Documentation

Get started with Open Code Review in minutes. Detect AI code hallucinations, logic gaps, and quality issues — then auto-fix them with AI.

Detect & Heal — end-to-end self-healing code review

🚀 New here? Read the 2-minute Getting Started guide

Install → Configure → Scan → Heal → CI/CD in 5 steps

# Quick Start

Scan your project in one command. No account needed for local scans.

npx @opencodereview/cli@latest scan ./src

This scans all files in ./src using local AI models (Ollama) and outputs a quality score (0-100).

# Installation

Using npx (no install)

npx @opencodereview/cli@latest scan ./src

Global install

npm install -g @opencodereview/cli
ocr scan ./src

GitHub Actions

# .github/workflows/ci.yml
name: Code Quality Check
on: [pull_request]

jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: raye-deng/open-code-review@v1
        with:
          threshold: 70
          paths: 'src/**/*.ts'
          fail-on-low-score: true

GitLab CI

# .gitlab-ci.yml
include:
  - component: open-code-review/validate@v1
    inputs:
      threshold: 70
      paths: src

Register

Create a free account to unlock team features, dashboards, and license management.

Sign up for free →

License Key

Activate your license to unlock Pro and Enterprise features.

ocr license activate ocr-xxxx-xxxx-xxxx

# Detect & Heal — Complete Workflow

OCR's killer feature: detect issues, then auto-fix them with AI. Other tools just report — OCR heals.

ScanDetectHealClean Code

Step 1: Scan your code

npx @opencodereview/cli@latest scan ./src --level l3 --provider glm --api-key your-key

OCR analyzes your code across 3 levels and detects AI-specific defects.

Step 2: Preview fixes (dry-run)

npx @opencodereview/cli@latest heal ./src --dry-run

Preview AI-generated fixes without modifying any files.

Step 3: Auto-fix

npx @opencodereview/cli@latest heal ./src

AI auto-fixes all detected issues. Done. Zero human intervention.

Generate IDE rules for Cursor / Copilot / Augment

npx @opencodereview/cli@latest heal ./src --generate-rules
# Creates .cursorrules, .copilot-rules, or .augmentrules

# CI/CD Self-Heal Integration

Integrate detect & heal into your CI/CD pipeline for fully automated code quality — scan, fix, and commit automatically.

GitHub Actions — Scan + Auto-Heal

# .github/workflows/ci.yml
name: AI Code Review & Self-Heal
on: [pull_request]

jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Scan
        run: npx @opencodereview/cli@latest scan ./src --threshold 70
      - name: Heal (auto-fix)
        run: npx @opencodereview/cli@latest heal ./src
        env:
          OCR_PROVIDER: glm
          OCR_API_KEY: ${{ secrets.OCR_API_KEY }}
      - name: Commit fixes
        run: |
          git config --global user.name "OCR Bot"
          git config --global user.email "[email protected]"
          git add -A
          git diff --cached --quiet || git commit -m "fix: OCR auto-heal applied"
          git push

GitLab CI — Scan + Heal

# .gitlab-ci.yml
ocr-review:
  stage: test
  image: node:20
  script:
    - npx @opencodereview/cli@latest scan ./src
    - npx @opencodereview/cli@latest heal ./src
  variables:
    OCR_PROVIDER: "glm"
    OCR_API_KEY: "$OCR_API_KEY"

# Supported LLM Providers

OCR supports 8 LLM providers for scan and heal. GLM and Ollama are completely free.

Provider--provider valueCostNotes
GLM (智谱)glmFREERecommended — free, high quality
OllamaollamaFREELocal models, no API needed
OpenAIopenaiPaidGPT-4o, GPT-4
DeepSeekdeepseekPaidDeepSeek-V3
Together AItogetherPaidMultiple models
FireworksfireworksPaidFast inference
AnthropicanthropicPaidClaude models
OpenAI-compatiblecustomVariesAny LLM service with --api-base

# Configuration

Create an .ocrrc.yml file in your project root:

# .ocrrc.yml
threshold: 70
paths:
  - "src/**/*.ts"
  - "src/**/*.tsx"
exclude:
  - "node_modules/**"
  - "**/*.test.ts"
analysis:
  - hallucination
  - logic-gap
  - quality-score
fail-on-low-score: true
output: json

# What It Detects

Hallucinated Packages

Detects npm packages that don't exist but are imported as if they do. Common in AI-generated code.

Logic Gaps

Empty catch blocks, unreachable code, TODO markers, and missing error handling from context limits.

Quality Score

0-100 score across 4 dimensions: completeness, coherence, consistency, conciseness.

Multi-Language AI Defects

Language-specific detectors for TypeScript/JS, Python, Java, Go, Kotlin, Rust.

L3 Deep Analysis

Suspicious code blocks sent to remote LLMs for thorough analysis. Foundation for precise auto-fix.

AI Auto-Heal

Not just detection — auto-fix. OCR heals your code with LLM reasoning, supports dry-run preview.

# L3 Deep Scan

L3 Deep Scan sends suspicious code blocks to a remote LLM for deep analysis. It's the foundation for precise healing — you can't fix what you can't detect deeply.

Quick Start with L3

npx @opencodereview/cli@latest scan ./src --level l3 --provider openai --api-key sk-xxx

Using Free Providers (GLM)

# GLM (智谱) — free
npx @opencodereview/cli@latest scan ./src --level l3 --provider glm --api-key your-glm-key

# Multi-Language AI Detection

Language-specific AI defect detectors for maximum precision.

