AI-powered code review system that analyzes code for security vulnerabilities, code quality issues, and best practice violations using Groq's fastest LLM inference.
CodeMentor AI is a full-stack application that leverages artificial intelligence to provide instant, comprehensive code reviews. It detects security vulnerabilities (SQL injection, XSS, command injection), analyzes code quality metrics, and provides actionable recommendations for improvement.
Key Features:
- ✅ Real-time code analysis with AI-powered insights
- ✅ Multi-language support (Python, JavaScript, Java, TypeScript, Go, Ruby, PHP, C++, etc.)
- ✅ OWASP Top 10 vulnerability detection
- ✅ Code quality scoring and metrics
- ✅ Server-Sent Events (SSE) streaming for real-time results
- ✅ Review history and analytics dashboard
- ✅ Beautiful, responsive React UI
- ✅ Docker Compose for easy deployment
- Framework: FastAPI (Python)
- LLM API: Groq API (gpt-oss-20b model)
- Code Analysis: Custom AST parser and vulnerability detector
- Database: MongoDB with Motor (async driver)
- Server: Uvicorn
- Streaming: Server-Sent Events (SSE)
- Framework: React 18 with TypeScript
- Build Tool: Vite
- State Management: Zustand
- Editor: Monaco Editor
- Styling: Tailwind CSS
- HTTP Client: Axios
- Node.js 16+ and npm
- Python 3.9+
- Groq API Key (free from https://console.groq.com)
- Backend Setup
cd backend
python -m venv venv
source venv/bin/activate
pip install -r requirements.txt
export GROQ_API_KEY=your_api_key_here
python -m uvicorn app.main:app --reload- Frontend Setup
cd frontend
npm install
npm run dev- Access
- Frontend: http://localhost:5173
- Backend API: http://localhost:8000
GET /api/review/stream?code=<code>&language=<language>
CodeMentorAI/
├── backend/
│ ├── app/
│ │ ├── main.py
│ │ ├── config.py
│ │ ├── api/routes.py
│ │ └── models/schemas.py
│ ├── mcp_server/
│ │ ├── server.py
│ │ └── tools/
│ └── requirements.txt
├── frontend/
│ ├── src/
│ │ ├── components/
│ │ ├── hooks/
│ │ ├── services/
│ │ └── App.tsx
│ └── package.json
└── docker-compose.yml
- Real-time code analysis with streaming results
- Multi-language support (10+ languages)
- OWASP vulnerability detection
- Code quality metrics and scoring
- Review history tracking
- Analytics dashboard
- Beautiful responsive UI
CodeMentor AI detects:
- SQL Injection attacks
- Cross-Site Scripting (XSS)
- Command Injection
- Hardcoded credentials
- Insecure deserialization
- Missing input validation
- And more OWASP Top 10 vulnerabilities
┌─────────────────────────────────────────────────────────────┐
│ Browser / Client │
│ (React 18 + TypeScript) │
│ Port: 5173 │
└────────────────────┬────────────────────────────────────────┘
│ HTTP + SSE
▼
┌─────────────────────────────────────────────────────────────┐
│ API Gateway (FastAPI) │
│ http://localhost:8000 │
│ │
│ Routes: │
│ • GET /api/review/stream (SSE) │
│ • POST /api/review (JSON) │
│ • GET /health (Status) │
└────────────────────┬────────────────────────────────────────┘
│
┌────────────┼────────────┐
│ │ │
▼ ▼ ▼
┌─────┐ ┌──────────┐ ┌─────────┐
│ MCP │ │ Groq │ │MongoDB │
│Code │ │API │ │Database │
│Parser │(LLM) │ │(Storage)│
└─────┘ └──────────┘ └─────────┘
App (Main Component)
├── Header
│ └── Navigation Tabs
├── Editor Tab
│ ├── CodeEditor (Monaco)
│ └── ReviewPanel
├── History Tab
│ └── History Table
└── Analytics Tab
└── Dashboard
Using Zustand store:
- Code and language state
- Analysis results
- Review history
- Loading/error states
- UI state (selected tab, etc.)
- Standard HTTP: POST requests for complete reviews
- Server-Sent Events: GET requests with streaming responses
- Real-time Updates: EventSource API for SSE handling
-
main.py: FastAPI application entry point
- Route definitions
- CORS configuration
- Error handlers
- Server lifecycle
-
config.py: Configuration management
- Environment variables
- Database settings
- API credentials
- Server settings
-
api/routes.py: Endpoint definitions
- /api/review (POST) - Standard review
- /api/review/stream (GET) - Streaming review
- /health (GET) - Health check
-
models/schemas.py: Data validation
- CodeReviewRequest model
- Vulnerability model
- CodeQualityMetrics model
- CodeReviewResult model
- Input Parsing: Extract code and language
- Validation: Check code size and language support
- Groq API Call: Send to LLM for analysis
- Response Processing: Parse and structure results
- Quality Calculation: Compute metrics and scores
- Result Streaming: Send via SSE or HTTP response
- server.py: Main analysis engine
- code_parser.py: Multi-language parsing and AST analysis
- vulnerability_rules.py: OWASP and security patterns
GET /api/review/stream?code=<code>&language=<language>
Response: Server-Sent Events
Event 1: {"type": "start"}
Event N: {"type": "analyzing", "progress": N%}
Event N+1: {"type": "complete", "data": {...}}
POST /api/review
Content-Type: application/json
{
"code": "...",
"language": "python"
}
Response:
{
"vulnerabilities": [...],
"quality_metrics": {...},
"score": 0-100
}
{
type: string; // SQL Injection, XSS, etc.
