# Iara

Iara is an automated, project-agnostic, configurable code review tool designed to run in CI/CD pipelines or locally via CLI. It connects directly to the LLM provider of your choice: OpenRouter (free models), OpenAI, Google Gemini, or Anthropic Claude.
- Features
- Capabilities
- Installation and Setup
- How to Use
- Privacy & Security
- Documentation
- Tests
- Contributing
- License
## Features

- Agnostic: Configure your project context (Tech Stack, Rules) via JSON.
- Multi-Provider: Connect directly to OpenRouter, OpenAI, Google Gemini, Anthropic Claude, Groq, or Ollama (local, no API key).
- Smart Fallback: Automatically tries free models if the preferred one fails (OpenRouter only).
- Rules-Based (Static): Identifies dangerous patterns instantly without spending tokens (e.g., `GetComponent` in loops in Unity).
- LLM-Based (Intelligent): Uses AI to understand logic, security, and context, going beyond syntax.
- GitHub + GitLab: Native integration with both platforms, with automatic comments on PRs/MRs.
- Multi-Language Reviews: Configure the output language; reviews can be written in English, Portuguese, Spanish, French, and more.
## Capabilities

Iara combines different types of analysis for a complete review:
| Type | What does it do? | Does Iara cover it? | How? |
|---|---|---|---|
| Static Analysis | Finds bugs by reading code (fast). | Yes | Via Extensions (Regex) and LLM. |
| Linting | Fixes style and formatting. | Yes | LLM can suggest Clean Code. |
| SAST | Finds security flaws in code. | Yes | Primary focus on vulnerability detection. |
| Dynamic Analysis | Finds bugs by running the app (slow). | No | Focus on fast CI/CD (Code Review). |
- Unity / Game Dev:
  - Use of slow APIs (`Find`, `GetComponent`) in critical loops (`Update`).
  - Excessive memory allocation (Garbage Collection).
  - Excess logging (`Debug.Log`) in final builds.
- Security (General):
  - Hardcoded credentials (Passwords, API Keys).
  - Injection vulnerabilities (SQL, Command).
  - Missing input validation.
- Code Quality:
  - Complex or confusing logic.
  - Exception handling errors.
  - Refactoring suggestions for readability.
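As an added example (not Iara's own code), this is what a token-free, rules-based check of the kind the Static rules above describe looks like: a few regex rules run over a constructed Unity C# snippet, with brace tracking so that a `GetComponent` cached once in `Start()` is not reported while the same call inside `Update()` is. The rule names and the sample file are constructed for this illustration.

```python
"""Added example (not Iara's own code): a token-free regex rule engine in the
spirit of Iara's Extensions. Rule names and the C# sample are constructed."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    text: str

# (rule name, pattern, report only inside an Update-style method body?)
RULES = [
    ("unity-slow-api-in-update", re.compile(r"\b(GetComponent|Find|FindObjectOfType)\s*[<(]"), True),
    ("unity-debug-log", re.compile(r"\bDebug\.Log\w*\s*\("), False),
    ("hardcoded-credential",
     re.compile(r"""(?i)\b(password|passwd|secret|api[_-]?key|token)\s*=\s*["'][^"']+["']"""), False),
]
UPDATE_HEADER = re.compile(r"\bvoid\s+(Update|FixedUpdate|LateUpdate)\s*\(")

def review(source: str) -> list[Finding]:
    """Scan C# line by line. Brace counting tracks whether the line sits inside
    Update()/FixedUpdate()/LateUpdate(), so a lookup cached in Start() is not flagged."""
    findings: list[Finding] = []
    in_update, depth = False, 0
    for lineno, line in enumerate(source.splitlines(), start=1):
        if not in_update and UPDATE_HEADER.search(line):
            in_update, depth = True, 0
        for rule, pattern, update_only in RULES:
            if (in_update or not update_only) and pattern.search(line):
                findings.append(Finding(rule, lineno, line.strip()))
        if in_update:
            depth += line.count("{") - line.count("}")
            if depth <= 0 and "}" in line:  # the method's closing brace
                in_update = False
    return findings

SAMPLE_CS = """\
public class Player : MonoBehaviour {
    private string apiKey = "sk-live-CONSTRUCTED-EXAMPLE";
    void Start() { var body = GetComponent<Rigidbody>(); }  // cached once: fine
    void Update() {
        var rb = GetComponent<Rigidbody>();  // every frame: slow
        Debug.Log("tick");
    }
}
"""
if __name__ == "__main__":
    for f in review(SAMPLE_CS):
        print(f"{f.rule} (line {f.line}): {f.text}")
```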
## Installation and Setup

```bash
pip install iara-reviewer
```

Then run the setup wizard:

```bash
iara init
```

The wizard guides you through 5 steps:
- Language: Choose the review output language (`en`, `pt-br`, `es`, `fr`, etc.)
- Provider: Choose your LLM provider, one of `openrouter` (default, free), `openai`, `gemini`, `anthropic`, `groq`, or `ollama` (local)
- API Key: Enter the key for the chosen provider (skipped for Ollama; validated and saved to `~/.iara/config.json`)
- Project: Name, tech stack, description
- Preferences: Focus areas (Security, Performance, etc.)
Done! Project config is saved at `.iara.json`.
## How to Use

Pipe a diff into `iara` to review it:

```bash
git diff main | iara
```

Check the current authentication status:

```bash
iara auth status
```

Set the provider and its key via environment variables:

```bash
# OpenRouter (default; free models available)
export OPENROUTER_API_KEY="sk-or-..."
# OpenAI
export IARA_PROVIDER="openai"
export OPENAI_API_KEY="sk-..."
# Google Gemini
export IARA_PROVIDER="gemini"
export GEMINI_API_KEY="AIza..."
# Anthropic Claude
export IARA_PROVIDER="anthropic"
export ANTHROPIC_API_KEY="sk-ant-..."
```

API key resolution priority: environment variable > global config (`~/.iara/config.json`).
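As an added example (not Iara's own code), the resolution order stated above, with the `IARA_PROVIDER` default and the key-less Ollama case; the `provider` and `api_keys` fields assumed for `~/.iara/config.json` are not documented on this page, and the status output reports where a key came from without echoing it.

```python
"""Added example, not Iara's own code: resolves provider and API key with the
precedence the README states (environment variable, then the global config at
~/.iara/config.json). The JSON layout of that file is an assumption here."""
import json
import os
from pathlib import Path
from typing import Optional

# Provider -> environment variable, as named in the README; Ollama needs no key.
ENV_KEYS = {
    "openrouter": "OPENROUTER_API_KEY",
    "openai": "OPENAI_API_KEY",
    "gemini": "GEMINI_API_KEY",
    "anthropic": "ANTHROPIC_API_KEY",
}
DEFAULT_PROVIDER = "openrouter"


def load_global_config(path: Path = Path.home() / ".iara" / "config.json") -> dict:
    """Read the global config if present; a missing file simply means no saved key."""
    return json.loads(path.read_text()) if path.exists() else {}


def resolve(env: dict, config: dict) -> tuple[str, Optional[str], str]:
    """Return (provider, key, source). The environment wins over the config file.
    source is 'env', 'config', 'none' or 'not-needed', so status output can say
    where a key came from without ever printing the key itself."""
    provider = env.get("IARA_PROVIDER") or config.get("provider") or DEFAULT_PROVIDER
    if provider == "ollama":  # local model, no credential involved
        return provider, None, "not-needed"
    var = ENV_KEYS[provider]  # KeyError: provider not covered by this example
    if env.get(var):
        return provider, env[var], "env"
    key = config.get("api_keys", {}).get(provider)  # assumed config layout
    if key:
        return provider, key, "config"
    return provider, None, "none"


if __name__ == "__main__":
    provider, key, source = resolve(dict(os.environ), load_global_config())
    status = f"set ({len(key)} chars)" if key else "(none)"  # never echo the key
    print(f"provider={provider} key={status} source={source}")
```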
To install from source instead of PyPI:

```bash
git clone https://github.com/felipefernandes/iara.git
cd iara
pip install -e .
```

Review a diff by piping it in, or by passing it through the `PR_DIFF` environment variable:

```bash
git diff main | iara

export PR_DIFF="$(git diff main)"
iara
```

Scan a whole project directory instead of a diff:

```bash
iara --scan ./path/to/project
```

Selecting a specific provider and model:

```bash
# Anthropic Claude
export IARA_PROVIDER="anthropic"
export ANTHROPIC_API_KEY="sk-ant-..."
export IARA_MODEL="claude-sonnet-4-5-20250929"
git diff | iara
# OpenAI GPT-4o
export IARA_PROVIDER="openai"
export OPENAI_API_KEY="sk-..."
export IARA_MODEL="gpt-4o"
git diff | iara
# Google Gemini
export IARA_PROVIDER="gemini"
export GEMINI_API_KEY="AIza..."
export IARA_MODEL="gemini-2.5-flash"
git diff | iara
```

## Privacy & Security

Important: Iara sends your code to third-party LLM providers for analysis. While convenient, this has privacy implications you should be aware of.
- Code diffs are sent to external APIs (OpenRouter, OpenAI, Gemini, Anthropic, Groq)
- Providers may temporarily store data for processing
- Data retention and training policies vary by provider
| Provider | Training on API Data | Data Retention | Enterprise Options | Best For |
|---|---|---|---|---|
| Ollama (local) | None (code never leaves your machine) | None | Yes | Regulated / sensitive code |
| Anthropic | No | Temporary | Yes | Sensitive code |
| OpenAI | | 30 days | Yes | General use |
| Gemini | | Not documented | Yes | General use |
| Groq | | Not documented | No | Public code |
| OpenRouter | | Varies | No | Public code |
- Open Source Projects: Any provider (code is already public)
- Private Projects (non-sensitive): Anthropic or Groq
- Sensitive/Proprietary Code: Anthropic Enterprise or Ollama (local)
- Regulated Industries (HIPAA, PCI-DSS, GDPR): Ollama (zero data leakage, free, works offline)
For detailed privacy information and self-hosted options, see Privacy & Security Guide.
## Documentation

For detailed guides and configuration options, see:
- Configuration Guide - Project configuration, providers, models, RAG memory setup
- CI/CD Integration - GitHub Actions, GitLab CI, Docker, inline PR comments
- Privacy & Security Guide - Data privacy, provider policies, self-hosted options
- Contributing Guide - Development setup, testing, pull requests
Complete configuration examples are available in `examples/`:

- `examples/iara-example.json` - Standard configuration
- `examples/iara-example-inline.json` - Inline PR comments mode
- `examples/github-workflow.yml` - GitHub Actions workflow
- `examples/gitlab-ci.yml` - GitLab CI pipeline
- GitHub Marketplace - Add Iara to your repository
- PyPI Package - Install via pip
- Changelog - Version history and release notes
## Tests

```bash
python -m unittest discover tests
```

## Contributing

We welcome contributions! See our Contributing Guide for:
- Development setup
- Running tests
- Code quality standards
- Pull request guidelines
- Release process
## License

MIT
