A complete code review system — 154 patterns + AI deep reasoning, all local, all free.
One tool. Terminal or AI agent. Your code never leaves your machine.
codelens review # 154 patterns, persistent index, <1 secondPerfect for: pre-commit checks, CI/CD pipelines, quick scans.
/codelens # or just say "review my code"
Pattern scan + AI deep review using the codebase index. The AI uses CodeLens's call graph, schema graph, and column registry as context to reason about your code. It catches things patterns can't: business logic bugs, semantic issues, novel vulnerabilities.
| CodeLens | Commercial Tools | SonarQube | CodeRabbit | |
|---|---|---|---|---|
| Price | Free (MIT) | $99-499/mo | $150+/mo | $12/user/mo |
| Privacy | 100% local | Cloud-only | Cloud or self-host | Cloud-only |
| First scan | 4 seconds | 5-15 minutes | Minutes | Minutes |
| Incremental | 60ms | Re-indexes | Seconds | Minutes |
| Pattern matching | 154 patterns | Regex-based | 5,000+ rules | LLM-only |
| AI reasoning | Built-in (agent mode) | LLM-only | None | LLM-only |
| Custom rules | 3-line YAML | No | Complex XML | No |
| AI CLI native | Claude/Codex/Gemini/Cursor | GitHub only | None | GitHub only |
| Runtime deps | 0 | N/A | Java runtime | N/A |
CodeLens is both: fast deterministic pattern matching AND AI-powered deep review when paired with an agent. No other tool does both.
Methodology: Comparison based on documented capabilities and public benchmarks (March 2026). Pattern counts reflect unique detection rules. "AI reasoning" means semantic analysis beyond pattern matching. Performance measured on a 50K-line TypeScript codebase. CodeLens benchmarks are reproducible — run
./benchmarks/run-benchmark.sh.
# Install
git clone https://github.com/shami-ah/codelens.git ~/codelens
cd ~/codelens && npm install
# In any project:
cd /path/to/your/project
npx tsx ~/codelens/bin/codelens.ts init # 4s — builds codebase index
npx tsx ~/codelens/bin/codelens.ts review # <1s — reviews your changesThe AI adapter ships with CodeLens in adapters/ — nothing to configure separately.
| Tool | Setup | Usage |
|---|---|---|
| Claude Code | cp ~/codelens/adapters/claude-code/SKILL.md ~/.claude/commands/codelens.md |
/codelens or "review my code" |
| Codex CLI | cp ~/codelens/adapters/codex/instructions.md .codex/commands/codelens.md |
/codelens |
| Gemini CLI | cp ~/codelens/adapters/gemini/GEMINI.md .gemini/ |
Follow instructions in file |
| Cursor | Add adapters/cursor/ rules to your .cursorrules |
Automatic on save |
One copy command, then CodeLens handles everything — pattern scan runs first, AI reasons over findings using the codebase index.
CodeLens builds a persistent codebase index on first run:
.code-review/
call-graph.json — 62K+ edges: who calls what
type-graph.json — type definitions and usage sites
schema-graph.json — DB tables, columns, RLS policies
column-registry.json — cross-references code queries against DB schema
On each review, it incrementally updates the index (60ms), then runs a 5-pass review:
Pass 0: Pre-flight — detect stack, run linters, map changes by layer
Pass 1: Layer analysis — read full files bottom-up (DB -> API -> Hooks -> UI)
Pass 2: Cross-file — taint analysis, column verification, template injection
Pass 3: Pattern scan — 113 stack-specific + universal patterns
Pass 4: Self-validation — dedup, diff-awareness, FP suppression, OWASP/CWE tags
In AI agent mode, the agent receives the full index + findings as context and adds a reasoning pass on top — catching semantic issues that no pattern can express.
| Module | Patterns | What It Catches |
|---|---|---|
| react-supabase-ts | 48 | Supabase error swallowing, PostgREST truncation, column mismatches, React lifecycle bugs, payment logic, RLS gaps |
| python-django | 25 | N+1 queries, SQL injection, mass assignment, CSRF bypass, template injection, ORM pitfalls |
| go | 20 | Unchecked errors, goroutine leaks, nil pointer, race conditions, SQL injection, missing timeouts |
| universal | 20 | Empty catch blocks, hardcoded secrets, XSS, eval(), open redirect, ReDoS, prototype pollution |
Every pattern includes OWASP Top 10 mapping, CWE IDs, severity scoring, and a concrete fix suggestion.
rules:
- id: TEAM-1
name: "No console.log in production"
severity: WARNING
pattern: "console\\.log\\("
files: "*.ts,*.tsx"
exclude: "*.test.*"
fix: "Use the project logger instead"CodeLens loads custom rules automatically. No compilation, no restart.
# .github/workflows/codelens.yml
name: CodeLens
on: [pull_request]
permissions: { contents: read, pull-requests: write }
jobs:
review:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with: { fetch-depth: 0 }
- uses: shami-ah/codelens@main
with: { base-ref: "${{ github.event.pull_request.base.ref }}" }Every PR gets a review comment with findings, severity, and fix suggestions. Critical findings fail the check.
