DEV.co
Open-Source DevOps · patched-codes

patchwork

Patchwork is an open-source CLI framework that automates repetitive software development tasks like code reviews, vulnerability fixes, and documentation generation using AI models. It combines reusable steps and customizable LLM prompts into workflows called Patchflows that can run locally or in CI/CD pipelines.

Source: GitHub — github.com/patched-codes/patchwork
1.6k
GitHub stars
103
Forks
Python
Primary language
AGPL-3.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorypatched-codes/patchwork
Ownerpatched-codes
Primary languagePython
LicenseAGPL-3.0 — OSI-approved
Stars1.6k
Forks103
Open issues193
Latest releasev0.0.124 (2025-04-16)
Last updated2026-06-15
Sourcehttps://github.com/patched-codes/patchwork

What patchwork is

Python-based agentic framework supporting OpenAI-compatible LLM endpoints (OpenAI, Google, Groq, local models via llama.cpp/ollama). Core architecture uses Steps (atomic actions), Prompt Templates (LLM queries with variable interpolation), and Patchflows (orchestrated workflows). Licensed under AGPL-3.0; integrates with GitHub, Semgrep, Depscan, and Chromadb for security analysis and RAG.

Quickstart

Get the patchwork source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/patched-codes/patchwork.gitcd patchwork# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Automated Security Patching

Use AutoFix and DependencyUpgrade patchflows to identify vulnerabilities via Semgrep, generate fixes with LLMs, and create PRs automatically—reducing security backlog.

Code Review Acceleration

PRReview patchflow automates PR summarization and comment generation, freeing senior engineers from routine review work on non-critical changes.

Documentation Generation at Scale

GenerateDocstring and GenerateREADME patchflows create docstrings and repository documentation, enforcing consistency across codebases without manual effort.

Implementation considerations

  • LLM provider costs and latency will scale with repository size and patchflow complexity; budget and test with small repos first.
  • AGPL-3.0 copyleft: if used in a service or integrated into proprietary tooling, derivative works must be open-sourced. Clarify licensing intent with legal before production deployment.
  • Patchflows depend on optional dependency groups (security, rag, notifications); only install what you need to minimize supply-chain footprint.
  • Customization requires understanding template variables, step composition, and LLM prompt engineering; non-trivial for teams unfamiliar with agentic AI patterns.
  • GitHub API tokens and LLM keys must be managed securely (environment variables, secrets managers); credentials in config files expose attack surface.

When to avoid it — and what to weigh

  • Proprietary or Closed-Source Commercial Product — AGPL-3.0 requires source disclosure if deployed as a service. If you intend to run this as a SaaS without open-sourcing modifications, you need legal review or a commercial license.
  • Requirement for Guaranteed Output Quality — LLM-driven automation inherently produces variable results. Patchflows require human review before merging; unsuitable for fully autonomous, unreviewed deployments.
  • Non-Git or Proprietary VCS Environments — Framework is tightly coupled to GitHub APIs and Git workflows. Does not support Bitbucket, GitLab, or internal VCS systems without custom step development.
  • Teams Without DevOps/ML Infrastructure — Requires API keys, LLM provider accounts (OpenAI, Google, or Groq), and optional tools (Semgrep, Depscan). Onboarding involves credential management and configuration complexity.

License & commercial use

Patchwork is licensed under AGPL-3.0 (GNU Affero General Public License v3.0). This is a strong copyleft license: any modifications or network-based distribution require source code disclosure. Custom patchflows and steps can be authored using the separate patchwork-configs repository, which is Apache-2.0 licensed, allowing proprietary extensions.

AGPL-3.0 is incompatible with most proprietary commercial deployments without modification. If you intend to use Patchwork as a SaaS, incorporate it into a closed-source product, or modify it without disclosing source, you must seek explicit permission from the maintainers or pursue a commercial license. Using it as a CLI tool internally for your own organization is permissible under AGPL-3.0, but deploying it as a hosted service requires compliance with source-disclosure obligations. Requires legal review before commercial deployment.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityNeeds review
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

LLM outputs are not inherently trustworthy; generated code patches and fixes must undergo human review before merging. API keys and GitHub tokens are critical secrets—mismanagement via config files or environment leaks enables repository compromise. Supply-chain risk: depends on Semgrep, Depscan, Chromadb, and upstream LLM providers. AGPL-3.0 source-disclosure requirement may conflict with security-through-obscurity practices. No published security audit data. Recommend: rotate credentials regularly, audit generated outputs, restrict LLM model capabilities, use least-privilege GitHub tokens.

Alternatives to consider

GitHub Copilot / Copilot for PR Review (GitHub)

Native GitHub integration, no setup overhead, but limited scope (PR review only), proprietary licensing, and no local/self-hosted option. Simpler for light-weight use cases; Patchwork offers more customization and broader automation scope.

LangChain / LlamaIndex Agentic Frameworks

Lower-level abstractions for building custom AI agents; more flexible but require significant engineering effort. Patchwork is higher-level and pre-configured for DevOps workflows. Use LangChain if you need domain-specific automation beyond Patchwork's patchflows.

IDE-based code generation with real-time feedback, but not designed for repository-wide, batch automation. Patchwork excels at bulk operations; Codeium excels at inline coding assistance.

Software development agency

Build on patchwork with DEV.co software developers

Evaluate Patchwork for your team. Start with a proof-of-concept on non-critical code, review AGPL-3.0 licensing implications with legal, and test with your LLM provider of choice. Contact Devco for integration guidance.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

patchwork FAQ

Can I use Patchwork in a commercial SaaS without open-sourcing my modifications?
No, not without a commercial license or source-code disclosure. AGPL-3.0 requires copyleft compliance. Internal use (CLI on your infrastructure) is permissible; network-based services require source availability. Consult with legal before production deployment.
Does Patchwork work with GitLab, Bitbucket, or on-premises Git?
No. Out-of-the-box support is GitHub-only. GitLab/Bitbucket require custom step development. On-premises Git (Gitea, GitLab self-hosted) may work if API-compatible, but is unsupported and untested.
What LLM providers are supported?
Any OpenAI-compatible endpoint: OpenAI, Google Gemini, Groq, Hugging Face, Together AI, and local models (llama.cpp, ollama, vLLM, TGI). Select via `client_base_url` and `model` parameters.
How do I ensure generated code patches are safe?
All LLM-generated outputs are untrusted. Mandatory human review is required before merging. Use GitHub branch protections to enforce review workflows. Monitor LLM behavior and rotate API keys regularly if suspicious activity detected.

Software developers & web developers for hire

Need help beyond evaluating patchwork? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source devops integrations — and maintain them long-term.

Ready to Automate Your DevOps Workflows?

Evaluate Patchwork for your team. Start with a proof-of-concept on non-critical code, review AGPL-3.0 licensing implications with legal, and test with your LLM provider of choice. Contact Devco for integration guidance.