Alibaba/Open-Code-Review

Alibaba Group has open-sourced its internal AI code review tool, Open Code Review, which has served tens of thousands of developers and identified millions of code defects over the past two years. The CLI tool reads Git diffs and uses a configurable large language model agent to generate structured, line-level review comments, combining deterministic engineering for precise file selection and rule matching with agent-driven dynamic decision-making. The release aims to address common pain points in AI code review, such as incomplete coverage and unstable quality, by providing a more stable and predictable open-source alternative.

The open source AI code review agent. English | 简体中文 /alibaba/open-code-review/blob/main/README.zh-CN.md Open Code Review is an AI-powered code review CLI tool. It originated as Alibaba Group's internal official AI code review assistant — over the past two years, it has served tens of thousands of developers and identified millions of code defects. After thorough validation at massive scale, we incubated it into an open source project for the community. Simply configure a model endpoint to get started. It reads Git diffs, sends changed files to a configurable LLM via an agent with tool-use capabilities, and generates structured review comments with line-level precision. The agent can read full file contents, search the codebase, inspect other changed files for context, and produce deep reviews — not just surface-level diff feedback. If you've used general-purpose agents like Claude Code with Skills for code review, you've likely encountered these pain points: Incomplete coverage — On larger changesets, agents tend to "cut corners," selectively reviewing only some files and missing others. Position drift — Reported issues frequently don't match the actual code location, with line numbers or file references drifting off target. Unstable quality — Natural-language-driven Skills are hard to debug, and review quality fluctuates significantly with minor prompt variations. The root cause: a purely language-driven architecture lacks hard constraints on the review process. Open Code Review's core philosophy is to combine deterministic engineering with an agent, each handling what it does best. Deterministic Engineering — Hard Constraints For review steps that must not go wrong , engineering logic — not the language model — guarantees correctness: Precise file selection — Determines exactly which files need review and which should be filtered, ensuring no important change is missed. Smart file bundling — Groups related files into a single review unit e.g., message en.properties and message zh.properties are bundled together . Each bundle runs as a sub-agent with isolated context — a divide-and-conquer strategy that stays stable on very large changesets and naturally supports concurrent review. Fine-grained rule matching — Matches review rules to each file's characteristics, keeping the model's attention sharply focused and eliminating information noise at the source. Compared to purely language-driven rule guidance, template-engine-based rule matching is more stable and predictable. External positioning and reflection modules — Independent comment-positioning and comment-reflection modules systematically improve both the location accuracy and content accuracy of AI feedback. Agent — Dynamic Decision-Making The agent's strengths are concentrated where they matter most — dynamic decisions and dynamic context retrieval: Scenario-tuned prompts — Prompt templates deeply optimized for code review, improving effectiveness while reducing token consumption. Scenario-tuned toolset — Distilled from deep analysis of tool-call traces in large-scale production data — including call frequency distributions, per-tool repetition rates, and the impact of new tools on the overall call chain — resulting in a purpose-built toolset that is more stable and predictable for code review than a generic agent toolkit. Via NPM Recommended npm install -g @alibaba-group/open-code-review After installation, the ocr command is available globally. From GitHub Release Download the latest binary from GitHub Releases https://github.com/alibaba/open-code-review/releases : macOS Apple Silicon curl -Lo ocr https://github.com/alibaba/open-code-review/releases/latest/download/opencodereview-darwin-arm64 chmod +x ocr && sudo mv ocr /usr/local/bin/ocr macOS Intel