{"slug": "building-a-local-ai-code-reviewer-with-ollama-that-catches-bugs-before-your-team", "title": "Building a Local AI Code Reviewer with Ollama That Catches Bugs Before Your Team", "summary": "A developer built a local AI code reviewer using Ollama and the qwen2.5-coder:7b model that runs as a pre-commit hook. The TypeScript CLI feeds staged git diffs to the LLM and returns structured bug findings without sending code to the cloud. The tool focuses on logic errors, null access, resource leaks, and security issues while ignoring style and formatting suggestions.", "body_md": "Your teammates are busy. Your CI is green but shallow. And the bug you just staged is the kind a second pair of eyes would catch in five seconds. So let's build that second pair of eyes: a small TypeScript CLI that feeds your staged git diff to a local LLM and returns structured findings, before anyone else sees your code. No API key, no cloud, no leaking your private repo to a vendor.\n\nThe whole tool is one loop:\n\n`git diff --cached`\n\n.`pre-commit`\n\nhook.Everything runs locally against `qwen2.5-coder:7b`\n\n. You'll need Ollama running (`ollama serve`\n\n) and the model pulled (`ollama pull qwen2.5-coder:7b`\n\n).\n\nThe reviewer should look at exactly what you're about to commit, nothing more. That's `--cached`\n\n(staged changes only):\n\n``` js\nimport { execSync } from \"node:child_process\";\n\nfunction getStagedDiff(): string {\n  return execSync(\"git diff --cached --no-color -U3\", {\n    encoding: \"utf8\",\n    maxBuffer: 10 * 1024 * 1024,\n  });\n}\n```\n\nA few choices that matter:\n\n`--no-color`\n\nkeeps ANSI escape codes out of the prompt.`-U3`\n\ngives three lines of context around each hunk. Enough for the model to reason, not so much that you blow the context window.`maxBuffer`\n\nbumps Node's default 1MB cap so big diffs don't throw.If the diff is empty, there's nothing to review:\n\n``` js\nconst diff = getStagedDiff();\nif (diff.trim().length === 0) {\n  console.log(\"No staged changes. Stage something first with `git add`.\");\n  process.exit(0);\n}\n```\n\nThis is where the quality lives. A vague prompt gives you vague, hallucinated nitpicks. Be specific about what counts as a finding, and what to ignore.\n\n``` js\nconst SYSTEM_PROMPT = `You are a senior code reviewer. You review git diffs for bugs only.\n\nFocus on:\n- Logic errors (off-by-one, inverted conditions, wrong operators)\n- Null/undefined access and unhandled error cases\n- Resource leaks (unclosed handles, missing awaits)\n- Security issues (injection, hardcoded secrets, unsafe input)\n\nDo NOT report:\n- Style, formatting, or naming preferences\n- Suggestions to add comments or tests\n- Anything you are not confident is an actual bug\n\nLines starting with \"+\" are added. Lines starting with \"-\" are removed.\nOnly review added (\"+\") lines. Respond with ONLY valid JSON.`;\n```\n\nThe \"do NOT report\" block is doing heavy lifting. Small models love to pad output with \"consider adding a comment here.\" Telling them what to suppress is more effective than telling them what to find.\n\nThe instruction to only review `+`\n\nlines matters too. Without it, the model will happily flag a bug in code you just deleted, which is both useless and confusing. Diffs are a strange dialect to a model trained mostly on whole files, so being explicit about what the `+`\n\nand `-`\n\nprefixes mean pays off in fewer nonsense findings.\n\nOllama speaks the OpenAI-compatible API at `localhost:11434`\n\n. Spell out the exact schema in the prompt and set `temperature: 0`\n\nso the output is deterministic:\n\n``` js\nconst RESPONSE_SCHEMA = `Respond with this exact JSON shape:\n{\n  \"findings\": [\n    {\n      \"severity\": \"high\" | \"medium\" | \"low\",\n      \"file\": \"string\",\n      \"line\": \"string (the code snippet or line reference)\",\n      \"issue\": \"string (one sentence: what is wrong)\",\n      \"fix\": \"string (one sentence: how to fix it)\"\n    }\n  ]\n}\nIf there are no bugs, return { \"findings\": [] }.