Critiq is an open source code review toolchain. The public CLI (`@critiq/cli`) and rules catalog (`@critiq/rules`) scan your repository locally and return deterministic findings you can use in the terminal or CI.

Does Critiq send my code to the cloud?

The OSS CLI runs locally on your machine or in your CI runner. It analyzes files in your checkout and does not upload your source to Critiq by default. Hosted Critiq Cloud features are optional and separate from the open source CLI.

How is this different from AI review tools?

Critiq findings come from explicit, testable rules, not probabilistic model output. You can inspect each rule, reproduce results, and tune what runs in CI. That makes feedback consistent and auditable.

Is Critiq open source?

Yes. The core engine, public CLI, and OSS rules catalog are open source under the Critiq GitHub organization. Premium rule packs and hosted product features are separate offerings.

Open source

The CLI that reviews your code against rules you can read.

Install the Critiq CLI and the public rules catalog, then run a full review in your terminal or CI. Every finding maps to a rule you can open, test, and tune.

Get Started for Free View on GitHub

Open source
Runs locally
No black box

bash

$ npx critiq check .critiq v1.0.0   @critiq/rules · 435 rules loadedscanning 128 files ............ done (1.2s)src/api/session.ts:9   high   ts.security.hardcoded-credentials  Literal secret in source. Load it from the environment.src/db/users.ts:24     high   ts.security.sql-interpolation  User input concatenated into SQL. Use a parameterized query.src/lib/price.ts:5     med    ts.correctness.use-number-is-nan2 high · 1 medium across 3 files# critiq rules explain <id> to read any rule

Quickstart

Install and scan in under a minute

Install Critiq globally, then run a scan from any repo. The same commands work on your machine and on your CI runner.

No account and no upload. Critiq reads your files and prints findings right in the terminal.

bash

$ npm install -g @critiq/cli @critiq/rules$ critiq check .

What it checks

Four lanes of feedback, one transparent catalog.

The public @critiq/rules catalog spans security, correctness, performance, and quality, with framework packs for the stacks you already use.

TypeScript
JavaScript
Python
Java
Go
Ruby
Rust
PHP

Security: Auth gaps, injection, unsafe execution, SSRF, weak crypto, and framework-specific misconfigurations. Security rules cite CWE and OWASP references where relevant.
Correctness: Logic footguns, async mistakes, empty catches, and language-specific correctness patterns that slip past review.
Performance: Hot-loop allocations, redundant fetches, unbounded concurrency, and render-path inefficiencies.
Quality: Maintainability smells, testing hygiene, and consistency rules that keep reviews calm and actionable.

Browse the rules catalog

How it works

From install to a gated pull request.

Install the CLI
Install the CLI and public rules catalog globally, or pin them in CI with npm.
$ npm install -g @critiq/cli @critiq/rules
Run a review
Point Critiq at your repo, a diff against main, or just your staged changes.
$ critiq check .
Read the rule
Every finding prints a rule id you can open and inspect, with references and the fix it expects.
$ critiq rules explain ts.security.sql-interpolation
Gate in CI
Emit JSON or SARIF and fail the build on the severities your team actually cares about.
$ critiq check . --format sarif --fail-on high

High-value rules

The findings teams keep merging without.

A look at rules that catch real bugs before they ship. Each one is a small file you can open, test, and tune.

TSsrc/api/session.ts

8 export function signSession(user: User) {
9-  const secret = "sk_live_7f3a9c2e1b4d";
9+  const secret = process.env.SESSION_SIGNING_SECRET;
10   return jwt.sign({ sub: user.id }, secret);

HighSecurity

Hardcoded credentials

Surfaces literal secrets in source so signing keys never land in git history.

ts.security.hardcoded-credentialsView this rule

Browse the rules catalog

CLI reference

One binary, every review workflow.

The CLI runs the same rules locally and in CI. Switch tabs to see the commands your team will reach for most.

Scan a directory with the configured rules catalog.

Read the full CLI reference

npx critiq check .

Run it locally. Read every rule. Decide from the output.

Install the CLI, run your first scan, and open the rules behind each finding.

Read the docs View on GitHub

The CLI that reviews your code against rules you can read.

Install and scan in under a minute

Four lanes of feedback, one transparent catalog.

From install to a gated pull request.

Install the CLI

Run a review

Read the rule

Gate in CI

The findings teams keep merging without.

Hardcoded credentials

One binary, every review workflow.

Run it locally. Read every rule. Decide from the output.