Alibaba has open-sourced Open Code Review, the AI reviewer it says ran internally for two years across tens of thousands of its own engineers and flagged millions of defects. It reads a Git diff, hands the changed files to a configurable LLM, and returns structured, line-level comments.

The design choice that sets it apart is that it is hybrid. Rather than throwing a diff at a model and hoping, it runs deterministic pipelines alongside an LLM agent, with a fine-tuned ruleset aimed at concrete bug classes: null-pointer exceptions, thread-safety, cross-site scripting and SQL injection. The agent can read full file contents and search the wider codebase for context, so reviews reach past the surface of the diff. It is compatible with OpenAI and Anthropic endpoints.

There is also an agent-native angle. You can install it via npx as a slash command inside an existing coding agent, teaching that agent to call the reviewer, sort issues by priority and optionally apply fixes. The catch is the usual one for self-hosted review: you supply the model endpoint and the token budget. Whether a battle-tested internal tool survives contact with everyone else's messier codebases is the thing to watch.