open-code-review
AI-powered code review tool that detects AI-generated code defects invisible to traditional linters — hallucinated packages, deprecated APIs, cross-file contradictions, hidden security anti-patterns, and over-engineering. Works as a standalone CLI, GitHub Action, or MCP server. Supports TypeScript, Python, Java, Go, and Kotlin. Free for individuals, no API key required.
Open Code Review
The first open-source CI/CD quality gate built specifically for AI-generated code. Detects hallucinated imports, stale APIs, over-engineering, and security anti-patterns — powered by local LLMs and any OpenAI-compatible provider. Free. Self-hostable. 6 languages.

Works With
Any AI tool that generates code — if it writes it, OCR reviews it.
What AI Linters Miss
AI coding assistants (Copilot, Cursor, Claude) generate code with defects that traditional tools miss entirely:
| Defect | Example | ESLint / SonarQube |
|---|---|---|
| Hallucinated imports | `import { x } from 'non-existent-pkg'` | ❌ Miss |
| Stale APIs | Using deprecated APIs from training data | ❌ Miss |
| Context window artifacts | Logic contradictions across files | ❌ Miss |
| Over-engineered patterns | Unnecessary abstractions, dead code | ❌ Miss |
| Security anti-patterns | Hardcoded example secrets, eval() | ❌ Partial |
Open Code Review detects all of them — across 6 languages, for free.
Demo

📄 View full interactive HTML report
Quick Preview
$ ocr scan src/ --sla L3
╔══════════════════════════════════════════════════════════════╗
║ Open Code Review — Deep Scan Report ║
╚══════════════════════════════════════════════════════════════╝
Project: packages/core/src
SLA: L3 Deep — Structural + Embedding + LLM Analysis
112 issues found in 110 files
Overall Score: 67/100 D
Threshold: 70 | Status: FAILED
Files Scanned: 110 | Languages: typescript | Duration: 12.3s
Deep Scan (L3) — How It Works
L3 combines three analysis layers for maximum coverage:
Layer 1: Structural Detection
- Hallucinated imports (npm/PyPI)
- Stale API detection
- Security patterns
- Over-engineering metrics
- A+ → F quality scoring

Layer 2: Semantic Analysis
- Embedding similarity recall
- Risk scoring
- Context window artifacts
- Enhanced severity ranking

Layer 3: LLM Deep Scan
- Cross-file coherence check
- Logic bug detection
- Confidence scoring
- AI-powered fix suggestions
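To make the Layer 1 checks and the "What AI Linters Miss" table concrete, here is a miniature structural detector for TypeScript/JavaScript. It is an added example and not Open Code Review's own code: it reduces each bare import to a package name and checks it against package.json and the Node builtins (an unknown name is exactly the hallucinated package an attacker can register on npm), flags eval()/new Function(), string literals assigned to secret-looking names and bidi/zero-width Unicode controls, then applies a score gate in the spirit of the report above. The sample package.json and module are constructed, the severity weights and grade bands are assumptions, and the regex approach is for brevity (a production detector walks an AST).

```typescript
// Added example (not Open Code Review's own code): a miniature "Layer 1"
// structural detector for TypeScript/JavaScript. Regex-based for brevity;
// a production detector would walk an AST. Weights/grades are assumptions.

type Severity = "high" | "medium" | "low";
interface Finding { rule: string; line: number; severity: Severity; detail: string }
interface PackageJson { dependencies?: Record<string, string>; devDependencies?: Record<string, string> }

const NODE_BUILTINS = new Set(["assert", "buffer", "child_process", "crypto", "events", "fs",
  "http", "https", "net", "os", "path", "process", "readline", "stream", "url", "util", "zlib"]);

const lineOf = (src: string, index: number): number => src.slice(0, index).split("\n").length;

// "@acme/hashing/fast" -> "@acme/hashing", "node:fs/promises" -> "fs", "./x" -> null
function packageNameOf(spec: string): string | null {
  const bare = spec.startsWith("node:") ? spec.slice(5) : spec;
  if (bare.startsWith(".") || bare.startsWith("/")) return null;
  const parts = bare.split("/");
  return bare.startsWith("@") && parts.length >= 2 ? `${parts[0]}/${parts[1]}` : parts[0];
}

// ESM import/export-from, side-effect and dynamic import(), and CommonJS require().
function importSpecifiers(src: string): Array<{ spec: string; line: number }> {
  const patterns = [
    /\b(?:import|export)\b[^'"]*?\bfrom\s*['"]([^'"]+)['"]/g,
    /\bimport\s*\(?\s*['"]([^'"]+)['"]/g,
    /\brequire\s*\(\s*['"]([^'"]+)['"]/g,
  ];
  const seen = new Set<string>();
  const out: Array<{ spec: string; line: number }> = [];
  for (const re of patterns) {
    let m: RegExpExecArray | null;
    while ((m = re.exec(src)) !== null) {
      const entry = { spec: m[1], line: lineOf(src, m.index) };
      const key = `${entry.line}:${entry.spec}`;
      if (!seen.has(key)) { seen.add(key); out.push(entry); }
    }
  }
  return out.sort((a, b) => a.line - b.line);
}

function scanSource(src: string, pkg: PackageJson): Finding[] {
  const declared = new Set(Object.keys(pkg.dependencies ?? {}).concat(Object.keys(pkg.devDependencies ?? {})));
  const findings: Finding[] = [];
  for (const { spec, line } of importSpecifiers(src)) {
    const name = packageNameOf(spec);
    if (name !== null && !declared.has(name) && !NODE_BUILTINS.has(name)) {
      findings.push({ rule: "hallucinated-import", line, severity: "high",
        detail: `"${name}" is neither a declared dependency nor a Node builtin` });
    }
  }
  src.split("\n").forEach((text, i) => {
    const line = i + 1;
    if (/\beval\s*\(|\bnew\s+Function\s*\(/.test(text))
      findings.push({ rule: "dynamic-code", line, severity: "high", detail: "eval()/new Function() runs a runtime string" });
    if (/\b(?:api[_-]?key|secret|token|password|passwd)\b\s*[:=]\s*['"][^'"]{8,}['"]/i.test(text) || /\bAKIA[0-9A-Z]{16}\b/.test(text))
      findings.push({ rule: "hardcoded-secret", line, severity: "high", detail: "credential-looking string literal" });
    if (/[\u202A-\u202E\u2066-\u2069\u200B-\u200D]/.test(text))
      findings.push({ rule: "unicode-control", line, severity: "high", detail: "bidi override or zero-width character (Trojan Source)" });
  });
  return findings.sort((a, b) => a.line - b.line);
}

// Assumed weights and grade bands; the real tool's scoring formula is not documented here.
const WEIGHT: Record<Severity, number> = { high: 8, medium: 4, low: 1 };
function qualityGate(findings: Finding[], threshold: number): { score: number; grade: string; passed: boolean } {
  const score = Math.max(0, 100 - findings.reduce((sum, f) => sum + WEIGHT[f.severity], 0));
  const grade = score >= 90 ? "A" : score >= 80 ? "B" : score >= 70 ? "C" : score >= 60 ? "D" : "F";
  return { score, grade, passed: score >= threshold };
}

// Constructed sample project: a package.json and one AI-generated module.
const SAMPLE_PKG: PackageJson = { dependencies: { express: "^4.19.0", zod: "^3.23.0" }, devDependencies: { typescript: "^5.5.0" } };
const SAMPLE_SRC = [
  'import express from "express";',
  'import { z } from "zod";',
  'import { readFile } from "node:fs/promises";',
  'import { validateJwt } from "express-jwt-validator-utils"; // plausible name, not a real dependency',
  'const { hash } = require("@acme/hashing/fast");',
  'import "./polyfills";',
  'const API_KEY = "sk_live_1234567890abcdef";',
  'const result = eval(userInput);',
  'const greeting = "Hello\u202Eworld"; // invisible right-to-left override',
].join("\n");

const findings = scanSource(SAMPLE_SRC, SAMPLE_PKG);
const gate = qualityGate(findings, 70);
for (const f of findings) console.log(`L${f.line} [${f.severity}] ${f.rule}: ${f.detail}`);
console.log(`Score: ${gate.score}/100 ${gate.grade} | Threshold: 70 | ${gate.passed ? "PASSED" : "FAILED"}`);
```

On the constructed module this reports two hallucinated packages (one scoped, one not), a hardcoded key, an eval() and a hidden RLO character, scores 60/100 (D) and fails a threshold of 70. Checking against package.json rather than the live registry is deliberate: a name that is absent from the manifest is suspicious whether or not someone has since published it, and the offline check needs no network in CI.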
Powered by local LLMs or any OpenAI-compatible API. Run Ollama for 100% local analysis, or connect to any remote LLM provider; the interface is the same. With a remote provider the scanned source is sent to that provider, and a key passed as --api-key on the command line ends up in shell history and is visible in process listings, so keep it out of interactive shells and CI logs.
# Local analysis (Ollama)
ocr scan src/ --sla L3 --provider ollama --model qwen3-coder
# Any OpenAI-compatible provider
ocr scan src/ --sla L3 --provider openai-compatible \
--api-base https://your-llm-endpoint/v1 --model your-model --api-key YOUR_KEY
AI Auto-Fix — ocr heal
Let AI automatically fix the issues it finds. Run with --dry-run first and review the resulting diff before applying: the fixes are produced by the same class of model that introduced the defects, so they deserve the same scrutiny as the original code.
# Preview fixes without changing files
ocr heal src/ --dry-run
# Apply fixes + generate IDE rules
ocr heal src/ --provider ollama --model qwen3-coder --setup-ide
# Only generate IDE rules (Cursor, Copilot, Augment)
ocr setup src/
Multi-Language Detection
Language-specific detectors for 6 languages, plus hallucinated package databases (npm, PyPI, Maven, Go modules):
| Language | Specific Detectors |
|---|---|
| TypeScript / JavaScript | Hallucinated imports (npm), stale APIs, over-engineering |
| Python | Bare except, eval(), mutable default args, hallucinated imports (PyPI) |
| Java | System.out.println leaks, deprecated Date/Calendar, hallucinated imports (Maven) |
| Go | Unhandled errors, deprecated ioutil, panic in library code |
| Kotlin | !! abuse, println leaks, null-safety anti-patterns |
How It Compares
| | Open Code Review | Claude Code Review | CodeRabbit | GitHub Copilot |
|---|---|---|---|---|
| Price | Free (personal / non-commercial) | $15–25/PR | $24/mo/seat | $10–39/mo |
| Open Source | ✅ | ❌ | ❌ | ❌ |
| Self-hosted | ✅ | ❌ | Enterprise | ❌ |
| AI Hallucination Detection | ✅ | ❌ | ❌ | ❌ |
| Stale API Detection | ✅ | ❌ | ❌ | ❌ |
| Deep LLM Analysis | ✅ | ❌ | ❌ | ❌ |
| AI Auto-Fix | ✅ | ❌ | ❌ | ❌ |
| Multi-Language | ✅ 6 langs | ❌ | JS/TS | JS/TS |
| Registry Verification | ✅ npm/PyPI/Maven | ❌ | ❌ | ❌ |
| Unicode Security Detection | ✅ | ❌ | ❌ | ❌ |
| SARIF Output | ✅ | ❌ | ❌ | ❌ |
| GitHub + GitLab | ✅ Both | GitHub only | Both | GitHub only |
| Data Privacy | ✅ 100% local (with Ollama) | ❌ Cloud | ❌ Cloud | ❌ Cloud |
Quick Start
# Install
npm install -g @opencodereview/cli
# Fast scan — no AI needed
ocr scan src/
# Deep scan — with local LLM (Ollama)
ocr scan src/ --sla L3 --provider ollama --model qwen3-coder
# Deep scan — with any OpenAI-compatible provider
ocr scan src/ --sla L3 --provider openai-compatible \
--api-base https://your-provider/v1 --model your-model --api-key YOUR_KEY
CI/CD Integration
GitHub Actions (30 seconds)
name: Code Review
on: [pull_request]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: raye-deng/open-code-review@v1
        with:
          sla: L1
          threshold: 60
          github-token: ${{ secrets.GITHUB_TOKEN }}
Pin the action to a full commit SHA instead of the mutable v1 tag if your supply-chain policy requires immutable workflow dependencies.
GitLab CI
code-review:
  script:
    - npx @opencodereview/cli scan src/ --sla L1 --threshold 60 --format json --output ocr-report.json
  artifacts:
    reports:
      codequality: ocr-report.json
Output Formats
ocr scan src/ --format terminal # Pretty terminal output
ocr scan src/ --format json # JSON for CI pipelines
ocr scan src/ --format sarif # SARIF for GitHub Code Scanning
ocr scan src/ --format html # Interactive HTML report
A SARIF file written in CI can be uploaded with the github/codeql-action/upload-sarif action, which turns the findings into Code Scanning alerts on the pull request.
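For readers wiring the SARIF output into GitHub Code Scanning, this added example shows the minimal SARIF 2.1.0 document Code Scanning accepts: a tool driver listing each rule once and one result per finding with a physical location. It is not the CLI's own --format sarif implementation; the finding shape, the file paths and the tool version string are assumptions for the example.

```typescript
// Added example (not the CLI's own --format sarif code): build the minimal
// SARIF 2.1.0 log GitHub Code Scanning accepts. Finding shape is assumed.

interface ScanFinding { rule: string; file: string; line: number; severity: "high" | "medium" | "low"; message: string }

// SARIF result levels are error / warning / note; Code Scanning maps them to alert severities.
const SARIF_LEVEL: Record<ScanFinding["severity"], "error" | "warning" | "note"> =
  { high: "error", medium: "warning", low: "note" };

function toSarif(findings: ScanFinding[], toolName: string, toolVersion: string) {
  // Each distinct rule appears once in the driver; results refer to it by ruleId and ruleIndex.
  const ruleIds = Array.from(new Set(findings.map((f) => f.rule))).sort();
  return {
    $schema: "https://json.schemastore.org/sarif-2.1.0.json",
    version: "2.1.0",
    runs: [{
      tool: {
        driver: {
          name: toolName,
          version: toolVersion,
          rules: ruleIds.map((id) => ({ id, shortDescription: { text: id } })),
        },
      },
      results: findings.map((f) => ({
        ruleId: f.rule,
        ruleIndex: ruleIds.indexOf(f.rule),
        level: SARIF_LEVEL[f.severity],
        message: { text: f.message },
        locations: [{
          physicalLocation: {
            // uri must be relative to the repository root for the alert to attach to the file
            artifactLocation: { uri: f.file },
            region: { startLine: f.line },
          },
        }],
      })),
    }],
  };
}

// Constructed findings, as a scan of two files might produce them.
const SAMPLE_FINDINGS: ScanFinding[] = [
  { rule: "hallucinated-import", file: "src/auth.ts", line: 4, severity: "high", message: '"express-jwt-validator-utils" is not a declared dependency' },
  { rule: "dynamic-code", file: "src/auth.ts", line: 8, severity: "high", message: "eval() on request-controlled input" },
  { rule: "over-engineering", file: "src/util/factory.ts", line: 12, severity: "low", message: "abstract factory with a single implementation" },
];

const sarif = toSarif(SAMPLE_FINDINGS, "open-code-review", "0.0.0-example");
console.log(JSON.stringify(sarif, null, 2));
```

Write the JSON to a file and pass it as the sarif_file input of github/codeql-action/upload-sarif; the action needs the security-events: write permission on the job.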
Configuration
# .ocrrc.yml
sla: L3
ai:
  embedding:
    provider: ollama
    model: nomic-embed-text
    baseUrl: http://localhost:11434
  llm:
    provider: ollama
    model: qwen3-coder
    endpoint: http://localhost:11434
    # Or use any OpenAI-compatible provider:
    # provider: openai-compatible
    # apiBase: https://your-llm-endpoint/v1
    # model: your-model
MCP Server — Use in Claude Desktop, Cursor, Windsurf
Integrate Open Code Review directly into your AI IDE via the Model Context Protocol:
npx @opencodereview/mcp-server
Claude Desktop (claude_desktop_config.json):
{
  "mcpServers": {
    "open-code-review": {
      "command": "npx",
      "args": ["-y", "@opencodereview/mcp-server"]
    }
  }
}
Cursor / Windsurf / VS Code Copilot: Add the same configuration in your MCP settings. Because npx -y installs and runs whatever version the registry currently serves without prompting, pin the package to a specific version in args if you want the IDE to launch a reproducible, reviewed server.
Available MCP Tools: ocr_scan (quality gate scan), ocr_heal (AI auto-fix), ocr_explain (issue explanation).
💡 Chrome DevTools MCP Compatible: The OCR MCP Server follows the standard Model Context Protocol. Pair it with Google's Chrome DevTools MCP Server for a complete AI-native dev workflow — one inspects your running app, the other inspects your source code.
Project Structure
packages/
core/ # Detection engine + scoring (@opencodereview/core)
cli/ # CLI tool — ocr command (@opencodereview/cli)
mcp-server/ # MCP Server for AI IDEs (@opencodereview/mcp-server)
github-action/ # GitHub Action wrapper
Who Is This For?
- Teams using AI coding assistants — Copilot, Cursor, Claude Code, Codex, or any LLM-based tool that generates production code
- Open-source maintainers — Review AI-generated PRs for hallucinated imports, stale APIs, and security anti-patterns before merging
- DevOps / Platform engineers — Add a quality gate to CI/CD pipelines without sending code to cloud services
- Security-conscious teams — Run everything locally (Ollama), keep your code on your machines
- Solo developers — Free, fast, and works with zero configuration (npx @opencodereview/cli scan src/)
License
BSL-1.1 — Free for personal and non-commercial use. Converts to Apache 2.0 on 2030-03-11. Commercial use requires a Team or Enterprise license.
Star this repo if you find it useful — it helps more than you think!