English",
"telemetry": {
"enabled": false
}
}
Example 7: CI/CD Integration (GitHub Actions)
# .github/workflows/ocr-review.yml
name: OpenCodeReview PR Review
on:
pull_request_target:
types: [opened]
permissions:
contents: read
pull-requests: write
jobs:
code-review:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '20'
- name: Install OpenCodeReview
run: npm install -g @alibaba-group/open-code-review
- name: Configure OCR
run: |
ocr config set llm.url $
ocr config set llm.auth_token $
ocr config set llm.model $
- name: Run OpenCodeReview
run: |
ocr review \
--from "origin/$" \
--to "$" \
--format json
Comparison with Alternatives
Open Code Review vs. Traditional Static Analysis (SonarQube, CodeQL)
Traditional static analysis tools are fast and deterministic, but they produce noisy warnings that developers learn to ignore. They cannot understand business logic, intent, or context beyond what their rules explicitly encode. Open Code Review’s hybrid approach uses deterministic engineering for what must be correct (file selection, rule matching, comment positioning) and LLM reasoning for what requires understanding (business logic, intent, cross-file context). The result is fewer false positives and more actionable feedback.
Open Code Review vs. Pure LLM Code Review (CodeRabbit, Codiumate)
Pure LLM review tools send diffs to an LLM and hope for the best. They suffer from three problems that Open Code Review explicitly addresses: incomplete coverage (agents skip files on large changesets), position drift (reported line numbers do not match actual code), and unstable quality (minor prompt variations cause significant quality fluctuations). Open Code Review’s deterministic engineering provides hard constraints on the review process, ensuring every file is reviewed, comments are positioned correctly, and quality remains stable.
Open Code Review vs. Other Hybrid Tools
Open Code Review is unique in several ways: it is the only open-source hybrid code review tool that combines deterministic engineering with LLM agents, it provides a built-in ruleset fine-tuned from production data at Alibaba’s scale, and it supports both OpenAI and Anthropic APIs with a single configuration. The tool-use architecture means the LLM can verify its findings before reporting them, reducing false positives in a way that pure prompt-based approaches cannot achieve.
Conclusion
Open Code Review delivers the best of both worlds: deterministic pipeline speed and LLM depth. The deterministic engineering guarantees correctness for steps that must not fail – file selection, rule matching, and comment positioning – while the LLM agent provides contextual understanding that static analysis alone cannot achieve.
The best use cases for Open Code Review are:
- Security-focused code review – Built-in rules for NPE, thread safety, XSS, and SQL injection
- Large-scale codebases – Smart file bundling and concurrent review handle thousands of changes
- CI/CD integration – JSON output and GitHub Actions/GitLab CI examples make automation straightforward
- Teams using OpenAI or Anthropic – First-class support for both providers with easy configuration
Getting started is simple:
npm install -g @alibaba-group/open-code-review
ocr config set llm.url https://api.anthropic.com/v1/messages
ocr config set llm.auth_token your-api-key
ocr config set llm.model claude-opus-4-6
ocr config set llm.use_anthropic true
ocr review
Links:
- GitHub: https://github.com/alibaba/open-code-review
- Documentation: https://alibaba.github.io/open-code-review/
- NPM Package: @alibaba-group/open-code-review
Important: The hybrid architecture of Open Code Review means you get the speed of deterministic analysis for known vulnerability patterns and the depth of LLM reasoning for nuanced code issues. This dual approach eliminates the false-positive noise of traditional static analysis while catching bugs that pure LLM reviews would miss – delivering actionable, line-level comments that developers actually want to read. With 6,000+ GitHub stars, Apache-2.0 licensing, and production validation at Alibaba’s scale, Open Code Review is ready for any team that takes code quality seriously.
Enjoyed this post? Never miss out on future posts by following us