`;\n\nasync function reviewDiff(diff: string, model: string): Promise<unknown> {\n  const response = await fetch(\"http://localhost:11434/v1/chat/completions\", {\n    method: \"POST\",\n    headers: { \"Content-Type\": \"application/json\" },\n    body: JSON.stringify({\n      model,\n      messages: [\n        { role: \"system\", content: `${SYSTEM_PROMPT}\\n\\n${RESPONSE_SCHEMA}` },\n        { role: \"user\", content: `Review this diff:\\n\\n${diff}` },\n      ],\n      temperature: 0,\n      response_format: { type: \"json_object\" },\n      stream: false,\n    }),\n  });\n\n  if (!response.ok) {\n    throw new Error(`Ollama returned ${response.status}. Is \\` ollama serve\\` running?`);\n  }\n\n  const data = await response.json();\n  return JSON.parse(data.choices[0].message.content);\n}\n```\n\n`response_format: { type: \"json_object\" }`\n\nnudges Ollama into JSON mode, which cuts down on the \"Here's your review:\" preamble that breaks `JSON.parse`\n\n. It isn't a guarantee, though, which is why the next step exists.\n\nNever trust raw model output. A 1.5b model will occasionally hand you a string where you expected an array, or invent a severity level. Parse it at the boundary and fail loudly if it's malformed:\n\n``` js\nimport { z } from \"zod\";\n\nconst FindingSchema = z.object({\n  severity: z.enum([\"high\", \"medium\", \"low\"]),\n  file: z.string(),\n  line: z.string(),\n  issue: z.string(),\n  fix: z.string(),\n});\n\nconst ReviewSchema = z.object({\n  findings: z.array(FindingSchema),\n});\n\ntype Review = z.infer<typeof ReviewSchema>;\n\nfunction parseReview(raw: unknown): Review {\n  const result = ReviewSchema.safeParse(raw);\n  if (!result.success) {\n    throw new Error(`Model returned invalid review JSON:\\n${result.error.message}`);\n  }\n  return result.data;\n}\n```\n\n`safeParse`\n\nover `parse`\n\nso you can give a useful error instead of an unhandled throw. When this fires, it's almost always the model wandering off-schema, and the fix is usually a smaller diff or a bigger model.\n\nMake the output scannable. A reviewer nobody reads is useless:\n\n```\nfunction printReview(review: Review): number {\n  if (review.findings.length === 0) {\n    console.log(\"Local review passed. No bugs found.\");\n    return 0;\n  }\n\n  const icon = { high: \"[HIGH]\", medium: \"[MED] \", low: \"[LOW] \" };\n  let hasHigh = false;\n\n  for (const f of review.findings) {\n    if (f.severity === \"high\") hasHigh = true;\n    console.log(`\\n${icon[f.severity]} ${f.file}`);\n    console.log(`  where: ${f.line}`);\n    console.log(`  issue: ${f.issue}`);\n    console.log(`  fix:   ${f.fix}`);\n  }\n\n  console.log(`\\n${review.findings.length} finding(s).`);\n  return hasHigh ? 1 : 0;\n}\n```\n\nNotice the exit code: only `high`\n\nseverity blocks the commit. Medium and low get printed as a heads-up but don't stand in your way. Tune that threshold to your team's tolerance.\n\n``` js\nasync function main() {\n  const model = process.argv[2] ?? \"qwen2.5-coder:7b\";\n  const diff = getStagedDiff();\n\n  if (diff.trim().length === 0) {\n    console.log(\"No staged changes.\");\n    process.exit(0);\n  }\n\n  try {\n    const raw = await reviewDiff(diff, model);\n    const review = parseReview(raw);\n    process.exit(printReview(review));\n  } catch (err) {\n    console.error(`Review failed: ${(err as Error).message}`);\n    // Don't block commits on tooling failure. Warn and pass.