# Open Code Review — Battle-Tested AI Code Review Tool by Alibaba

> Open-source hybrid code review tool from Alibaba combining deterministic analysis pipelines with LLM agents for precise line-level feedback.

## Quick Use

```bash
git clone https://github.com/alibaba/open-code-review.git
cd open-code-review
make build
./ocr review --repo . --diff HEAD~1..HEAD
```

## Introduction

Open Code Review is an open-source code review tool developed at Alibaba and battle-tested at scale across its engineering organization. It uses a hybrid architecture that combines deterministic static analysis pipelines with LLM-powered agents to deliver precise, line-level code review comments.

## What Open Code Review Does

- Analyzes pull requests and diffs to find bugs, security issues, and style problems
- Posts precise line-level inline comments on code changes
- Applies a built-in fine-tuned ruleset covering NPE, thread safety, XSS, and SQL injection
- Supports both OpenAI- and Anthropic-compatible model backends
- Integrates with GitHub and GitLab for automated PR reviews

## Architecture Overview

Open Code Review uses a two-phase approach. First, deterministic pipelines run pattern-based checks against a curated ruleset derived from real production incidents at Alibaba. Then, an LLM agent reviews the remaining changes with repository-level context, producing findings that are cross-referenced against the deterministic results to reduce false positives.
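As an added illustration of the two-phase design (this is not Open Code Review's own code; its two rule patterns, the `Reviewer` type standing in for the LLM agent, the `MockLLM` output and the sample Java diff are all constructed here), the Go program below maps the added lines of a unified diff to new-file line numbers, runs the deterministic rules over them, then cross-references the model's candidate findings against the rule hits: a finding on a line the diff never added is discarded as mis-located, and one that repeats a rule hit on the same line and category is not posted twice. The `disabled` map also shows a check category being switched off, the kind of per-repository rule customization the configuration notes describe.

```go
package main

// Added example of a hybrid (rules, then LLM) review pipeline. NOT the project's
// code: rules, Reviewer, MockLLM and SampleDiff are constructed for illustration.

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Finding is one line-level comment anchored on the new side of the diff.
type Finding struct {
	Line     int
	Category string
	Message  string
	Source   string // "rule" (deterministic) or "llm"
}

// Rule is a pattern check run against every added line.
type Rule struct {
	Category string
	Pattern  *regexp.Regexp
	Message  string
}

// Hypothetical rules, deliberately tiny; a production ruleset is far broader.
var rules = []Rule{
	{"sql-injection", regexp.MustCompile(`"\s*(SELECT|INSERT|UPDATE|DELETE)\b[^"]*"\s*\+`),
		"SQL assembled by string concatenation; use a parameterized query"},
	{"npe", regexp.MustCompile(`\w+\.equals\(\s*"[^"]*"\s*\)`),
		"receiver may be null; call equals on the string literal instead"},
}

var hunkHeader = regexp.MustCompile(`^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@`)

// AddedLines walks a unified diff and maps new-file line numbers to added text,
// so every comment is anchored to a line that exists after the change.
func AddedLines(diff string) map[int]string {
	added := map[int]string{}
	lineNo := 0
	for _, l := range strings.Split(diff, "\n") {
		switch {
		case strings.HasPrefix(l, "+++ "), strings.HasPrefix(l, "--- "), strings.HasPrefix(l, `\`):
			continue // file headers and "\ No newline at end of file"
		case strings.HasPrefix(l, "@@"):
			if m := hunkHeader.FindStringSubmatch(l); m != nil {
				lineNo, _ = strconv.Atoi(m[1]) // first new-side line of the hunk
			}
		case strings.HasPrefix(l, "+"):
			added[lineNo] = l[1:]
			lineNo++
		case strings.HasPrefix(l, "-"):
			// removed line: it has no number on the new side
		default:
			lineNo++ // context line
		}
	}
	return added
}

// RunRules is the deterministic phase; disabled categories are skipped.
func RunRules(added map[int]string, disabled map[string]bool) []Finding {
	var out []Finding
	for line, text := range added {
		for _, r := range rules {
			if !disabled[r.Category] && r.Pattern.MatchString(text) {
				out = append(out, Finding{line, r.Category, r.Message, "rule"})
			}
		}
	}
	return out
}

// Reviewer stands in for the LLM agent: it sees the added lines and proposes findings.
type Reviewer func(added map[int]string) []Finding

// Merge cross-references LLM findings against the rule hits: drop any on a line the
// diff did not add (mis-located), and drop duplicates of a rule hit (same line+category).
func Merge(added map[int]string, ruleHits, llmHits []Finding) []Finding {
	key := func(f Finding) string { return fmt.Sprintf("%d:%s", f.Line, f.Category) }
	seen := map[string]bool{}
	out := append([]Finding(nil), ruleHits...)
	for _, f := range ruleHits {
		seen[key(f)] = true
	}
	for _, f := range llmHits {
		if _, inDiff := added[f.Line]; !inDiff || seen[key(f)] {
			continue
		}
		seen[key(f)] = true
		out = append(out, f)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Line < out[j].Line })
	return out
}

// Review runs both phases over one diff and returns the comments to post.
func Review(diff string, disabled map[string]bool, llm Reviewer) []Finding {
	added := AddedLines(diff)
	return Merge(added, RunRules(added, disabled), llm(added))
}

// SampleDiff is a constructed Java change; added lines land on 11, 12 and 14.
const SampleDiff = `--- a/UserDao.java
+++ b/UserDao.java
@@ -10,3 +10,6 @@
 public class UserDao {
+    String q = "SELECT * FROM users WHERE name = '" + name + "'";
+    boolean admin = role.equals("admin");
     int x = 1;
+    // harmless comment
 }
`

// MockLLM returns canned candidates: one duplicates a rule hit, one is genuinely new,
// one points at a line the diff never touched.
func MockLLM(added map[int]string) []Finding {
	return []Finding{
		{12, "npe", "role may be null here", "llm"},
		{14, "style", "comment restates the obvious", "llm"},
		{99, "xss", "unescaped output", "llm"},
	}
}

func main() {
	for _, f := range Review(SampleDiff, nil, MockLLM) {
		fmt.Printf("L%d [%s/%s] %s\n", f.Line, f.Source, f.Category, f.Message)
	}
}
```

Running it prints three comments: the SQL concatenation and the `equals` call come from the rules, the style remark survives from the model because it sits on an added line and repeats nothing, and the line-99 finding is silently dropped. In a real integration each `Finding` would become an inline comment on the PR at `Line`.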
## Self-Hosting & Configuration

- Build from source with Go 1.21+ or use the provided Docker image
- Configure your LLM endpoint (OpenAI, Anthropic, or local) in the YAML config
- Set up GitHub/GitLab webhooks or run reviews manually via the CLI
- Customize rulesets by adding or disabling specific check categories
- Supports per-repository configuration for team-specific review standards

## Key Features

- Hybrid deterministic-plus-LLM architecture minimizes false positives
- Built-in ruleset covers common Java, Go, and Python vulnerability patterns
- Line-level comments pinpoint exactly where issues occur in the diff
- Repository-level context awareness reduces irrelevant findings
- Extensible plugin system for adding custom review rules

## Comparison with Similar Tools

- **PR-Agent** — AI code review focused on PR descriptions and inline suggestions
- **CodeRabbit** — commercial AI review service with broad language support
- **SonarQube** — traditional static analysis without LLM-powered contextual review
- **Semgrep** — pattern-based analysis with custom rules but no AI reasoning
- **Codacy** — automated review platform focused on code quality metrics

## FAQ

**Q: What languages does Open Code Review support?**

A: The deterministic ruleset covers Java, Go, Python, and TypeScript. The LLM agent can review any language supported by the configured model.

**Q: How does it compare to purely LLM-based reviewers?**

A: The hybrid approach catches deterministic bugs that LLMs might miss while using the LLM for nuanced issues that rules cannot express.

**Q: Can I use it without an LLM backend?**

A: Yes. The deterministic pipeline runs independently and provides value without any LLM configuration.

**Q: Does it support monorepos?**

A: Yes. Path-based configuration lets you apply different rulesets to different parts of a monorepo.

## Sources

- https://github.com/alibaba/open-code-review

---

Source: https://tokrepo.com/en/workflows/asset-c68a4b62
Author: Script Depot