curl -Lo ocr https://github.com/alibaba/open-code-review/releases/latest/download/opencodereview-darwin-amd64 chmod +x ocr && sudo mv ocr /usr/local/bin/ocr Linux x86 64 curl -Lo ocr https://github.com/alibaba/open-code-review/releases/latest/download/opencodereview-linux-amd64 chmod +x ocr && sudo mv ocr /usr/local/bin/ocr Linux ARM64 curl -Lo ocr https://github.com/alibaba/open-code-review/releases/latest/download/opencodereview-linux-arm64 chmod +x ocr && sudo mv ocr /usr/local/bin/ocr Windows x86 64 — move ocr.exe to a directory in your PATH curl -Lo ocr.exe https://github.com/alibaba/open-code-review/releases/latest/download/opencodereview-windows-amd64.exe Windows ARM64 — move ocr.exe to a directory in your PATH curl -Lo ocr.exe https://github.com/alibaba/open-code-review/releases/latest/download/opencodereview-windows-arm64.exe From Source git clone https://github.com/alibaba/open-code-review.git cd open-code-review make build sudo cp dist/opencodereview /usr/local/bin/ocr 1. Configure LLM You must configure an LLM before reviewing code. Option A: Interactive config ocr config set llm.url https://api.anthropic.com/v1/messages ocr config set llm.auth token your-api-key-here ocr config set llm.model claude-opus-4-6 ocr config set llm.use anthropic true Option B: Environment variables highest priority export OCR LLM URL=https://api.anthropic.com/v1/messages export OCR LLM TOKEN=your-api-key-here export OCR LLM MODEL=claude-opus-4-6 export OCR USE ANTHROPIC=true Config is stored in ~/.opencodereview/config.json . It is also compatible with Claude Code environment variables ANTHROPIC BASE URL , ANTHROPIC AUTH TOKEN , ANTHROPIC MODEL and parses ~/.zshrc / ~/.bashrc for those exports. 2. Test Connectivity ocr llm test 3. Review cd your-project Workspace mode — review all staged, unstaged, and untracked changes ocr review Branch range — compare two refs ocr review --from main --to feature-branch Single commit ocr review --commit abc123 OCR can be seamlessly integrated into AI coding agents as a slash command, enabling code review directly within your agent workflow. Use npx to install the OCR skill into your project: npx skills add alibaba/open-code-review --skill open-code-review This installs the open-code-review skill from the skills registry /alibaba/open-code-review/blob/main/skills/open-code-review/SKILL.md , which teaches your coding agent how to invoke ocr for code review, classify issues by priority, and optionally apply fixes. For Claude Code https://docs.anthropic.com/en/docs/claude-code , install the command plugin through the following command in Claude Code: /plugin marketplace add alibaba/open-code-review /plugin install open-code-review@open-code-review This registers the /open-code-review:review slash command, which runs OCR and automatically filters and fixes issues. For a quick setup without any package manager, simply copy the command file to use the /open-code-review slash command in Claude Code. Project-level shared with team via git : mkdir -p .claude/commands curl -o .claude/commands/open-code-review.md \ https://raw.githubusercontent.com/alibaba/open-code-review/main/plugins/open-code-review/commands/review.md User-level personal global use across all projects : mkdir -p ~/.claude/commands curl -o ~/.claude/commands/open-code-review.md \ https://raw.githubusercontent.com/alibaba/open-code-review/main/plugins/open-code-review/commands/review.md Prerequisite: All integration methods require the ocr CLI to be installed and an LLM configured. See Install and Configure LLM above. OCR can be integrated into CI/CD pipelines to automate code review on Merge Requests / Pull Requests. The core command for CI integration: ocr review \ --from "origin/main" \ --to "origin/feature-branch" \ --format json The --format json flag outputs machine-readable results suitable for parsing in CI scripts. See the examples/ /alibaba/open-code-review/blob/main/examples directory for integration examples: — GitHub Actions integration example github actions/ — GitLab CI integration example gitlab ci/ | Command | Alias | Description | |---|---|---| ocr review | ocr r | Start a code review | ocr rules check <file | — | Preview which review rule applies to a file path | ocr config set <key <value | — | Set configuration values | ocr llm test | — | Test LLM connectivity | ocr viewer | ocr v | Launch WebUI session viewer on localhost:5483 | ocr version | — | Show