Open Code Review
π€ AI code quality gate for AI-generated code. Detects hallucinated packages, phantom dependencies, stale APIs, and more. MCP Server + CLI + CI/CD Action.
Ask AI about Open Code Review
Powered by Claude Β· Grounded in docs
I know everything about Open Code Review. Ask me about installation, configuration, usage, or troubleshooting.
0/500
Reviews
Documentation
Open Code Review
The first open-source CI/CD quality gate built specifically for AI-generated code. Detects hallucinated imports, stale APIs, over-engineering, and security anti-patterns β powered by local LLMs and any OpenAI-compatible provider. Free. Self-hostable. 6 languages.
Works With
Any AI tool that generates code β if it writes it, OCR reviews it.
What AI Linters Miss
AI coding assistants (Copilot, Cursor, Claude) generate code with defects that traditional tools miss entirely:
| Defect | Example | ESLint / SonarQube |
|---|---|---|
| Hallucinated imports | import { x } from 'non-existent-pkg' | β Miss |
| Stale APIs | Using deprecated APIs from training data | β Miss |
| Context window artifacts | Logic contradictions across files | β Miss |
| Over-engineered patterns | Unnecessary abstractions, dead code | β Miss |
| Security anti-patterns | Hardcoded example secrets, eval() | β Partial |
Open Code Review detects all of them β across 6 languages, for free.
Demo
π View full interactive HTML report
Quick Preview
$ ocr scan src/ --sla L3
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Open Code Review β Deep Scan Report β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Project: packages/core/src
SLA: L3 Deep β Structural + Embedding + LLM Analysis
112 issues found in 110 files
Overall Score: 67/100 D
Threshold: 70 | Status: FAILED
Files Scanned: 110 | Languages: typescript | Duration: 12.3s
Deep Scan (L3) β How It Works
L3 combines three analysis layers for maximum coverage:
Layer 1: Structural Detection Layer 2: Semantic Analysis Layer 3: LLM Deep Scan
βββ Hallucinated imports (npm/PyPI) βββ Embedding similarity recall βββ Cross-file coherence check
βββ Stale API detection βββ Risk scoring βββ Logic bug detection
βββ Security patterns βββ Context window artifacts βββ Confidence scoring
βββ Over-engineering metrics βββ Enhanced severity ranking βββ AI-powered fix suggestions
βββ A+ β F quality scoring
Powered by local LLMs or any OpenAI-compatible API. Run Ollama for 100% local analysis, or connect to any remote LLM provider β the interface is the same.
# Local analysis (Ollama)
ocr scan src/ --sla L3 --provider ollama --model qwen3-coder
# Any OpenAI-compatible provider
ocr scan src/ --sla L3 --provider openai-compatible \
--api-base https://your-llm-endpoint/v1 --model your-model --api-key YOUR_KEY
AI Auto-Fix β ocr heal
Let AI automatically fix the issues it finds. Review changes before applying.
