Configs · 3 July 2026 · 1 min read

Open Code Review — Hybrid AI Code Review by Alibaba

A battle-tested open-source code review tool combining deterministic static analysis pipelines with LLM agents to deliver precise, line-level review comments.

Agent ready

Installable directly by an agent

This asset is installable: the agent first selects the current runtime, checks the install plan, and then runs the matching command.

Native · 98/100 · Policy: allowed
Agent entry point: any MCP/CLI agent
Type: Skill
Install: Single
Trust: trust level Established
Entry: Open Code Review
Direct install command:
npx -y tokrepo@latest install c67e2ccf-771d-11f1-9bc6-00163e2b0d79 --target codex

Run a dry-run first to confirm the install plan, then run this command.

Introduction

Open Code Review is an open-source code review tool developed and battle-tested at Alibaba's scale. It uses a hybrid architecture that combines deterministic analysis pipelines with LLM-powered agents to produce precise, line-level code review comments on pull requests.

What Open Code Review Does

  • Analyzes pull request diffs and posts inline review comments on specific lines
  • Combines rule-based static analysis with LLM reasoning for higher accuracy
  • Ships with a fine-tuned ruleset covering null pointer exceptions, thread safety, XSS, and SQL injection
  • Integrates with GitHub and GitLab via webhooks
  • Supports OpenAI and Anthropic-compatible LLM endpoints

Architecture Overview

The system uses a two-stage pipeline. First, deterministic analyzers scan the diff for known patterns (security vulnerabilities, common bugs, style violations) using a built-in rule engine. Then an LLM agent reviews the remaining changes with full repository-level context, focusing on logic errors and design concerns. Results from both stages are merged, deduplicated, and posted as inline comments on the PR.

Self-Hosting & Configuration

  • Deploy via Docker Compose with the provided configuration
  • Set your LLM API endpoint and key as environment variables
  • Configure Git platform webhooks (GitHub or GitLab) to send PR events
  • Customize rule severity and enable/disable specific analyzers via config files
  • Supports running behind a reverse proxy for enterprise deployments

Key Features

  • Hybrid architecture delivers both deterministic precision and LLM flexibility
  • Built-in security rules catch vulnerabilities without additional tooling
  • Line-level comments appear directly on the PR diff for easy triage
  • Repository-level context awareness reduces false positives
  • Compatible with any OpenAI or Anthropic API-compatible model

Comparison with Similar Tools

  • PR-Agent (Qodo) — general PR review vs. hybrid deterministic + LLM pipeline
  • CodeRabbit — SaaS-only vs. fully self-hosted with custom rules
  • Semgrep — pure static analysis vs. static + LLM reasoning
  • SonarQube — broad code quality vs. focused PR review with AI augmentation

FAQ

Q: Does it support languages beyond Java? A: The deterministic rules focus on Java and common web vulnerabilities. The LLM agent can review code in any language the model supports.

Q: Can I use a local LLM instead of a cloud API? A: Yes. Any OpenAI-compatible endpoint works, including locally hosted models via Ollama or vLLM.

Q: How does it handle false positives? A: The hybrid approach reduces false positives by cross-checking LLM findings against deterministic rules. You can also tune rule thresholds in configuration.

Q: Is it production-ready? A: It has been used at Alibaba's scale and is open-sourced with production deployment documentation.