TS

TypeScript / JS

npm hallucinations, unused imports, broken async patterns

PY

Python

pip hallucinations, type errors, broken numpy patterns

JV

Java

Maven hallucinations, wrong annotations, deprecated APIs

GO

Go

module hallucinations, error handling patterns, goroutine leaks

KT

Kotlin

Gradle hallucinations, coroutine misuse, wrong extensions

RS

Rust

crate hallucinations, unsafe patterns, lifetime issues

# Provider Configuration Reference

Configure providers via CLI flags, environment variables, or ocr.config.json.

CLI Flags

npx @opencodereview/cli@latest scan ./src \
  --level l3 \
  --provider glm \
  --api-key your-glm-key \
  --model glm-4

Config File (ocr.config.json)

{
  "level": "l3",
  "provider": "glm",
  "apiKey": "your-glm-key",
  "model": "glm-4",
  "paths": ["src/**/*.ts"],
  "threshold": 70
}

Environment Variables

export OCR_PROVIDER=glm
export OCR_API_KEY=your-glm-key
export OCR_MODEL=glm-4

# Output Format

{
  "score": 82,
  "dimensions": {
    "completeness": 85,
    "coherence": 80,
    "consistency": 78,
    "conciseness": 85
  },
  "issues": [
    {
      "type": "hallucination",
      "severity": "high",
      "message": "Package 'lodash-utils' not found on npm",
      "file": "src/utils/helpers.ts",
      "line": 3,
      "fix": "Replace with 'lodash' or install the package"
    }
  ],
  "passed": true
}

# SARIF Output

Open Code Review can output results in SARIF (Static Analysis Results Interchange Format) — the industry standard supported by GitHub Code Scanning, VS Code, and other tools.

Generate SARIF Report

npx @opencodereview/cli@latest scan ./src --output sarif --output-file ocr-results.sarif

GitHub Code Scanning Integration

Upload SARIF to GitHub Code Scanning for inline PR annotations and the Security tab:

# .github/workflows/ocr.yml
name: OCR Code Scanning
on: [pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - name: Run OCR scan
        run: |
          npx @opencodereview/cli@latest scan ./src \
            --output sarif \
            --output-file ocr-results.sarif
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ocr-results.sarif
          category: open-code-review

SARIF Structure

OCR's SARIF output follows the v2.1.0 schema. Each finding maps to a SARIF result with rule metadata, severity levels, and file locations:

{
  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
  "version": "2.1.0",
  "runs": [{
    "tool": {
      "driver": {
        "name": "open-code-review",
        "version": "2.1.1",
        "rules": [{
          "id": "OCR001",
          "name": "HallucinatedPackage",
          "shortDescription": {
            "text": "Import references a package that does not exist on npm"
          },
          "defaultConfiguration": {
            "level": "error"
          }
        }]
      }
    },
    "results": [{
      "ruleId": "OCR001",
      "level": "error",
      "message": {
        "text": "Package 'lodash-utils' not found on npm registry"
      },
      "locations": [{
        "physicalLocation": {
          "artifactLocation": { "uri": "src/utils/helpers.ts" },
          "region": { "startLine": 3, "startColumn": 1 }
        }
      }]
    }]
  }]
}

SARIF Rule IDs

Rule IDCategoryDescription
OCR001HallucinationPackage does not exist on registry
OCR002HallucinationAPI or method does not exist on package
OCR010Stale APIDeprecated or removed API usage
OCR020Logic GapEmpty catch block, unreachable code, missing error handling
OCR030SecurityInsecure crypto, hardcoded secrets, unsafe defaults
OCR040Over-engineeringUnnecessary abstraction layers or complexity

# Cloud API Reference

The Open Code Review Cloud provides a REST API for managing licenses, scans, and reports programmatically.

1. Get Your License Key

Register at opencodereview.com/register to create an account. Your License Key is available in the Dashboard after sign-up, or via the API:

# Register a new account
curl -X POST https://cloud.opencodereview.com/api/auth/register \
  -H "Content-Type: application/json" \
  -d '{"email":"[email protected]","password":"your-password"}'

# Login to get your API token
curl -X POST https://cloud.opencodereview.com/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"[email protected]","password":"your-password"}'

# Response includes your access token:
# { "accessToken": "eyJ...", "licenseKey": "ocr-xxxx-xxxx-xxxx" }

2. API Authentication

All API requests require a Bearer token in the Authorization header:

curl https://cloud.opencodereview.com/api/licenses \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..."

3. Activate License in CLI

ocr license activate ocr-xxxx-xxxx-xxxx

4. API Endpoints

MethodEndpointDescription
POST/api/auth/registerRegister new account
POST/api/auth/loginLogin & get access token
GET/api/licensesList your licenses
GET/api/licenses/:idGet license details
POST/api/scansSubmit a new scan
GET/api/scans/:idGet scan results
GET/api/scansList scan history
GET/api/reports/:scanIdGet scan report
GET/api/users/meGet current user profile
PUT/api/users/meUpdate profile
GET/api/usageGet usage statistics

5. Submit a Scan via API

curl -X POST https://cloud.opencodereview.com/api/scans \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..." \
  -H "Content-Type: application/json" \
  -d '{
    "repositoryUrl": "https://github.com/your/repo",
    "branch": "main",
    "level": "l3",
    "paths": ["src/**/*.ts"]
  }'

# FAQ

Do I need an AI API key?

For L1 and local scans, no — Ollama runs locally for free. For L3 Deep Scan and heal, you need an API key from one of 8 supported providers. GLM is completely free.

What is Detect & Heal?

OCR's core differentiator: ocr scan detects issues, ocr heal auto-fixes them. Other tools just tell you what's wrong — OCR fixes it for you.

What languages are supported?

TypeScript, JavaScript, Python, Java, Go, Kotlin, and Rust. Each has its own AI-specific defect detector.

How is this different from ESLint?

ESLint checks code style. Open Code Review detects AI-specific issues and auto-fixes them — not just reports.