# Preview fixes without changing files
ocr heal src/ --dry-run
# Apply fixes + generate IDE rules
ocr heal src/ --provider ollama --model qwen3-coder --setup-ide
# Only generate IDE rules (Cursor, Copilot, Augment)
ocr setup src/
Multi-Language Detection
Language-specific detectors for 6 languages, plus hallucinated package databases (npm, PyPI, Maven, Go modules):
| Language | Specific Detectors |
|---|---|
| TypeScript / JavaScript | Hallucinated imports (npm), stale APIs, over-engineering |
| Python | Bare except, eval(), mutable default args, hallucinated imports (PyPI) |
| Java | System.out.println leaks, deprecated Date/Calendar, hallucinated imports (Maven) |
| Go | Unhandled errors, deprecated ioutil, panic in library code |
| Kotlin | !! abuse, println leaks, null-safety anti-patterns |
How It Compares
| Open Code Review | Claude Code Review | CodeRabbit | GitHub Copilot | |
|---|---|---|---|---|
| Price | Free | $15β25/PR | $24/mo/seat | $10β39/mo |
| Open Source | β | β | β | β |
| Self-hosted | β | β | Enterprise | β |
| AI Hallucination Detection | β | β | β | β |
| Stale API Detection | β | β | β | β |
| Deep LLM Analysis | β | β | β | β |
| AI Auto-Fix | β | β | β | β |
| Multi-Language | β 6 langs | β | JS/TS | JS/TS |
| Registry Verification | β npm/PyPI/Maven | β | β | β |
| Unicode Security Detection | β | β | β | β |
| SARIF Output | β | β | β | β |
| GitHub + GitLab | β Both | GitHub only | Both | GitHub only |
| Data Privacy | β 100% local | β Cloud | β Cloud | β Cloud |
Quick Start
# Install
npm install -g @opencodereview/cli
# Fast scan β no AI needed
ocr scan src/
# Deep scan β with local LLM (Ollama)
ocr scan src/ --sla L3 --provider ollama --model qwen3-coder
# Deep scan β with any OpenAI-compatible provider
ocr scan src/ --sla L3 --provider openai-compatible \
--api-base https://your-provider/v1 --model your-model --api-key YOUR_KEY
CI/CD Integration
GitHub Actions (30 seconds)
name: Code Review
on: [pull_request]
jobs:
review:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: raye-deng/open-code-review@v1
with:
sla: L1
threshold: 60
github-token: ${{ secrets.GITHUB_TOKEN }}
GitLab CI
code-review:
script:
- npx @opencodereview/cli scan src/ --sla L1 --threshold 60 --format json --output ocr-report.json
artifacts:
reports:
codequality: ocr-report.json
Output Formats
ocr scan src/ --format terminal # Pretty terminal output
ocr scan src/ --format json # JSON for CI pipelines
ocr scan src/ --format sarif # SARIF for GitHub Code Scanning
ocr scan src/ --format html # Interactive HTML report
Configuration
# .ocrrc.yml
sla: L3
ai:
embedding:
provider: ollama
model: nomic-embed-text
baseUrl: http://localhost:11434
llm:
provider: ollama
model: qwen3-coder
endpoint: http://localhost:11434
# Or use any OpenAI-compatible provider:
# provider: openai-compatible
# apiBase: https://your-llm-endpoint/v1
# model: your-model
MCP Server β Use in Claude Desktop, Cursor, Windsurf
Integrate Open Code Review directly into your AI IDE via the Model Context Protocol:
npx @opencodereview/mcp-server
Claude Desktop (claude_desktop_config.json):
{
"mcpServers": {
"open-code-review": {
"command": "npx",
"args": ["-y", "@opencodereview/mcp-server"]
}
}
}
Cursor / Windsurf / VS Code Copilot: Add the same configuration in your MCP settings.
Available MCP Tools: ocr_scan (quality gate scan), ocr_heal (AI auto-fix), ocr_explain (issue explanation).
π‘ Chrome DevTools MCP Compatible: The OCR MCP Server follows the standard Model Context Protocol. Pair it with Google's Chrome DevTools MCP Server for a complete AI-native dev workflow β one inspects your running app, the other inspects your source code.
Project Structure
packages/
core/ # Detection engine + scoring (@opencodereview/core)
cli/ # CLI tool β ocr command (@opencodereview/cli)
mcp-server/ # MCP Server for AI IDEs (@opencodereview/mcp-server)
github-action/ # GitHub Action wrapper
Who Is This For?
- Teams using AI coding assistants β Copilot, Cursor, Claude Code, Codex, or any LLM-based tool that generates production code
- Open-source maintainers β Review AI-generated PRs for hallucinated imports, stale APIs, and security anti-patterns before merging
- DevOps / Platform engineers β Add a quality gate to CI/CD pipelines without sending code to cloud services
- Security-conscious teams β Run everything locally (Ollama), keep your code on your machines
- Solo developers β Free, fast, and works with zero configuration (
npx @opencodereview/cli scan src/)
Featured On
License
BSL-1.1 β Free for personal and non-commercial use. Converts to Apache 2.0 on 2030-03-11. Commercial use requires a Team or Enterprise license.
Star this repo if you find it useful β it helps more than you think!