severity: 'critical' | 'high' | 'medium' | 'low';
line: number;
column: number;
description: string;
recommendation: string;
cwe_id?: string; // CWE reference
}{
complexity: number; // 0-100
maintainability: number; // 0-100
duplication: number; // 0-100
documentation: number; // 0-100
error_handling: number; // 0-100
}{
code: string;
language: string;
vulnerabilities: Vulnerability[];
quality_metrics: CodeQualityMetrics;
score: number; // 0-100
timestamp: Date;
}reviews
- Code submissions and analysis results
- Indexed by user_id, created_at, severity
- Stores full review history
users (Future)
- User accounts
- Authentication data
- Subscription information
- Code splitting
- Lazy component loading
- Memoization
- Request debouncing
- Async/await for concurrency
- Connection pooling
- Streaming responses
- Result caching
- Indexed queries
- Connection pooling
- Document optimization
Three services:
- Frontend: Node.js development server or Nginx
- Backend: Python FastAPI server
- MongoDB: Database service
Services will be available at:
- Frontend: http://localhost:5173
- Backend: http://localhost:8000
- MongoDB: localhost:27017
- Health checks configured
- Volume management for database
- Network isolation
- Restart policies
- Code size limit (50KB)
- Language whitelist
- Language parameter validation
- Request rate limiting (ready)
- CORS policy enforcement
- Environment variable management
- No credentials in code
- Request/response logging
- MongoDB connection with auth (configurable)
- No sensitive data in logs
- HTTPS ready for production
- Secure error messages
# Build and start all services
docker-compose up -d
# View logs
docker-compose logs -f
# Stop services
docker-compose downCreate a .env file in the backend directory:
# API Keys
GROQ_API_KEY=your_groq_api_key
LANGSMITH_API_KEY=optional_langsmith_key
# Database
MONGODB_URL=mongodb://localhost:27017
DATABASE_NAME=codementor
# Server
API_HOST=0.0.0.0
API_PORT=8000
API_TITLE=CodeMentor AI
API_VERSION=1.0.0
# Frontend
FRONTEND_URL=http://localhost:5173backend/app/main.py- FastAPI server with Groq integrationbackend/app/config.py- Configuration managementbackend/app/api/routes.py- API endpoint definitionsbackend/app/models/schemas.py- Pydantic data modelsbackend/app/utils/prompts.py- AI prompt templatesbackend/mcp_server/server.py- Code analysis enginebackend/mcp_server/tools/code_parser.py- Multi-language parserbackend/mcp_server/tools/vulnerability_rules.py- Vulnerability patternsbackend/requirements.txt- Python dependenciesbackend/Dockerfile- Backend container configuration
frontend/src/main.tsx- React entry pointfrontend/src/App.tsx- Root componentfrontend/src/components/Header.tsx- Navigation headerfrontend/src/components/CodeEditor.tsx- Monaco editorfrontend/src/components/ReviewPanel.tsx- Results displayfrontend/src/components/History.tsx- Review historyfrontend/src/components/Analytics.tsx- Dashboardfrontend/src/hooks/useReview.ts- Review logic hookfrontend/src/services/api.ts- API clientfrontend/src/store/reviewStore.ts- Zustand storefrontend/src/types/index.ts- TypeScript typesfrontend/src/styles/globals.css- Global stylesfrontend/package.json- Node dependenciesfrontend/vite.config.ts- Vite configurationfrontend/tailwind.config.js- Tailwind CSS configfrontend/tsconfig.json- TypeScript configfrontend/Dockerfile- Frontend container config
docker-compose.yml- Multi-container orchestration.env.example- Environment variables template.gitignore- Git ignore patternsrequirements.txt- Root level dependencies
README.md- This fileSETUP_GUIDE.md- Detailed setup instructionsARCHITECTURE.md- Technical architecture detailsCONTRIBUTING.md- Contribution guidelinesCHANGELOG.md- Version historyLICENSE- MIT License
The repository includes comprehensive test code examples in test_code.txt:
- Python examples (SQL injection, hardcoded credentials, command injection)
- JavaScript examples (XSS, insecure API calls, unvalidated redirects)
- Java examples (SQL injection, security misconfiguration)
- TypeScript examples (unsafe type assertions)
- Code quality issues (poor naming, high complexity)
Q: What LLM model does it use? A: Groq's gpt-oss-20b model via free Groq API (https://groq.com)
Q: Is my code private? A: Code is analyzed in-memory and not stored unless you explicitly save reviews to MongoDB.
Q: Can I self-host? A: Yes, clone the repo and follow the local development setup. Docker Compose makes it easy.
Q: What programming languages are supported? A: Python, JavaScript, TypeScript, Java, Go, Ruby, PHP, C++, C#, Rust, Swift, and more.
Q: How accurate are the vulnerability detections? A: Achieved 85% vulnerability detection accuracy in testing. Results vary by code complexity.
- Fork the repository
- Create a feature branch (
git checkout -b feature/amazing-feature) - Commit changes (
git commit -m 'Add amazing feature') - Push to branch (
git push origin feature/amazing-feature) - Open a Pull Request
See CONTRIBUTING.md for detailed guidelines.
MIT License - see LICENSE file for details
Shoaib - Full Stack Developer
- GitHub: @shoaib1522
- Email: sa1670001@gmail.com
- User authentication and account management
- Team collaboration features
- Integration with GitHub, GitLab, Bitbucket
- Automated CI/CD pipeline checks
- Custom rule creation for organizations
- Performance benchmarking dashboard
- Mobile app
- API rate limiting and quotas
For issues, feature requests, or questions:
- Open an issue on GitHub
- Check existing issues and discussions
- Review the documentation
Star ⭐ this repository if you find it helpful!