version info | | Flag | Shorthand | Default | Description | |---|---|---|---| --repo | — | current dir | Git repository root | --from | — | — | Source ref e.g., main | --to | — | — | Target ref e.g., feature-branch | --commit | -c | — | Single commit to review | --preview | -p | false | Preview which files will be reviewed without running the LLM | --format | -f | text | Output format: text or json | --concurrency | — | 8 | Max concurrent file reviews | --timeout | — | 10 | Concurrent task timeout in minutes | --audience | — | human | human show progress or agent summary only | --rule | — | — | Path to custom JSON review rules | --max-tools | — | built-in | Max tool call rounds per file; only takes effect when greater than template default | --tools | — | — | Path to custom JSON tools config | Preview which files will be reviewed no LLM calls ocr review --preview ocr review -c abc123 -p Review workspace changes with default settings ocr review Review branch diff with higher concurrency ocr review --from main --to my-feature --concurrency 4 Review a specific commit with verbose JSON output ocr review --commit abc123 --format json --audience agent Use custom review rules ocr review --rule /path/to/my-rules.json Preview which rule applies to a file ocr rules check src/main/java/com/example/Foo.java ocr rules check --rule custom.json src/main/resources/mapper/UserMapper.xml View review session history in browser ocr viewer ocr viewer --addr :3000 The viewer serves session JSONL contents LLM request messages and responses over HTTP. It enforces a Host-header allowlist on every request: loopback names localhost , 127.0.0.0/8 , ::1 and the concrete bind host are always allowed. Wildcard binds --addr :3000 , --addr 0.0.0.0:3000 and other non-loopback Hostnames must be added via the OCR VIEWER ALLOWED HOSTS environment variable comma-separated : OCR VIEWER ALLOWED HOSTS=review.internal,ocr.lan ocr viewer --addr :3000 This blocks DNS-rebinding attacks against the local viewer. OCR resolves review rules using a four-layer priority chain. Each layer uses first-match-wins: if a file path matches a pattern, that rule is used; otherwise it falls through to the next layer. | Priority | Source | Path | Description | |---|---|---|---| | 1 highest | --rule flag | User-specified path | CLI explicit override | | 2 | Project config | <repoDir /.opencodereview/rule.json | Per-project rules, can be committed to git | | 3 | Global config | ~/.opencodereview/rule.json | User-wide personal preferences | | 4 lowest | System default | Embedded system rules.json | Built-in rules covering common languages and file types | Layers 1–3 share the same JSON format: { "rules": { "path": "force-api/ / .java", "rule": "All new methods must validate required parameters for null values" }, { "path": " / mapper .xml", "rule": "Check SQL for injection risks, parameter errors, and missing closing tags" } } path supports recursive matching and {java,kt} brace expansion.- Within each layer, rules are evaluated in declaration order — the first match wins. - If a rule file does not exist, it is silently skipped. Config file: ~/.opencodereview/config.json | Key | Type | Example | |---|---|---| llm.url | string | https://api.openai.com/v1/chat/completions | llm.auth token | string | sk-xxxxxxx | llm.model | string | claude-opus-4-6 | llm.use anthropic | boolean | true | false | language | string | English | Chinese default: Chinese | telemetry.enabled | boolean | true | false | telemetry.exporter | string | console | otlp | telemetry.otlp endpoint | string | OTLP collector address | telemetry.content logging | boolean | Include prompts in telemetry | Environment variables take precedence over the config file. | Variable | Purpose | |---|---| OCR LLM URL | LLM API endpoint URL | OCR LLM TOKEN | API key / auth token | OCR LLM MODEL | Model name | OCR USE ANTHROPIC | true = Anthropic, false = OpenAI | OpenTelemetry integration for observability spans, metrics . Disabled by default. ocr config set telemetry.enabled true ocr config set telemetry.exporter otlp ocr config set telemetry.otlp endpoint localhost:4317 Set telemetry.content logging to include LLM prompts and responses in exported data. See CONTRIBUTING.md /alibaba/open-code-review/blob/main/CONTRIBUTING.md for development setup, coding guidelines, and how to submit pull requests. Apache-2.0 /alibaba/open-code-review/blob/main/LICENSE — Copyright 2026 Alibaba