# Open Code Review — AI-Augmented Code Review Tool by Alibaba > A hybrid code review tool combining deterministic static analysis pipelines with LLM agents for precise, line-level review comments, built-in security rule detection, and OpenAI/Anthropic API compatibility. ## Install Save in your project root: # Open Code Review — AI-Augmented Code Review Tool by Alibaba ## Quick Use ```bash git clone https://github.com/alibaba/open-code-review.git cd open-code-review go build -o ocr ./cmd/ocr # Review a local git diff ./ocr review --diff HEAD~1..HEAD --model openai/gpt-4o ``` ## Introduction Open Code Review is an open-source code review tool developed by Alibaba that combines deterministic static analysis pipelines with LLM-powered agents. It produces precise, line-level comments identifying null pointer exceptions, thread-safety issues, XSS vulnerabilities, and SQL injection risks. The tool is battle-tested at Alibaba's scale and supports OpenAI and Anthropic-compatible APIs. ## What Open Code Review Does - Runs deterministic analysis pipelines for common bug patterns (NPE, thread-safety, XSS, SQL injection) - Uses LLM agents to provide context-aware code review comments on specific lines - Supports repository-level context for understanding cross-file dependencies - Generates structured review reports with severity levels and fix suggestions - Integrates with CI/CD pipelines for automated pull request reviews ## Architecture Overview Open Code Review uses a hybrid architecture. The first pass runs deterministic rule-based analyzers that detect known vulnerability patterns and coding anti-patterns with high precision. The second pass sends flagged code segments and surrounding context to an LLM agent that evaluates semantic correctness, suggests fixes, and identifies issues that static rules miss. Results are merged, deduplicated, and attached as line-level comments. The system is written in Go for performance and supports parallel analysis of multiple files. ## Self-Hosting & Configuration - Build from source with Go or use pre-built binaries from releases - Configure LLM provider endpoint and API key via environment variables or config file - Customize rule sets by enabling or disabling specific detectors - Integrate with GitHub, GitLab, or Bitbucket for automated PR reviews via webhooks - Runs as a CLI tool or as a long-running service behind your CI/CD pipeline ## Key Features - Built-in fine-tuned ruleset covering NPE, thread-safety, XSS, and SQL injection - Precise line-level comments rather than generic file-level feedback - Repository-level context awareness for cross-file analysis - Compatible with OpenAI and Anthropic API formats - Battle-tested at Alibaba's engineering scale ## Comparison with Similar Tools - **PR-Agent** — LLM-only reviews; Open Code Review adds deterministic pipelines for higher precision - **SonarQube** — static analysis without LLM augmentation; no contextual fix suggestions - **Semgrep** — pattern matching only; Open Code Review combines rules with AI reasoning - **CodeRabbit** — hosted service; Open Code Review is fully self-hosted and open-source - **GitHub Copilot code review** — closed-source and platform-locked; Open Code Review is provider-agnostic ## FAQ **Q: Which programming languages does Open Code Review support?** A: It supports Java, Python, Go, JavaScript, TypeScript, and other languages via its rule engine and LLM analysis. **Q: Can I use it with self-hosted LLMs?** A: Yes. Any OpenAI-compatible API endpoint works, including Ollama and vLLM. **Q: Does it support automated PR comments?** A: Yes. It can post line-level comments directly on pull requests via GitHub and GitLab integrations. **Q: How does it handle false positives?** A: The deterministic pipeline has a built-in confidence scoring system, and the LLM agent acts as a second filter to reduce false positives. ## Sources - https://github.com/alibaba/open-code-review --- Source: https://tokrepo.com/en/workflows/asset-cc410e6d Author: AI Open Source