AI Code Review Platform

Automated PR review with context-aware suggestions, security scanning, and style enforcement

View the interactive project page →

AI Code Review Platform

Part of the worlds-biggest-software-project initiative.

Intelligent, context-aware code review for every PR — self-hosted, extensible, and free for open source.

An AI-native code review platform that automates PR review with semantic reasoning, security scanning, and style enforcement. Unlike rule-based tools, it understands your codebase's architecture, intent, and business logic to surface meaningful issues while eliminating false positives through team-specific learning.

Designed for teams overwhelmed by manual code review, open-source maintainers facing PR backlogs, and organizations requiring data residency or regulatory compliance.


Why AI Code Review Platform?

  • Expensive incumbents pricing out the market: CodeRabbit ($12–$25/user/month), Qodo ($30/user/month for teams), and GitHub Copilot Code Review ($19/user/month) force teams to choose between unaffordable SaaS and no AI-assisted review. A 100-person engineering team pays $14,400/year for review-only capabilities.

  • Rule-based tools miss architectural issues: SonarQube and CodeClimate detect syntactic patterns but generate alert fatigue, with developers ignoring 70% of findings. They cannot understand call graphs, data flows, or whether a PR violates your team's architectural patterns.

  • Self-hosted solutions are immature: pr-agent (open source) is self-hostable but lacks codebase indexing. Commercial platforms (Qodo, Greptile) index your full repository but require cloud deployment, ruling out air-gapped and regulated environments (healthcare, finance, government).

  • Open-source maintainers have no good options: Free tiers of commercial platforms are severely limited. No fully open-source platform combines production-grade review with whole-codebase reasoning.

  • Per-seat pricing doesn't scale: Most platforms charge per developer. A 500-person organization spends $150,000/year. Self-hosting shifts costs to engineering time but eliminates vendor lock-in.


Key Features

Core Review Capabilities

  • Automated PR review on every push: Triggered instantly on PR open/update; block merges on configurable severity thresholds via CI gates.
  • Line-level findings with severity ranking: Critical, high, medium, low classifications with plain-language explanations instead of terse alerts.
  • PR summary auto-generation: Understand what changed and why in seconds without reading the full diff.
  • 10+ language support: Python, JavaScript/TypeScript, Go, Java, C#, Rust, PHP, Ruby, C/C++, Kotlin, and more.

Semantic Intelligence

  • Whole-codebase indexing: Build a code graph of every function, class, and import relationship — not just the PR diff.
  • Cross-file vulnerability detection: Trace taint flows, injection paths, and race conditions that span multiple files; detect patterns rule-based tools miss.
  • Git history awareness: Explain why code was written a certain way by referencing past commits and PRs.
  • Intent-drift detection: Warn when a PR's code changes diverge from its description — catching scope creep and undocumented side effects.

Team Learning & Customization

  • False-positive learning loop: Learn from your team's accept/dismiss decisions; dynamically tune signal-to-noise per repository.
  • Mentorship mode: Generate educational explanations with CVE references, code examples, and documentation links for junior developers.
  • Repository-level rules: Configure review behaviour per project via committed .aicr.yaml configuration file.

Deployment & Integration

  • Self-hosted by default: Run entirely on your infrastructure; no data leaves your network.
  • Bring-your-own LLM: Use OpenAI, Anthropic, Ollama, or any OpenAI-compatible endpoint; keep API keys under your control.
  • Air-gapped support: Operate fully offline with local models (Ollama, GGUF, Hugging Face).
  • Multi-platform VCS: GitHub, GitLab, Bitbucket, Azure DevOps, Gitea.
  • CI/CD first: Native GitHub Actions, GitLab CI, and generic webhook support for custom runners.

AI-Native Advantage

Traditional static analysis tools (SonarQube, CodeClimate) apply fixed rule sets to every codebase regardless of context — they flag unused variables, missing imports, and style violations equally across teams with different standards. AI code review systems trained on billions of lines of code can reason about semantic intent, business logic, and architectural patterns your team has established.

What makes this project meaningfully different:

  1. Context-aware false-positive suppression — The platform learns from your team's review patterns (which findings your reviewers accept vs. dismiss) and adjusts its severity scoring dynamically. Rule-based systems cannot implement this feedback loop.

  2. Whole-codebase semantic reasoning — By indexing your full repository, the platform understands call graphs, data flows, and module boundaries. It can detect security vulnerabilities that span three files, or flag when a PR violates your team's layering rules — impossible for diff-bounded analysis.

