AI-Powered Code Review CLI
Cora is a fast, opinionated CLI tool that uses LLMs to review your code changes — directly in your terminal, CI/CD pipeline, or git hooks.
- 🔍 Git-Aware Scanning — Automatically detects staged, committed, or changed files
- 🤖 Multi-LLM Support — Works with OpenAI, Anthropic, Google, Ollama, and any OpenAI-compatible API
- 🎨 Beautiful Output — Colorized, structured review output with severity levels
- 🏗️ CI/CD Ready — Designed for GitHub Actions, GitLab CI, and any pipeline
- ⚡ Fast & Lightweight — Native Rust binary, no runtime dependencies
- 📋 SARIF Output — Upload results to GitHub Code Scanning
- 🔧 Configurable — YAML config file with project-level defaults
- 🪝 Git Hooks — Pre-commit integration for instant feedback
- 📊 Exit Codes — Non-zero exit on critical findings for pipeline gating
- 🧠 Deterministic Reviews — Temperature 0 by default: same diff always produces the same issues
- 💾 Diff-Hash Caching — Reviews cached by diff hash in `~/.cache/cora/reviews/` — bypass the cache with `--no-cache`
- 🎯 Custom System Prompts — Override review/scan prompts via config or file path
- 🛡️ Anti-Hallucination — File path injection and post-parse filtering keep LLM output grounded
- 🌡️ Configurable LLM Params — Tune temperature, max tokens, timeout, and cache TTL per project
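
To make the post-parse filtering idea from the feature list concrete, the sketch below drops any finding whose file or line is not inside a changed hunk of the reviewed diff. It is an added illustration, not cora's implementation; the `Finding` struct, the function names and the sample diff are assumptions constructed for the example.

```rust
use std::collections::HashMap;
/// Hypothetical finding shape for this example (not cora's real schema).
#[derive(Debug, Clone, PartialEq)]
struct Finding { file: String, line: u32 }
/// Constructed sample diff: one edited file (two added lines) and one deleted file.
const DIFF: &str = "--- a/src/auth.rs\n+++ b/src/auth.rs\n@@ -10,3 +10,5 @@\n let t = token();\n\
+let s = t.unwrap();\n+++ counter;\n check(t);\n }\n--- a/old.rs\n+++ /dev/null\n@@ -1 +0,0 @@\n-x\n";

/// Parse "start,len" from a hunk header; len is 1 when omitted.
fn span(s: &str) -> (u32, u32) {
    let (a, b) = s.split_once(',').unwrap_or((s, "1"));
    (a.parse().unwrap_or(0), b.parse().unwrap_or(0))
}

/// Map each file in a git-style unified diff to the new-side line ranges of its hunks.
fn changed_ranges(diff: &str) -> HashMap<String, Vec<(u32, u32)>> {
    let mut out: HashMap<String, Vec<(u32, u32)>> = HashMap::new();
    let (mut file, mut old_left, mut new_left) = (None::<String>, 0u32, 0u32);
    for l in diff.lines() {
        if old_left > 0 || new_left > 0 {
            // Hunk body: count lines down so an added "++ counter;" is not read as a "+++" header.
            let c = l.as_bytes().first().copied().unwrap_or(b' ');
            if c != b'+' && c != b'\\' { old_left = old_left.saturating_sub(1); }
            if c != b'-' && c != b'\\' { new_left = new_left.saturating_sub(1); }
        } else if let Some(p) = l.strip_prefix("+++ ") {
            file = p.strip_prefix("b/").map(str::to_string); // "/dev/null" (deleted) gives None
        } else if let (Some(h), Some(f)) = (l.strip_prefix("@@ -"), &file) {
            let mut parts = h.split(' '); // "a,b", "+c,d", "@@", ...
            old_left = span(parts.next().unwrap_or("")).1;
            let (start, len) = span(parts.next().unwrap_or("").trim_start_matches('+'));
            new_left = len;
            if len > 0 { out.entry(f.clone()).or_default().push((start, start.saturating_add(len - 1))); }
        }
    }
    out
}

/// Post-parse filter: keep only findings whose file and line fall inside a changed hunk.
fn grounded(diff: &str, findings: Vec<Finding>) -> Vec<Finding> {
    let ranges = changed_ranges(diff);
    findings.into_iter()
        .filter(|f| ranges.get(&f.file).map_or(false, |rs| rs.iter().any(|&(a, b)| a <= f.line && f.line <= b)))
        .collect()
}

fn main() {
    let f = |file: &str, line| Finding { file: file.to_string(), line };
    println!("{:?}", grounded(DIFF, vec![f("src/auth.rs", 11), f("src/auth.rs", 200), f("../.env", 1)]));
}
```
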
```bash
cargo install cora-cli
```

Download the latest release from GitHub Releases:

```bash
# Determine your platform tag from the releases page, e.g.:
# cora-aarch64-unknown-linux-gnu-v0.2.0.tar.gz
# cora-x86_64-unknown-linux-gnu-v0.2.0.tar.gz
# cora-aarch64-apple-darwin-v0.2.0.tar.gz
# cora-x86_64-pc-windows-msvc-v0.2.0.zip
# Example: Linux aarch64
VERSION=$(curl -s https://api.github.com/repos/codecoradev/cora-cli/releases/latest | grep tag_name | cut -d'"' -f4)
curl -L "https://github.com/codecoradev/cora-cli/releases/download/${VERSION}/cora-aarch64-unknown-linux-gnu-${VERSION}.tar.gz" | tar xz
sudo mv cora /usr/local/bin/
```

Tip: Visit the Releases page to find the correct asset name for your platform.
🚧 Homebrew tap is planned — check back soon!
Requires Rust 1.85+.
```bash
git clone https://github.com/codecoradev/cora-cli.git
cd cora-cli
cargo install --path .
```

```bash
export OPENAI_API_KEY="sk-..."
# or
export ANTHROPIC_API_KEY="sk-ant-..."
```

```bash
cora init
cora review --staged
cora review --commit HEAD
cora scan
```

Review code changes using an LLM.
```bash
# Review staged files (default)
cora review
# Review unpushed changes
cora review --unpushed
# Review a range of commits
cora review --commit HEAD~3..HEAD
# Review changes vs a base branch
cora review --base origin/main
# Review a pull request diff from a file
cora review --diff-file pr.diff
# Use a specific model
cora review --model gpt-4o
# Output as SARIF
cora review --format sarif
# Output as JSON
cora review --format json
# Upload SARIF to GitHub Code Scanning (implies --format sarif)
cora review --upload
# Set severity threshold
cora review --severity major
# Quiet mode (machine-readable)
cora review --quiet
# Skip cached reviews
cora review --no-cache
```

Scan files for code quality issues without requiring git context.
```bash
# Scan current directory
cora scan
# Scan a specific directory
cora scan --path src/
# Scan with focus areas
cora scan --focus security,performance
# Exclude patterns
cora scan --exclude "tests/**" --exclude "examples/**"
# Only scan changed files (incremental)
cora scan --incremental
```

Manage configuration. Supports both project-level (`.cora.yaml`) and global (`~/.cora/config.yaml`) config.
```bash
# Show current resolved configuration
cora config show
# Set a project-level value (writes to .cora.yaml)
cora config set model claude-sonnet-4-20250514
cora config set base_url https://api.openai.com/v1
cora config set severity major
# Set a global value (writes to ~/.cora/config.yaml)
cora config set --global model gpt-4o-mini
cora config set --global provider anthropic
# Supported keys: model, provider, base_url, format, severity
```

Priority: CLI flags → env vars → `.cora.yaml` (project) → `~/.cora/config.yaml` (global) → defaults
Create a .cora.yaml config file in the current directory.
```bash
cora init
```

Generate shell completions.

```bash
cora completion bash > ~/.cora-completion.bash
cora completion zsh > ~/.cora-completion.zsh
cora completion fish > ~/.cora-completion.fish
```

Manage pre-commit git hooks.

```bash
cora hook install
cora hook uninstall
```

Cora reads configuration from multiple sources in priority order:
CLI flags → CORA_* env vars → .cora.yaml (project) → ~/.cora/config.yaml (global) → defaults
Create a .cora.yaml in your project root, or use ~/.cora/config.yaml for global settings. Project config always overrides global.
```yaml
# .cora.yaml
# Provider configuration
provider:
  provider: openai # openai | anthropic | google | ollama | custom
  model: gpt-4o-mini
  base_url: https://api.openai.com/v1 # Override for custom/self-hosted endpoints
# LLM parameters
llm:
  temperature: 0 # Default: 0 (deterministic — same diff = same issues)
  max_tokens: 4096 # Default: 4096
  timeout: 120 # Default: 120 (seconds)
  cache_ttl: 1440 # Default: 1440 (minutes) — diff-hash cache TTL
# Focus areas for review (empty = all)
focus:
  - security
  - performance
  - bugs
  - best_practice
# Review options
review:
  system_prompt: "You are a senior Rust code reviewer."
  # system_prompt_file: ./review-prompt.md # Load prompt from file
  response_format: json_object # Opt-in structured JSON output
# Scan options
# scan:
#   system_prompt: "Focus on security vulnerabilities."
#   system_prompt_file: ./scan-prompt.md
# Custom rules
rules:
  - "no unwrap"
# Ignore configuration
ignore:
  files:
    - "tests/**"
    - "vendor/**"
    - "*.generated.*"
  rules:
    - "skip-rule-1"
# Hook configuration
hook:
  mode: warn # warn | block
  min_severity: major # info | minor | major | critical
  max_diff_size: 51200 # Max diff size in bytes (50 KB)
# Output settings
output:
  format: pretty # pretty | json | compact | sarif
  color: true
```

| Variable | Description | Default |
|---|---|---|
| `OPENAI_API_KEY` | OpenAI API key | — |
| `ANTHROPIC_API_KEY` | Anthropic API key | — |
| `GOOGLE_API_KEY` | Google AI API key | — |
| `CORA_API_KEY` | API key (overrides provider-specific keys) | — |
| `CORA_MODEL` | Override model | — |
| `CORA_PROVIDER` | Override provider | — |
| `CORA_BASE_URL` | Override API base URL | — |
| `CORA_CONFIG` | Path to config file | `.cora.yaml` |
| `CORA_FORMAT` | Output format (pretty, json, compact, sarif) | `pretty` |
| `CORA_NO_COLOR` | Disable colored output | — |
| `CORA_NO_CACHE` | Skip diff-hash cache (same as `--no-cache`) | — |

API keys can be provided via environment variable (CORA_API_KEY), provider-specific env vars (OPENAI_API_KEY, etc.), or stored in ~/.cora/auth.toml (auto-created by cora auth login, permission 0600).
```bash
# Interactive login (stores key in ~/.cora/auth.toml)
cora auth login
# Or set via environment variable
export CORA_API_KEY=sk-...
```

Using the official cora-review composite action:
```yaml
name: CI
on:
  pull_request:
    branches: [develop]
jobs:
  cora-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: ./.github/actions/cora-review
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          infisical-identity-id: ${{ secrets.INFISICAL_IDENTITY_ID }}
          severity: major
          upload-sarif: 'true'
```

Or install manually:
```yaml
# Manual install in CI
- name: Install cora-cli
  run: |
    curl -fsSL https://github.com/codecoradev/cora-cli/releases/latest/download/cora-x86_64-unknown-linux-gnu.tar.gz | tar xz
    sudo mv cora /usr/local/bin/
```

```yaml
# .gitlab-ci.yml
code-review:
  stage: test
  image: rust:latest
  before_script:
    - cargo install cora-cli
  script:
    - cora review --base origin/main --severity major
  variables:
    OPENAI_API_KEY: $CI_OPENAI_API_KEY
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
```

Add cora as a git pre-commit hook for instant feedback:
```bash
# Install as pre-commit hook
cora hook install
# Review only staged files before each commit
# This runs automatically on `git commit`
# Remove the hook
cora hook uninstall
```

Or add it manually to `.git/hooks/pre-commit`:
```sh
#!/bin/sh
# cora-cli pre-commit hook
cora review --quiet --severity major
if [ $? -ne 0 ]; then
  echo "❌ Code review found critical issues. Commit blocked."
  echo " Run 'cora review' to see details, or use 'git commit --no-verify' to skip."
  exit 1
fi
```

With pre-commit framework

🚧 Planned — the pre-commit hook repo will be available soon. For now, use `cora hook install` directly.

| Feature | cora-cli | AI Agent IDE Tools | Standard Linters |
|---|---|---|---|
| Semantic code understanding | ✅ | ✅ | ❌ |
| Security vulnerability detection | ✅ | ✅ | |
| Performance suggestions | ✅ | ✅ | ❌ |
| Runs in CI/CD pipeline | ✅ | ❌ | ✅ |
| SARIF / structured output | ✅ | ❌ | ✅ |
| Zero-config quick start | ✅ | ❌ | |
| No IDE required | ✅ | ❌ | ✅ |
| Understands business context | ✅ | ❌ | |
| Near-instant feedback | ✅ | ✅ | |
| Cost per review | 💰 | 💰💰💰 | Free |
| Works with any codebase | ✅ |
cora-cli sits between traditional linters and AI IDE agents: it provides semantic understanding that static tools can't match, while being lightweight enough to run in any CI pipeline or terminal — no IDE plugin required.
- vs. Linters (clippy, eslint, etc.): Cora understands intent and context, catching logical errors, security flaws, and design issues that pattern-based tools miss.
- vs. AI IDE Agents (Copilot, Cursor): Cora is pipeline-first — it runs in CI/CD, pre-commit hooks, and headless environments. It's the tool you use when you want AI review baked into your development workflow, not tied to a specific editor.
Requires Rust 1.85+.
```bash
# Build
cargo build
# Test
cargo test
# Lint
cargo clippy -- -D warnings
# Format
cargo fmt
```

See CONTRIBUTING.md for detailed guidelines.
Contributions are welcome! Please read our Contributing Guide before submitting PRs.
This project is licensed under the MIT License — see the LICENSE file for details.
Made with 🦀 by Anaz S Aji