Introduction
Open Code Review is an open-source code review tool developed and battle-tested at Alibaba's scale. It uses a hybrid architecture that combines deterministic analysis pipelines with LLM-powered agents to produce precise, line-level code review comments on pull requests.
What Open Code Review Does
- Analyzes pull request diffs and posts inline review comments on specific lines
- Combines rule-based static analysis with LLM reasoning for higher accuracy
- Ships with a fine-tuned ruleset covering null pointer exceptions, thread safety, XSS, and SQL injection
- Integrates with GitHub and GitLab via webhooks
- Supports OpenAI and Anthropic-compatible LLM endpoints
Architecture Overview
The system uses a two-stage pipeline. First, deterministic analyzers scan the diff for known patterns (security vulnerabilities, common bugs, style violations) using a built-in rule engine. Then an LLM agent reviews the remaining changes with full repository-level context, focusing on logic errors and design concerns. Results from both stages are merged, deduplicated, and posted as inline comments on the PR.
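The two-stage pipeline described above, as an added Python example that is not the project's own code: a minimal unified-diff walker maps each added line to its line number in the new file, a deterministic rule pass flags SQL built by string concatenation and unescaped request parameters, a constructed stand-in for the LLM agent supplies findings on the same diff, and the merge step deduplicates by (file, line, rule) so the deterministic finding wins on a collision. The sample diff, the rule regexes and the stub are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample diff (not from the project): a Java change that
# replaces a parameterized query with string concatenation.
SAMPLE_DIFF = """\
diff --git a/src/UserDao.java b/src/UserDao.java
--- a/src/UserDao.java
+++ b/src/UserDao.java
@@ -10,4 +10,6 @@
 public User find(String name) {
-    String q = "SELECT * FROM users WHERE name = ?";
+    String q = "SELECT * FROM users WHERE name = '" + name + "'";
+    log.info("query built");
     return run(q);
 }
"""

@dataclass(frozen=True)
class Finding:
    path: str
    line: int      # line number in the new version of the file
    rule: str
    message: str
    source: str    # "rule" (deterministic stage) or "llm" (agent stage)

def added_lines(diff: str):
    """Yield (path, new_line_no, text) for every '+' line, tracking hunk offsets."""
    path, new_no = None, 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):
            new_no = int(re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw).group(1))
        elif raw.startswith("+") and path:
            yield path, new_no, raw[1:]
            new_no += 1
        elif raw.startswith(("-", "\\", "diff ")):
            continue           # removed lines and headers do not advance new-file numbering
        elif path:
            new_no += 1        # context line

# Illustrative rules only; the project's real ruleset is not shown here.
RULES = [
    ("sql-injection", re.compile(r'"\s*(?:SELECT|INSERT|UPDATE|DELETE)\b.*"\s*\+', re.I),
     "SQL built by string concatenation; use a parameterized query"),
    ("xss", re.compile(r"getWriter\(\)\.(?:print|write)\(.*getParameter"),
     "request parameter written to the response without escaping"),
]

def run_rules(diff: str):
    return [Finding(p, n, rid, msg, "rule") for p, n, text in added_lines(diff)
            for rid, rx, msg in RULES if rx.search(text)]

def stub_llm(diff: str):
    """Constructed stand-in for the LLM agent; one finding duplicates the rule hit."""
    return [Finding("src/UserDao.java", 11, "sql-injection", "query is concatenated", "llm"),
            Finding("src/UserDao.java", 12, "logging", "log line carries no request context", "llm")]

def merge(rule_findings, llm_findings):
    """Deduplicate by (path, line, rule); deterministic findings win on a collision."""
    seen = {}
    for f in list(rule_findings) + list(llm_findings):
        seen.setdefault((f.path, f.line, f.rule), f)
    return sorted(seen.values(), key=lambda f: (f.path, f.line, f.rule))

def review(diff: str, llm=stub_llm):
    return merge(run_rules(diff), llm(diff))
```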
Self-Hosting & Configuration
- Deploy via Docker Compose with the provided configuration
- Set your LLM API endpoint and key as environment variables
- Configure Git platform webhooks (GitHub or GitLab) to send PR events
- Customize rule severity and enable/disable specific analyzers via config files
- Supports running behind a reverse proxy for enterprise deployments
Key Features
- Hybrid architecture delivers both deterministic precision and LLM flexibility
- Built-in security rules catch vulnerabilities without additional tooling
- Line-level comments appear directly on the PR diff for easy triage
- Repository-level context awareness reduces false positives
- Compatible with any OpenAI or Anthropic API-compatible model
Comparison with Similar Tools
- PR-Agent (Qodo) — general-purpose PR review, versus Open Code Review's hybrid deterministic + LLM pipeline
- CodeRabbit — SaaS-only, versus a fully self-hosted deployment with custom rules
- Semgrep — pure static analysis, versus static analysis combined with LLM reasoning
- SonarQube — broad code quality scanning, versus focused PR review with AI augmentation
FAQ
Q: Does it support languages beyond Java? A: The deterministic rules focus on Java and common web vulnerabilities. The LLM agent can review code in any language the model supports.
Q: Can I use a local LLM instead of a cloud API? A: Yes. Any OpenAI-compatible endpoint works, including locally hosted models via Ollama or vLLM.
Q: How does it handle false positives? A: The hybrid approach reduces false positives by cross-checking LLM findings against deterministic rules. You can also tune rule thresholds in configuration.
Q: Is it production-ready? A: It has been used at Alibaba's scale and is open-sourced with production deployment documentation.