\n    process.exit(0);\n  }\n}\n\nmain();\n```\n\nThe `catch`\n\nis deliberate: if Ollama is down or the JSON is garbage, you log it and let the commit through. A review tool that hard-blocks commits when it itself breaks is a tool people will rip out by Friday.\n\nBuild the CLI, then drop a hook into `.git/hooks/pre-commit`\n\n:\n\n``` bash\n#!/usr/bin/env bash\nset -euo pipefail\n\necho \"Running local AI review...\"\nnode /path/to/review.js qwen2.5-coder:7b\nchmod +x .git/hooks/pre-commit\n```\n\nFor a hook the whole team shares, use [husky](https://typicode.github.io/husky) instead so it lives in the repo. Either way, every `git commit`\n\nnow runs the diff past a local model first. Need to skip it for a quick WIP commit? `git commit --no-verify`\n\n.\n\nOne thing to watch: the first call after the model loads into memory is slow, often several seconds on CPU. That's Ollama paging the weights in, not your code being slow. Keep `ollama serve`\n\nrunning in the background and subsequent commits feel near-instant. If you commit rarely enough that the model unloads between commits, that cold start is the price you pay each time.\n\nThis is the part most tutorials skip. A local `qwen2.5-coder:7b`\n\nis not a staff engineer. Here's the realistic picture:\n\n| Bug type | 1.5b | 7b | Notes |\n|---|---|---|---|\n| Null/undefined access | Decent | Good | The model's bread and butter |\n| Inverted conditions / wrong operator | Spotty | Decent | Needs enough context (`-U3` helps) |\nMissing `await`\n|\nDecent | Good | Easy pattern to catch |\n| Subtle race conditions | Misses | Misses | Needs cross-file context it lacks |\n| Logic spanning multiple files | Misses | Misses | A diff is a keyhole, not the room |\n| False positives | Frequent | Occasional | The main cost of running local |\n\nTwo failure modes dominate: it invents bugs that aren't there (false positives), and it misses anything that requires understanding code outside the diff. Here's how to keep it useful anyway:\n\n`temperature: 0`\n\nalways.`7b`\n\nfor the hook, `1.5b`\n\nfor fast local iteration.`1.5b`\n\nis ~1GB and quick, but its false-positive rate makes it annoying as a gate. Save it for `--dry-run`\n\nstyle checks.`high`\n\nonly.A local AI reviewer won't replace your team, and it shouldn't try to. What it does well is catch the careless, three-in-the-afternoon bugs before they reach a pull request: the missing `await`\n\n, the `!`\n\nyou meant to delete, the unhandled `null`\n\n. It runs free, it runs private, and it runs every time you commit.\n\nI built the same Claude-plus-Ollama pattern at a larger scale in [spectr-ai](https://github.com/pavelEspitia/spectr-ai), an AI smart contract auditor where `--model ollama:qwen2.5-coder:1.5b`\n\nruns the entire audit locally with no API key. The diff-reviewer here is the same idea shrunk to fit in a git hook. Steal it, scope your diffs, and let the small model earn its keep.", "url": "https://wpnews.pro/news/building-a-local-ai-code-reviewer-with-ollama-that-catches-bugs-before-your-team", "canonical_source": "https://dev.to/pavelespitia/building-a-local-ai-code-reviewer-with-ollama-that-catches-bugs-before-your-team-49d3", "published_at": "2026-06-15 16:04:52+00:00", "updated_at": "2026-06-15 16:06:46.549137+00:00", "lang": "en", "topics": ["artificial-intelligence", "large-language-models", "developer-tools"], "entities": ["Ollama", "qwen2.5-coder:7b", "TypeScript", "Git"], "alternates": {"html": "https://wpnews.pro/news/building-a-local-ai-code-reviewer-with-ollama-that-catches-bugs-before-your-team", "markdown": "https://wpnews.pro/news/building-a-local-ai-code-reviewer-with-ollama-that-catches-bugs-before-your-team.md", "text": "https://wpnews.pro/news/building-a-local-ai-code-reviewer-with-ollama-that-catches-bugs-before-your-team.txt", "jsonld": "https://wpnews.pro/news/building-a-local-ai-code-reviewer-with-ollama-that-catches-bugs-before-your-team.jsonld"}}