patchwork
Patchwork is an open-source CLI framework that automates repetitive software development tasks like code reviews, vulnerability fixes, and documentation generation using AI models. It combines reusable steps and customizable LLM prompts into workflows called Patchflows that can run locally or in CI/CD pipelines.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | patched-codes/patchwork |
| Owner | patched-codes |
| Primary language | Python |
| License | AGPL-3.0 — OSI-approved |
| Stars | 1.6k |
| Forks | 103 |
| Open issues | 193 |
| Latest release | v0.0.124 (2025-04-16) |
| Last updated | 2026-06-15 |
| Source | https://github.com/patched-codes/patchwork |
What patchwork is
Python-based agentic framework supporting OpenAI-compatible LLM endpoints (OpenAI, Google, Groq, local models via llama.cpp/ollama). Core architecture uses Steps (atomic actions), Prompt Templates (LLM queries with variable interpolation), and Patchflows (orchestrated workflows). Licensed under AGPL-3.0; integrates with GitHub, Semgrep, Depscan, and Chromadb for security analysis and RAG.
Get the patchwork source
Clone the repository and explore it locally.
git clone https://github.com/patched-codes/patchwork.gitcd patchwork# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- LLM provider costs and latency will scale with repository size and patchflow complexity; budget and test with small repos first.
- AGPL-3.0 copyleft: if used in a service or integrated into proprietary tooling, derivative works must be open-sourced. Clarify licensing intent with legal before production deployment.
- Patchflows depend on optional dependency groups (security, rag, notifications); only install what you need to minimize supply-chain footprint.
- Customization requires understanding template variables, step composition, and LLM prompt engineering; non-trivial for teams unfamiliar with agentic AI patterns.
- GitHub API tokens and LLM keys must be managed securely (environment variables, secrets managers); credentials in config files expose attack surface.
When to avoid it — and what to weigh
- Proprietary or Closed-Source Commercial Product — AGPL-3.0 requires source disclosure if deployed as a service. If you intend to run this as a SaaS without open-sourcing modifications, you need legal review or a commercial license.
- Requirement for Guaranteed Output Quality — LLM-driven automation inherently produces variable results. Patchflows require human review before merging; unsuitable for fully autonomous, unreviewed deployments.
- Non-Git or Proprietary VCS Environments — Framework is tightly coupled to GitHub APIs and Git workflows. Does not support Bitbucket, GitLab, or internal VCS systems without custom step development.
- Teams Without DevOps/ML Infrastructure — Requires API keys, LLM provider accounts (OpenAI, Google, or Groq), and optional tools (Semgrep, Depscan). Onboarding involves credential management and configuration complexity.
License & commercial use
Patchwork is licensed under AGPL-3.0 (GNU Affero General Public License v3.0). This is a strong copyleft license: any modifications or network-based distribution require source code disclosure. Custom patchflows and steps can be authored using the separate patchwork-configs repository, which is Apache-2.0 licensed, allowing proprietary extensions.
AGPL-3.0 is incompatible with most proprietary commercial deployments without modification. If you intend to use Patchwork as a SaaS, incorporate it into a closed-source product, or modify it without disclosing source, you must seek explicit permission from the maintainers or pursue a commercial license. Using it as a CLI tool internally for your own organization is permissible under AGPL-3.0, but deploying it as a hosted service requires compliance with source-disclosure obligations. Requires legal review before commercial deployment.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Needs review |
| Deployment complexity | Moderate |
| DEV.co fit | Good |
| Assessment confidence | High |
LLM outputs are not inherently trustworthy; generated code patches and fixes must undergo human review before merging. API keys and GitHub tokens are critical secrets—mismanagement via config files or environment leaks enables repository compromise. Supply-chain risk: depends on Semgrep, Depscan, Chromadb, and upstream LLM providers. AGPL-3.0 source-disclosure requirement may conflict with security-through-obscurity practices. No published security audit data. Recommend: rotate credentials regularly, audit generated outputs, restrict LLM model capabilities, use least-privilege GitHub tokens.
Alternatives to consider
GitHub Copilot / Copilot for PR Review (GitHub)
Native GitHub integration, no setup overhead, but limited scope (PR review only), proprietary licensing, and no local/self-hosted option. Simpler for light-weight use cases; Patchwork offers more customization and broader automation scope.
LangChain / LlamaIndex Agentic Frameworks
Lower-level abstractions for building custom AI agents; more flexible but require significant engineering effort. Patchwork is higher-level and pre-configured for DevOps workflows. Use LangChain if you need domain-specific automation beyond Patchwork's patchflows.
IDE-based code generation with real-time feedback, but not designed for repository-wide, batch automation. Patchwork excels at bulk operations; Codeium excels at inline coding assistance.
Build on patchwork with DEV.co software developers
Evaluate Patchwork for your team. Start with a proof-of-concept on non-critical code, review AGPL-3.0 licensing implications with legal, and test with your LLM provider of choice. Contact Devco for integration guidance.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
patchwork FAQ
Can I use Patchwork in a commercial SaaS without open-sourcing my modifications?
Does Patchwork work with GitLab, Bitbucket, or on-premises Git?
What LLM providers are supported?
How do I ensure generated code patches are safe?
Software developers & web developers for hire
Need help beyond evaluating patchwork? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source devops integrations — and maintain them long-term.
Ready to Automate Your DevOps Workflows?
Evaluate Patchwork for your team. Start with a proof-of-concept on non-critical code, review AGPL-3.0 licensing implications with legal, and test with your LLM provider of choice. Contact Devco for integration guidance.