Alibaba Open-Sourced Its Internal AI Code Review Tool: A Practical Setup Guide
Alibaba Group just released Open Code Review (OCR) — the same AI-powered code review assistant their internal teams have used for the past two years. It has served tens of thousands of developers and identified millions of code defects. Now it is open source, and you can run it locally against your own repositories with nothing more than an API key.
This is not another experimental side project. It is a production-hardened tool with a hybrid architecture that combines deterministic engineering pipelines with an LLM agent. The result: precise, line-level review comments that do not drift or hallucinate file paths.
In this guide, you will install OCR, connect it to Anthropic or OpenAI, run your first review, and wire it into CI/CD.
Why Open Code Review Exists
If you have ever asked a general-purpose agent like Claude Code to review a large pull request, you have probably hit three familiar problems:
- Incomplete coverage — The agent reviews some files and silently skips others.
- Position drift — Reported line numbers or file references do not match the actual code.
- Unstable quality — Minor prompt changes cause review quality to swing wildly.
OCR solves this by splitting the work. Deterministic logic handles the parts that must not go wrong: file selection, bundling related files, rule matching, and comment positioning. The LLM agent is reserved for dynamic decisions and context retrieval — exactly where it shines.
The built-in rule set covers NPEs, thread-safety issues, XSS, and SQL injection. You can also add custom JSON rules.
Installation
OCR distributes pre-built binaries for macOS, Linux, and Windows, plus an NPM package.
Option A: NPM (Recommended)
```bash
npm install -g @alibaba-group/open-code-review
```
After installation, the ocr command is available globally.
Option B: Binary (macOS Apple Silicon example)
```bash
curl -Lo ocr https://github.com/alibaba/open-code-review/releases/latest/download/opencodereview-darwin-arm64
chmod +x ocr && sudo mv ocr /usr/local/bin/ocr
```
Linux and Windows binaries are available from the same GitHub Releases page.
Option C: Build from Source
```bash
git clone https://github.com/alibaba/open-code-review.git
cd open-code-review
make build
sudo cp dist/opencodereview /usr/local/bin/ocr
```
Configuration
You must configure a model endpoint before reviewing code. OCR supports Anthropic and OpenAI models.
Interactive Config
```bash
ocr config set llm.url https://api.anthropic.com/v1/messages
ocr config set llm.auth_token your-api-key-here
ocr config set llm.model claude-opus-4-6
ocr config set llm.use_anthropic true
```
Config is stored in ~/.opencodereview/config.json.
Environment Variables (Highest Priority)
```bash
export OCR_LLM_URL=https://api.anthropic.com/v1/messages
export OCR_LLM_TOKEN=your-api-key-here
export OCR_LLM_MODEL=claude-opus-4-6
export OCR_USE_ANTHROPIC=true
```
OCR also auto-detects Claude Code environment variables (ANTHROPIC_BASE_URL, ANTHROPIC_AUTH_TOKEN, ANTHROPIC_MODEL) from your shell config.
Test Connectivity
```bash
ocr llm test
```
If the LLM responds, you are ready to review code.
Running Your First Review
Review Working Directory Changes
```bash
cd your-project
ocr review
```
This reviews all staged, unstaged, and untracked changes.
Review a Branch Range
```bash
ocr review --from main --to feature-branch
```
Review a Single Commit
```bash
ocr review --commit abc123
```
Preview Files Without Calling the LLM
```bash
ocr review --preview
```
This shows exactly which files will be reviewed and how they are bundled — useful for debugging large changesets.
Understanding the Output
OCR produces structured, line-level comments. Each comment includes:
- The exact file and line number
- A severity classification
- A description of the issue
- A suggested fix where applicable
Because of the external positioning module, line numbers are accurate. The reflection module then checks each comment against the actual code to catch hallucinations.
CI/CD Integration
OCR outputs machine-readable JSON for pipeline integration:
```bash
ocr review \
  --from "origin/main" \
  --to "origin/feature-branch" \
  --format json
```
The repository includes ready-made examples for:
- GitHub Actions — examples/github_actions/
- GitLab CI — examples/gitlab_ci/
You can parse the JSON output and post comments directly to merge requests, or fail the build when critical issues are found.
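A minimal CI gate over that JSON output, added here as an example and not code from the OCR project. The page does not document the JSON schema, so the field names (file, line, severity, message, suggestion) and the severity labels are assumptions taken from the comment fields listed above; check them against real `ocr review --format json` output before relying on this.

```python
# CI gate over Open Code Review JSON output. Added example, not OCR's own code.
# ASSUMED: each comment object carries `file`, `line`, `severity`, `message` and
# optional `suggestion` (the fields the guide lists); verify against real output.
import json
import sys

# Assumed severity labels; the order defines what "at or above a threshold" means.
SEVERITY_ORDER = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed stand-in for what `ocr review --format json` might emit.
SAMPLE_OUTPUT = json.dumps({"comments": [
    {"file": "src/db.py", "line": 42, "severity": "critical",
     "message": "SQL built by string concatenation",
     "suggestion": "Use a parameterised query"},
    {"file": "src/web.py", "line": 17, "severity": "high",
     "message": "Unescaped user input rendered into HTML", "suggestion": None},
    {"file": "src/util.py", "line": 5, "severity": "low",
     "message": "Possible null dereference", "suggestion": None},
    {"file": "src/x.py", "line": 1, "severity": "bogus", "message": "unknown"},
]})

def load_comments(raw):
    """Parse the JSON; accept a bare list or a {"comments": [...]} wrapper."""
    data = json.loads(raw)
    comments = data if isinstance(data, list) else data.get("comments", [])
    # Fail closed: a missing or unrecognised severity is treated as critical,
    # so a schema change cannot silently switch the gate off.
    for c in comments:
        sev = str(c.get("severity", "")).lower()
        c["severity"] = sev if sev in SEVERITY_ORDER else "critical"
    return comments

def blocking(comments, threshold="critical"):
    """Return the comments at or above the threshold severity."""
    floor = SEVERITY_ORDER[threshold]
    return [c for c in comments if SEVERITY_ORDER[c["severity"]] >= floor]

def gate(raw, threshold="critical"):
    """Exit status for the CI job: 0 when nothing blocks, 1 otherwise."""
    hits = blocking(load_comments(raw), threshold)
    for c in hits:  # one line per finding, in file:line form editors understand
        print(f"{c['file']}:{c['line']}: [{c['severity']}] {c['message']}")
    return 1 if hits else 0

if __name__ == "__main__":
    # Usage: ocr review --from origin/main --to HEAD --format json | python gate.py high
    threshold = sys.argv[1] if len(sys.argv) > 1 else "critical"
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    sys.exit(gate(raw, threshold))
```

Run without piped input it gates the constructed sample and exits 1; pipe real output into it in CI and pick the threshold that matches your merge policy.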
Integrating with Claude Code
OCR can be installed as a Claude Code plugin or skill, giving you a /open-code-review:review slash command inside your agent workflow.
As a Plugin
Inside Claude Code, run:
```bash
/plugin marketplace add alibaba/open-code-review
/plugin install open-code-review@open-code-review
```
As a Project-Level Command
```bash
mkdir -p .claude/commands
curl -o .claude/commands/open-code-review.md \
  https://raw.githubusercontent.com/alibaba/open-code-review/main/plugins/open-code-review/commands/review.md
```
This makes the command available to anyone who clones the repository.
Key Flags and Tuning
| Flag | Default | What It Does |
|---|---|---|
| --concurrency | 8 | Max concurrent file reviews |
| --timeout | 10 | Timeout in minutes per concurrent task |
| --format | text | text or json output |
| --rule | built-in | Path to custom JSON review rules |
| --max-tools | built-in | Max tool-call rounds per file |
| --audience | human | human shows progress; agent gives summary only |
For large monorepos, increase --concurrency cautiously. The default of 8 is already aggressive and keeps most reviews under a minute.
When to Use OCR vs. Copilot / Claude Code
| Tool | Best For |
|---|---|
| OCR | Structured, line-level PR review at scale; CI/CD gating; deterministic rule enforcement |
| GitHub Copilot | Inline suggestions while typing; chat-based explanations |
| Claude Code | Deep codebase exploration; multi-file refactoring; architecture decisions |
OCR is not a replacement for Copilot or Claude Code. It is a specialized layer you add when you need reliable, repeatable code review that does not miss files or drift off target.
Bottom Line
Alibaba's Open Code Review is one of the most mature open-source AI code review tools available today. It is agentic where it helps (dynamic context retrieval) and deterministic where it matters (file selection, positioning, rule matching). For solo developers and small teams, it offers enterprise-grade review discipline without enterprise-grade pricing.
If you are already paying for an LLM API, adding OCR costs nothing extra. Install it, point it at your next PR, and see how many issues it catches that you would have missed.