CodeLens tracks its own accuracy and auto-adjusts:
- Pattern scoring — tracks
times_firedvstimes_suppressed_as_fp. Noisy patterns (>50% FP) auto-downgrade. Proven patterns (<5% FP) boost to HIGH confidence. - Learn from fixes —
codelens learn HEADanalyzes your commit diff against known patterns and marks confirmed ones as effective. - Pattern suggestions — after 10+ reviews, suggests new patterns based on recurring findings.
No black-box ML. No cloud training. Deterministic scoring you can inspect in .code-review/*.json.
Benchmarked on a 1,622-file React+Supabase+Stripe production app:
| Operation | Time |
|---|---|
| First index (1,622 files) | 4.0s |
| Incremental (no changes) | 60ms |
| Review 7 changed files | 780ms |
| Review 456 files (full PR) | 12s |
Every review auto-generates a diagram based on what changed:
| Change Type | Diagram |
|---|---|
| API/edge functions | Sequence diagram (Client → API → DB flow) |
| Database migrations | ER diagram (table relationships) |
| Types/interfaces | Class diagram (type hierarchy) |
| Components/hooks | Flowchart (data flow) |
Findings are annotated on the diagram with
CodeLens tracks which findings developers address vs ignore, and auto-suppresses noise:
codelens noise status # See noise profile
codelens noise threshold 0.8 # Adjust sensitivityUses TF-IDF similarity (zero dependencies) — findings similar to 3+ previously-ignored ones are auto-suppressed. Per-project, grows smarter with every review.
codelens init Build codebase index (~4s)
codelens review Review uncommitted changes
codelens review --since <ref> Review since branch/commit
codelens review --staged Review staged changes only
codelens review --format json|sarif Machine-readable output
codelens index status Show index health
codelens index rebuild Full rebuild
codelens detect Show detected stack
codelens patterns list Show loaded pattern modules
codelens learn <sha> Learn from a fix commit
codelens learn-from-prs Discover patterns from team PR comments
codelens stats Pattern effectiveness + history
codelens suggest Suggested new patterns
codelens summary [week|day|month] What was done this period
codelens noise status Noise filter profile
codelens noise threshold <0-1> Set noise sensitivity
codelens feedback fp <p> <f> <l> Suppress false positive
Changed Files → Stack Detection → Index Lookup
↓
Pass 0: Pre-flight (linter, lockfile, layer map)
Pass 1: Bottom-up layer analysis (DB → API → Hooks → UI)
Pass 2: Cross-file data flow tracing (taint, UX, permissions)
Pass 3: 154 stack-specific patterns + dependency scan + test coverage
Pass 3.5: Test coverage delta analysis
Pass 3.6: Dependency vulnerability scanning (42+ known vulns)
Pass 4: Self-validation (dedup, diff-awareness, confidence scoring, noise filter)
↓
PR Risk Score (1-10) + Unified Report (markdown/JSON/SARIF)
| Decision | Why |
|---|---|
| Zero runtime dependencies | Portability — works anywhere Node.js runs, no native binaries |
| Regex-based parsing | Speed — 60ms incremental vs minutes for AST. Catches 95% of patterns |
| Persistent index | Context — call graph, schema graph, fingerprints survive across reviews |
| 4-module pattern system | Precision — stack-specific patterns reduce false positives |
| SARIF output | Integration — standard format for GitHub, VS Code, CI/CD tools |
| Self-learning | Improvement — tracks pattern effectiveness, learns from FP feedback |
| PR Risk Score | Transparency — weighted score (1-10) explaining WHY a change is risky |
| Diff-awareness | Precision — distinguishes new bugs from pre-existing, downgrades accordingly |
| Operation | Time | Details |
|---|---|---|
| First index | ~4 seconds | Full codebase scan, call graph, schema extraction |
| Incremental index | ~60ms | Git diff-based, only re-parses changed files |
| Pattern review | <1 second | 154 patterns across matched stack modules |
| AI agent review | 10-30 seconds | Pattern scan + full AI deep analysis |
Built from analyzing thousands of real code review comments across hundreds of PRs on production applications. The review methodology evolved through 12 iterations, competing head-to-head with commercial review tools until CodeLens matched — then exceeded — their accuracy while running 100x faster.
Built from analyzing 300+ production PRs and 1,500+ code review comments:
- Regex catches 95% of what AST does for code review — the remaining 5% (cross-file type inference, complex control flow) will come in v0.2 with tree-sitter
- False positive rate matters more than detection count — 154 high-confidence patterns beat 5,000 noisy rules
- Persistent indexing is the unlock — without call graphs and schema context, cross-file bugs are invisible
- Stack-specific patterns >> generic rules — a Supabase error pattern is 10x more precise than a generic "unchecked error" rule
- Self-learning compounds — tracking which patterns fire and which get suppressed automatically improves precision over time
- PR Risk Score adds transparency — developers trust reviews more when they understand WHY something is flagged as risky
- v0.1 (shipped): 154 patterns, 5-pass engine, 4 AI adapters, self-learning, PR risk score
- v0.2 (current): Security taint tracking,
codelens explain, npm publish ready, benchmarks - v0.3 (next): Tree-sitter AST integration for semantic analysis beyond regex
- v0.4: VS Code extension with inline findings
- v0.5: GitHub App for automated PR reviews
- v1.0: Pattern marketplace — community-contributed rule modules
MIT — free for personal and commercial use. Your code stays on your machine.