Bubo 🦉

Agentic AI code review with the LLM of your choice. Bubo reviews your GitLab MRs and GitHub PRs with the model you run, and posts only the findings worth acting on as inline threads — no chatbot noise, no praise, no summaries.

🔒 Self-hosted — code, diffs, and review data stay on your infrastructure
🧠 Bring-your-own-LLM — Codex, Claude, or any model your CLI drives
🔀 GitLab & GitHub — one config, identical behavior on both
🎯 Inline findings only — with one "all good" ack on a clean change
🛡️ Governance, provenance & an auditable on-prem report
📊 OpenTelemetry metrics — cosign-signed releases with SBOMs

📖 Full documentation → mountainowl.github.io/bubo

Install

uv tool install bubo     # or: pipx install bubo
bubo init                # idempotent; seeds config + workspace + DB
bubo doctor              # verify before the first poll
bubo-poller              # one poll cycle — dry-run by default, posts nothing

Prefer a container? docker pull ghcr.io/mountainowl/bubo (multi-arch; the review-agent CLI is BYO). Full walkthrough in Install and configure.

Documentation

Everything lives on the docs site — this README is just the front door.


Recipes	Copy-paste GitLab / GitHub / in-house-model setups.
Features	The full capability list.
Configuration	Every setting, per section, plus a quick-start config.
Operate	Deploy, schedule, grade outcomes, governance report.
Troubleshooting	Host / infra fixes (sandbox, AppArmor).
Metrics & telemetry	Emitted `llm_review.*` metrics and dashboards.

Status

GitLab & GitHub posting via polling — production path, at outcome-metric parity. Set [scm].provider = "github" (or BUBO_PROVIDER=github).
MCP server (bubo-mcp) — read-only metrics + triggered reviews; stdio or HTTP.
Codex or Claude — Bubo runs the review through a wrapper around your agent CLI; Codex ships pre-wired.
Webhook-driven triggering — not yet; polling is the only path.

Review execution sits outside CI/CD by design — run it as a poller beside your existing pipelines.

Security

config/env.toml is gitignored and holds tokens. Do not print or commit real values.
Review-agent stdout is redacted (GITLAB_TOKEN=, OPENAI_API_KEY=, glpat-…, sk-…, credentialed Git URLs) before it touches reports, logs, or the database.
The reviewer subprocess runs under a strict env allowlist — host secrets aren't handed wholesale to the LLM agent.
Releases are cosign-signed via Sigstore keyless OIDC, with an SBOM on every release.
Report vulnerabilities per SECURITY.md.

Community

Contributing · Security policy · Support · Code of conduct · License: MIT

Name		Name	Last commit message	Last commit date
Latest commit History 137 Commits
.github		.github
assets		assets
benchmarks		benchmarks
bin		bin
config		config
deploy/templates		deploy/templates
docs		docs
plugins/superpowers		plugins/superpowers
prompts		prompts
skills/code-reviewer		skills/code-reviewer
src/bubo		src/bubo
tests		tests
ui		ui
.dockerignore		.dockerignore
.gitignore		.gitignore
.pre-commit-config.yaml		.pre-commit-config.yaml
.release-please-manifest.json		.release-please-manifest.json
CHANGELOG.md		CHANGELOG.md
CODE_OF_CONDUCT.md		CODE_OF_CONDUCT.md
CONTRIBUTING.md		CONTRIBUTING.md
Dockerfile		Dockerfile
LICENSE		LICENSE
README.md		README.md
SECURITY.md		SECURITY.md
SUPPORT.md		SUPPORT.md
action.yml		action.yml
mkdocs.yml		mkdocs.yml
pyproject.toml		pyproject.toml
release-please-config.json		release-please-config.json
uv.lock		uv.lock

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

Bubo 🦉

Install

Documentation

Status

Security

Community

About

Uh oh!

Releases 35

Packages

Uh oh!

Contributors

Uh oh!

Languages

Folders and files

Latest commit

History

Repository files navigation

Bubo 🦉

Install

Documentation

Status

Security

Community

About

Topics

Resources

License

Code of conduct

Contributing

Security policy

Uh oh!

Stars

Watchers

Forks

Releases 35

Packages 0

Uh oh!

Contributors

Uh oh!

Languages

Packages