Cora is a fast, native CLI that uses any LLM to review your code — in your terminal, CI/CD, git hooks, or directly inside AI coding agents. Bring your own key, pick any model, review in seconds.
- 🤖 Multi-LLM — OpenAI, Anthropic, Groq, Ollama, Z.AI, or any OpenAI-compatible API
- ⚡ Native Rust — fast binary, no runtime dependencies, cross-platform
- 🪝 Pre-commit hooks — catch issues before they reach CI
- 📋 SARIF output — upload to GitHub Code Scanning
- 🛡️ Deterministic scanners — 11 security patterns + 12 secret detection patterns that run without LLM
- 🧠 Language-specific analysis — tailored review guidance for Dart/Flutter, Svelte, TypeScript, Go, Rust, Python
- 🚧 Quality gate — configurable pass/fail thresholds for CI enforcement
- 📐 Quality profiles — strict, balanced, or lax presets for different project needs
- 📏 Custom rule engine — write your own regex rules in
.cora.yaml - ✂️ Auto-chunking — splits large PRs into reviewable chunks automatically
- 🔌 MCP server — expose rules and config to AI agents (Claude Code, Cursor, Copilot, Windsurf)
- 💾 Diff-hash caching — skip repeat reviews automatically
- 🔧 Configurable — per-project
.cora.yaml, global~/.cora/config.yaml, or env vars
Pick one install method — mixing channels can leave stale binaries on your PATH.
| Method | When to use |
|---|---|
curl … install.sh (recommended) |
Quick standalone install; fetches the latest GitHub release binary |
cargo install --git … |
You already have a Rust toolchain; builds from source |
| Pre-built binaries | Manual download from Releases |
# Recommended: Cora only (standalone)
curl -fsSL https://raw.githubusercontent.com/codecoradev/cora-cli/main/install.sh | sh
# Or install both Cora + Uteke (code review with memory)
curl -fsSL https://raw.githubusercontent.com/codecoradev/cora-cli/main/install-bundle.sh | sh
# Or build from source with cargo
cargo install --git https://github.com/codecoradev/cora-cliPin a version:
CORA_VERSION=v0.6.1 curl -fsSL ... | sh
Verify which cora you're running — which -a cora will reveal stale copies from other channels:
which -a cora # list every `cora` on your PATH (one entry = healthy)
cora --version # should match the latest releaseIf which -a cora shows more than one path (e.g. ~/.local/bin/cora and ~/.cargo/bin/cora), remove the one you don't want or reorder your PATH. See Issue #314 for background.
macOS note — binary killed on launch (Killed: 9)?
The prebuilt aarch64-apple-darwin binary is not Apple-notarized. On macOS, downloaded
binaries may be tagged with com.apple.quarantine / com.apple.provenance and killed by
Gatekeeper with no error message.
The install.sh installer strips these attributes automatically. If you downloaded the
binary manually (e.g. gh release download), strip them yourself:
xattr -dr com.apple.quarantine /path/to/cora
xattr -dr com.apple.provenance /path/to/coraOr install via cargo / Homebrew to sidestep Gatekeeper entirely.
cora auth loginPick a provider, enter your API key. Done. Provider env vars (ZAI_API_KEY, OPENAI_API_KEY, etc.) are auto-detected.
cora review # staged changes
cora review --base main # vs a branch
cora review --unpushed # unpushed commits
cora commit # review + generate commit msg + commit
cora commit --yolo # auto-commit, no promptscora init # creates .cora.yaml + installs pre-commit hookPriority: CLI flags → env vars → .cora.yaml (project) → ~/.cora/config.yaml (global) → defaults
# .cora.yaml
provider: zai
model: glm-5.1
focus: [security, bugs]
# Quality gate — enforce code quality in CI
quality_gate:
enabled: true
thresholds:
max_critical: 0 # 0 critical = gate FAIL
max_security: 0 # 0 security findings = gate FAIL
categories:
performance:
action: warn # warn only, don't fail CI
max_findings: 5cora config show # effective merged config
cora config show --global # ~/.cora/config.yaml
cora config show --project # .cora.yaml| File | Purpose |
|---|---|
~/.cora/auth.toml |
API key (secret, chmod 600) |
~/.cora/config.yaml |
Global defaults (provider, model, etc.) |
.cora.yaml |
Per-project overrides |
See Configuration → for full reference.
# .github/workflows/cora-review.yml
on: pull_request
jobs:
review:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with: { fetch-depth: 0 }
- uses: codecoradev/cora-review-action@v1
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
cora-api-key: ${{ secrets.CORA_API_KEY }}Required secrets: CORA_API_KEY, CORA_BASE_URL (optional), CORA_MODEL (optional)
See GitHub Marketplace for full documentation.
Works on all CI platforms — Gitea, GitLab, Bitbucket →
| Command | Description |
|---|---|
cora commit |
Review + generate commit message + commit |
cora review |
Review code changes |
cora scan |
Scan files for issues |
cora init |
Create project config + hook |
cora auth login |
Save API key |
cora config show |
Show resolved config |
cora providers |
List available LLM providers |
cora debt |
Show tech debt report from review history |
cora review --memory |
Recall project patterns from Uteke before review |
cora review --learn |
Recall + save findings to Uteke |
cora mcp |
Start MCP server for AI coding agents |
cora hook install |
Install pre-commit hook |
See CLI Reference → for all flags and examples.
Cora works 100% standalone. Install Uteke to unlock memory-powered reviews that learn from your codebase history.
| Mode | Command | What it does |
|---|---|---|
| Standalone (default) | cora review |
AI review, zero deps |
| Memory recall | cora review --memory |
Recall project patterns before review |
| Learning | cora review --memory --learn |
Recall + save findings after review |
# Install Uteke separately
curl -fsSL https://raw.githubusercontent.com/codecoradev/uteke/main/install.sh | sh
# Or install both at once
curl -fsSL https://raw.githubusercontent.com/codecoradev/cora-cli/main/install-bundle.sh | sh
# Enable memory
export PATH="$HOME/.local/bin:$PATH"
cora review --staged --memory --learnYour code review gets smarter every sprint.
| Variable | Description |
|---|---|
CORA_API_KEY |
API key (CI use) |
CORA_PROVIDER |
Override provider |
CORA_MODEL |
Override model |
CORA_BASE_URL |
Override API base URL |
Provider-specific keys are auto-detected: OPENAI_API_KEY, ANTHROPIC_API_KEY, GROQ_API_KEY, ZAI_API_KEY
| Page | Description |
|---|---|
| Getting Started | Install, auth, first review |
| Configuration | Config files, env vars, priority |
| CLI Reference | All commands and flags |
| Providers | Supported LLM providers |
| Examples | Common workflows & CI setup |
| Changelog | Release history |
| Roadmap | Planned features |
See CONTRIBUTING.md for guidelines. PRs welcome!
