# Open Code Review — Hybrid AI Code Review by Alibaba

> A battle-tested open-source code review tool combining deterministic static analysis pipelines with LLM agents to deliver precise, line-level review comments.

## Quick Use

```bash
git clone https://github.com/alibaba/open-code-review.git
cd open-code-review
docker compose up -d
# Configure your Git webhook to point at the running service
```

## Introduction

Open Code Review is an open-source code review tool developed and battle-tested at Alibaba's scale. It uses a hybrid architecture that combines deterministic analysis pipelines with LLM-powered agents to produce precise, line-level code review comments on pull requests.

## What Open Code Review Does

- Analyzes pull request diffs and posts inline review comments on specific lines
- Combines rule-based static analysis with LLM reasoning for higher accuracy
- Ships with a fine-tuned ruleset covering null pointer exceptions, thread safety, XSS, and SQL injection
- Integrates with GitHub and GitLab via webhooks
- Supports OpenAI and Anthropic-compatible LLM endpoints

## Architecture Overview

The system uses a two-stage pipeline. First, deterministic analyzers scan the diff for known patterns (security vulnerabilities, common bugs, style violations) using a built-in rule engine. Then an LLM agent reviews the remaining changes with full repository-level context, focusing on logic errors and design concerns. Results from both stages are merged, deduplicated, and posted as inline comments on the PR.
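The two-stage pipeline described above, as an added Python illustration that is not the project's own code: one deterministic rule runs over the added lines of a constructed diff, each hit is mapped to its new-file line number from the hunk header (that is the line the inline comment lands on), and the result is merged with a constructed stand-in for the LLM stage, deduplicating on (file, line, rule). The names `Finding`, `SQL_CONCAT`, `LLM_FINDINGS` and the sample diff are assumptions of this example, not identifiers from the project.

```python
import re
from typing import NamedTuple

class Finding(NamedTuple):
    path: str
    line: int     # line number in the post-change file, where the inline comment is posted
    rule: str
    source: str   # "static" (rule engine) or "llm" (agent)
# Constructed unified diff for this illustration; it is not taken from any real PR.
SAMPLE_DIFF = """\
+++ b/UserDao.java
@@ -10,3 +10,4 @@
 public User find(String name) {
-    String q = "SELECT * FROM users WHERE name = ?";
+    String q = "SELECT * FROM users WHERE name = '" + name + "'";
+    log.info("query built");
     return run(q);
"""
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
# Stage-1 rule: a SQL string literal immediately concatenated with something else.
SQL_CONCAT = re.compile(r'"[^"]*\b(SELECT|INSERT|UPDATE|DELETE)\b[^"]*"\s*\+')
# Stand-in for the LLM agent's output (constructed; no model is called).
LLM_FINDINGS = [Finding("UserDao.java", 11, "sql-injection", "llm"),  # overlaps the rule hit
                Finding("UserDao.java", 12, "logging", "llm")]        # concern only the agent raised

def added_lines(diff: str):
    """Yield (path, new_file_line_number, text) for every '+' line of a unified diff."""
    path, new_no = None, 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif m := HUNK.match(raw):
            new_no = int(m.group(1))   # first new-file line covered by this hunk
        elif path is None or raw.startswith("-"):
            continue                   # headers and removed lines do not exist in the new file
        else:
            if raw.startswith("+"):
                yield path, new_no, raw[1:]
            new_no += 1                # context and added lines both advance the new-file counter

def static_stage(diff: str) -> list[Finding]:  # stage 1: the rule runs over added lines only
    return [Finding(p, n, "sql-injection", "static")
            for p, n, text in added_lines(diff) if SQL_CONCAT.search(text)]

def merge(static: list[Finding], llm: list[Finding]) -> list[Finding]:  # dedupe; rule hit wins
    merged = {(f.path, f.line, f.rule): f for f in static}
    for f in llm:
        merged.setdefault((f.path, f.line, f.rule), f)
    return sorted(merged.values(), key=lambda f: (f.path, f.line, f.rule))
```

Calling `merge(static_stage(SAMPLE_DIFF), LLM_FINDINGS)` yields one `sql-injection` finding on line 11 attributed to the rule engine and one `logging` finding on line 12 from the agent; the agent's duplicate of the injection hit is dropped.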
## Self-Hosting & Configuration

- Deploy via Docker Compose with the provided configuration
- Set your LLM API endpoint and key as environment variables
- Configure Git platform webhooks (GitHub or GitLab) to send PR events
- Customize rule severity and enable/disable specific analyzers via config files
- Supports running behind a reverse proxy for enterprise deployments

## Key Features

- Hybrid architecture delivers both deterministic precision and LLM flexibility
- Built-in security rules catch vulnerabilities without additional tooling
- Line-level comments appear directly on the PR diff for easy triage
- Repository-level context awareness reduces false positives
- Compatible with any OpenAI or Anthropic API-compatible model

## Comparison with Similar Tools

- **PR-Agent (Qodo)** — general PR review vs. hybrid deterministic + LLM pipeline
- **CodeRabbit** — SaaS-only vs. fully self-hosted with custom rules
- **Semgrep** — pure static analysis vs. static + LLM reasoning
- **SonarQube** — broad code quality vs. focused PR review with AI augmentation

## FAQ

**Q: Does it support languages beyond Java?**

A: The deterministic rules focus on Java and common web vulnerabilities. The LLM agent can review code in any language the model supports.

**Q: Can I use a local LLM instead of a cloud API?**

A: Yes. Any OpenAI-compatible endpoint works, including locally hosted models via Ollama or vLLM.

**Q: How does it handle false positives?**

A: The hybrid approach reduces false positives by cross-checking LLM findings against deterministic rules. You can also tune rule thresholds in configuration.

**Q: Is it production-ready?**

A: It has been used at Alibaba's scale and is open-sourced with production deployment documentation.

## Sources

- https://github.com/alibaba/open-code-review
- https://github.com/alibaba/open-code-review/blob/main/README.md

---

Source: https://tokrepo.com/en/workflows/asset-c67e2ccf
Author: AI Open Source