  3. Intent-drift analysis — Comparing PR descriptions against code changes surfaces incomplete implementations, scope creep, and undocumented side effects that no static analyzer detects.

  4. Explanation-first feedback — Rather than "SQL injection risk," the platform generates actionable guidance: "This query concatenates user input. Refactor to use parameterized queries. Example. OWASP-A03-SQL-Injection"


Tech Stack & Deployment

Architecture

  • Backend: Modular review engine with pluggable LLM adapters; code graph builder for repository indexing; finding aggregation and severity scoring.
  • Frontend: Lightweight PR comment interface (no separate UI required) or optional dashboard for org-wide technical debt trending.
  • Data storage: Git-local indexing (no external database for MVP); optional PostgreSQL for enterprise dashboard and learning loop.

Deployment Modes

  • Self-hosted open source: Dockerized stack; run on your VPC or on-premises. Designed for low operational overhead.
  • Open-core model (future): Free open-source tier plus optional commercial extensions (managed cloud, advanced analytics, training for your team's custom models).
  • Standards: OpenAPI 3.1 for REST API; SARIF 2.1.0 for findings export (interoperable with GitHub CodeQL, SonarQube, and other tools).

Integrations

  • Code platforms: GitHub, GitLab, Bitbucket, Azure DevOps, Gitea
  • LLM providers: OpenAI, Anthropic, Azure OpenAI, Ollama, vLLM, or any OpenAI-compatible endpoint
  • CI/CD: GitHub Actions, GitLab CI, Jenkins, CircleCI, or generic webhooks
  • Notification channels: Slack, Teams, email

Market Context

The global AI code tools market was valued at $7.37B in 2025 and is projected to reach $23.97B by 2030 at a 26.6% compound annual growth rate. PR volume grew 29% YoY in 2025 driven by AI-assisted coding, creating acute demand for automated review.

Incumbent pricing:

  • Free / open source: SonarQube Community, pr-agent (~$0)
  • Developer SaaS: GitHub Copilot Code Review, CodeRabbit Basic ($10–$19/user/month)
  • Professional SaaS: CodeRabbit Pro, Qodo Teams, Greptile ($24–$30/user/month)
  • Enterprise: Custom pricing ($50+/user/month or seat-based)

Primary buyer personas:

  • Engineering managers at mid-size SaaS companies (50–500 devs) seeking to scale review throughput without headcount
  • Security/DevSecOps leads in regulated industries needing audit trails and OWASP/NIST compliance
  • Platform engineering teams building internal developer portals requiring self-hosted, no-data-egress solutions
  • Open-source maintainers overwhelmed by community PRs seeking zero-cost triage

Project Status

This project is in the research and specification phase.
We are actively designing the architecture, feature scope, and API contracts based on community feedback.

Completed:

  • Competitive landscape analysis and research (research.md)
  • Feature gap analysis across 8 incumbent platforms (features.md)
  • Industry standards and API reference (standards.md)
  • This README

Next steps:

  1. Formal specification and API design
  2. Prototype of core review engine (diff parsing → LLM → findings)
  3. GitHub integration reference implementation
  4. Community feedback and contribution guidelines

Contribution opportunities:

  • Architecture and API design review
  • LLM prompt engineering and evaluation
  • Code graph construction and indexing (Python, JavaScript, Go)
  • Integration work (GitHub Apps, webhooks)
  • Testing frameworks and benchmarking

Contributing

We welcome contributions from developers, security professionals, and potential users. See CONTRIBUTING.md for guidelines.

Getting Involved

  • Architecture discussion? Open an issue with the design label.
  • Want to prototype a feature? Fork the repo and open a draft PR; we'll discuss approach first.
  • Running a review service internally? Share your deployment patterns and feedback.
  • Security researcher? We take vulnerability reports seriously; see SECURITY.md.

Important: All contributions must be your own original work or clearly attributed open-source material with a compatible licence. Copyright infringement and licence violations will not be tolerated and will result in immediate removal of the offending contribution. If you are unsure whether a piece of code, text, or other material is safe to contribute, open an issue and ask before submitting.


Licence

To be determined. The project will be released under a permissive open-source licence (MIT, Apache 2.0, or GPL) to maximize adoption and community contribution.

See discussion for context and community input on licence choice.


Learn More

  • Research: research.md — Competitive landscape, market analysis, and AI-native opportunities
  • Features: features.md — Detailed analysis of incumbent platforms and recommended feature scope
  • Standards: standards.md — Industry standards (IEEE 1028, OWASP, NIST SSDF, SARIF, OpenAPI, MCP) and API reference for similar products