Configs · Jul 3, 2026 · 3 min read

Open Code Review — Hybrid AI Code Review by Alibaba

A battle-tested open-source code review tool combining deterministic static analysis pipelines with LLM agents to deliver precise, line-level review comments.

Agent-ready

Agent-ready installation

This asset can be installed after choosing the runtime, reviewing the plan and running the corresponding command.

Native · 98/100 · Policy: allow
Agent surface: Any MCP/CLI agent
Type: Skill
Installation: Single
Trust: Established
Entry: Open Code Review
Direct install command:
npx -y tokrepo@latest install c67e2ccf-771d-11f1-9bc6-00163e2b0d79 --target codex

Run after confirming the plan with a dry-run.

Introduction

Open Code Review is an open-source code review tool developed and battle-tested at Alibaba's scale. It uses a hybrid architecture that combines deterministic analysis pipelines with LLM-powered agents to produce precise, line-level code review comments on pull requests.

What Open Code Review Does

  • Analyzes pull request diffs and posts inline review comments on specific lines
  • Combines rule-based static analysis with LLM reasoning for higher accuracy
  • Ships with a fine-tuned ruleset covering null pointer exceptions, thread safety, XSS, and SQL injection
  • Integrates with GitHub and GitLab via webhooks
  • Supports OpenAI and Anthropic-compatible LLM endpoints

Architecture Overview

The system uses a two-stage pipeline. First, deterministic analyzers scan the diff for known patterns (security vulnerabilities, common bugs, style violations) using a built-in rule engine. Then an LLM agent reviews the remaining changes with full repository-level context, focusing on logic errors and design concerns. Results from both stages are merged, deduplicated, and posted as inline comments on the PR.

Self-Hosting & Configuration

  • Deploy via Docker Compose with the provided configuration
  • Set your LLM API endpoint and key as environment variables
  • Configure Git platform webhooks (GitHub or GitLab) to send PR events
  • Customize rule severity and enable/disable specific analyzers via config files
  • Supports running behind a reverse proxy for enterprise deployments

Key Features

  • Hybrid architecture delivers both deterministic precision and LLM flexibility
  • Built-in security rules catch vulnerabilities without additional tooling
  • Line-level comments appear directly on the PR diff for easy triage
  • Repository-level context awareness reduces false positives
  • Compatible with any OpenAI or Anthropic API-compatible model

Comparison with Similar Tools

  • PR-Agent (Qodo) — general PR review vs. hybrid deterministic + LLM pipeline
  • CodeRabbit — SaaS-only vs. fully self-hosted with custom rules
  • Semgrep — pure static analysis vs. static + LLM reasoning
  • SonarQube — broad code quality vs. focused PR review with AI augmentation

FAQ

Q: Does it support languages beyond Java? A: The deterministic rules focus on Java and common web vulnerabilities. The LLM agent can review code in any language the model supports.

Q: Can I use a local LLM instead of a cloud API? A: Yes. Any OpenAI-compatible endpoint works, including locally hosted models via Ollama or vLLM.

Q: How does it handle false positives? A: The hybrid approach reduces false positives by cross-checking LLM findings against deterministic rules. You can also tune rule thresholds in configuration.

Q: Is it production-ready? A: It has been used at Alibaba's scale and is open-sourced with production deployment documentation.
