free, open-source, self-hosted GitHub PR reviewer that replaces coderabbit.
Thanks to the contributors and maintainers for making OpenRabbit possible.
OpenRabbit is a free (you can even get a free LLM API, as explained below), open-source, self-hosted GitHub Pull Request reviewer. It analyzes PR diffs, consults a pluggable LLM provider (Groq / OpenRouter / others), and posts a concise, structured review: a human-readable summary and accurate inline comments or suggestions.
You don't need to pay for a subscription or manage a server. OpenRabbit runs completely on your own GitHub Actions environment. Your code stays in your runner; it is never proxied or stored by a central authority.
Simply create a file at .github/workflows/reviewer.yml and paste the following:

```yaml
name: OpenRabbit Reviewer
on:
  pull_request_target:
    types: [opened, reopened, edited, synchronize]
permissions:
  contents: read
  pull-requests: write
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - name: OpenRabbit
        # Pinning to a release tag or full commit SHA instead of @main avoids
        # silently pulling in whatever the branch contains on each run.
        uses: aryan6673/openrabbit@main
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          llm_api_key: ${{ secrets.LLM_API_KEY }}
          llm_provider: openrouter # Or groq
          llm_model: openrouter/free # Use world-class models for $0
          review_mode: both
          tone_mode: balanced
```

Important: Never hardcode your API key directly into your workflow file or commit it to GitHub.
Instead, store it safely using GitHub Actions Secrets:
- Open your GitHub repository
- Go to Settings
- Navigate to Secrets and variables → Actions
- Click New repository secret
- Create a secret named LLM_API_KEY
- Paste your API key as the value
- Click Add secret
OpenRabbit will automatically use the secret securely inside your GitHub Actions workflow.
This keeps your API key encrypted and prevents accidental leaks in commits, logs, or pull requests.
OpenRabbit takes a stand for Open Source Ethics.
Centralized companies like CodeRabbit have become "blast-radius multipliers". In late 2025, a critical security vulnerability in their platform exposed over 1 million repositories to potential Remote Code Execution (RCE) because users were forced to grant broad write access to a third-party cloud.
OpenRabbit destroys this risk by shifting the power back to the developer. By running client-side in your own CI/CD, you maintain total data sovereignty. We believe you shouldn't have to trade your project's security for AI productivity.
- Fixes the "Context Blindness" Problem: Most AI reviewers act like your code exists in isolation, which is kinda dumb. OpenRabbit actually tries to understand the whole project:
  - Two-Stage File Fetch: If it feels like it's missing context, it can pull in extra files instead of just judging the diff blindly.
  - Linked Issue Awareness: It reads linked GitHub issues so it knows what the code is supposed to do, not just whether it compiles.
- "Socratic Scaffold" (Basically a Mentor Mode): Instead of just dumping the answer, it acts like a mentor and asks questions so you figure stuff out yourself. It explains why something is wrong or risky, not just what is wrong. It only gives direct fixes when something is simple or obvious.
- "Performance & Scalability Expert": This one is for serious code. It checks for things like race conditions, memory leaks, and slow logic (like O(n²)). It also makes sure you're not ignoring caching or rewriting stuff that already exists. Basically, it asks: "Will this still work if traffic becomes 10x?"
- "Security Auditor" (Catches Real Issues, Not Fake Ones): It ignores the PR description at first so it doesn't get biased and just looks at the code. Then it checks for real problems like SQL injection, XSS, or broken auth. It also calls out fake "security improvements" where someone removes checks but claims things got safer.
- No More "AI Slop": You know that polished but useless AI feedback? Yeah, this avoids that:
  - Suggestion Validation: It checks whether suggestions actually match your code before showing them.
  - Senior Engineer Voice: It talks more like a real tech lead instead of nitpicking random naming stuff.
- Stops "Vibe Coding" (DRIFT Detection): It flags when you change stuff that has nothing to do with the PR, like random refactors or cleanup. It tells you to move that into a separate PR so things stay clean and easy to review.
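The Suggestion Validation step above (only post a fix if the code the model quotes really is what sits at the lines it claims) can be checked against the PR's unified diff before anything reaches GitHub. This is an added example written for this page, not OpenRabbit's own code; the diff, the path app/db.py and the quoted suggestion are constructed sample input, and the fix it proposes is a parameterised query for the SQL injection the Security Auditor section mentions.

```python
import re

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def new_side_lines(diff: str) -> dict[str, dict[int, str]]:
    """Per file: {new-file line number: text} for every line that exists after the
    change (context and '+' lines). Removed ('-') lines cannot anchor a suggestion."""
    files, path, new_no, after_minus_header = {}, None, 0, False
    for raw in diff.splitlines():
        if raw.startswith("+++ ") and after_minus_header:  # '--- a/x' then '+++ b/x'
            path = raw[4:].removeprefix("b/")
            files[path] = {}
        elif raw.startswith("@@"):
            new_no = int(HUNK_RE.match(raw).group(1))  # first new-side line of the hunk
        elif path and raw[:1] in ("+", " "):
            files[path][new_no] = raw[1:]
            new_no += 1
        after_minus_header = raw.startswith("--- ")
    return files

def validate_suggestion(diff, path, start, end, original, replacement):
    """Keep a model suggestion only if the code it quotes is exactly what the diff
    shows at the new-file lines it claims; otherwise return why it was dropped."""
    lines = new_side_lines(diff).get(path)
    if lines is None or start > end:
        return False, "file not in diff or bad line range"
    wanted = range(start, end + 1)
    if any(n not in lines for n in wanted):
        return False, "claimed lines are outside the diff; nothing to anchor to"
    if [lines[n].rstrip() for n in wanted] != [l.rstrip() for l in original.splitlines()]:
        return False, "quoted code does not match the diff (hallucinated anchor)"
    if replacement.strip() == original.strip():
        return False, "replacement is identical to the original (no-op)"
    return True, "ok"

# Constructed sample PR: string concatenation is swapped for %-formatting, which is
# still injectable. A sound suggestion targets new lines 11-12 with a parameterised query.
SAMPLE_DIFF = """\
--- a/app/db.py
+++ b/app/db.py
@@ -10,4 +10,5 @@ def get_user(conn, username):
     cur = conn.cursor()
-    cur.execute("SELECT * FROM users WHERE name = '" + username + "'")
+    query = "SELECT * FROM users WHERE name = '%s'" % username
+    cur.execute(query)
     row = cur.fetchone()
     return row
"""
QUOTED = '    query = "SELECT * FROM users WHERE name = \'%s\'" % username\n    cur.execute(query)'
FIX = '    cur.execute("SELECT * FROM users WHERE name = %s", (username,))'
```

A suggestion that quotes the removed concatenation line, or points at a line the diff never touched, is dropped with the reason instead of being posted as a broken inline fix.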
By default, this project uses the OpenRouter free model pool.
It's not perfect; the main issue is rate limits. To deal with that, it automatically rotates between different free models on OpenRouter so you don't keep hitting the same limit again and again. It works, but it's not super reliable or consistent.
If you want better performance and fewer interruptions, you should use your own API key.
The review_mode input accepts:
- summary: single summary review comment (no inline comments)
- inline: post only inline comments and suggestions
- both: post both the summary and inline comments (default)
- Open an issue or PR
- See src/llm for adding new provider adapters
Licensed under the MIT license.