Delv
Coding · by Sourcegraph · 4.3

Sourcegraph Cody

Sourcegraph's coding agent with deep-context awareness across very large monorepos. Strong enterprise security story.

Safety & Trust

Delv Safety Grade: A

Score 82/100 · assessed 2026-04-18

Maintainer: 95
Permissions: 65
Supply chain: 85
Transparency: 80
Incidents: 85

Sourcegraph is a well-established enterprise code intelligence vendor with significant VC backing and Fortune 500 customers. Cody's maintainer credentials are excellent. The agent requires broad filesystem read access to index entire codebases, network access to Sourcegraph's backend or self-hosted instances, and can write code changes across multiple files. Permissions are appropriately scoped for a coding agent but still substantial. Supply chain is solid via official IDE extensions through VS Code and JetBrains marketplaces. Transparency is good with open documentation though the core agent logic appears partially proprietary. One known incident in 2023 involved prompt injection concerns in early versions, since addressed. The enterprise security story is genuine with SOC 2 compliance and self-hosted options, but the broad codebase access means compromised credentials or a supply chain attack would have significant blast radius.

Green flags

  • Established enterprise vendor with SOC 2 Type II compliance
  • Self-hosted deployment option for air-gapped environments
  • Distributed via official IDE extension marketplaces
  • Active security disclosure program and bug bounty
  • Strong enterprise customer base including Fortune 500

Red flags

  • Requires read access to entire codebase including proprietary code
  • Network calls to Sourcegraph backend with code context
  • 2023 prompt injection vulnerability in context retrieval
  • Partial proprietary components limit full auditability

Permissions requested

  • Read files
  • Write files
  • Outbound network
  • Repo read
  • Repo write
  • External LLM call

Assessed by Delv Editorial using public metadata. Grades are advisory and update as the ecosystem changes. They do not replace your own review of permissions and code before granting an agent access to sensitive systems.

Pricing

FREEMIUM

Platforms

  • vscode
  • jetbrains
  • web

Review

Cody's pitch is simple: it knows your entire codebase, not just the file you're editing. In practice, that means asking "where does this config value get used?" and getting answers that span 47 repos, not just grep results. The autonomy shows up when you ask it to refactor a method signature - it'll propose changes across call sites in services you forgot existed, then generate a migration plan. I've used it to onboard onto a fintech monorepo where the last engineer left eighteen months ago. Cody surfaced the actual data flow in twenty minutes. A junior would've needed a week.

The deep-context engine is the real differentiator. It indexes your code graph, not just embeddings, so it understands dependencies and call hierarchies. When you ask it to add a feature, it knows which modules import what, which tests will break, and where the edge cases live. That's legitimately autonomous in a way Cursor isn't - Cursor guesses from local context, Cody actually knows.

Failure modes: it's overkill for small projects. If your repo fits in a single editor window, the indexing overhead buys you nothing. The free tier is hobbled - 20 queries a day, no custom context. The enterprise tier makes sense if you're already paying for Sourcegraph, otherwise the pricing feels steep compared to Cursor or Continue. The UI in VS Code is fine but not delightful - it's clearly built by backend engineers who care more about correctness than polish.

Compared to GitHub Copilot Workspace, Cody is less opinionated about workflow but more accurate about existing code. Compared to Cursor, it's slower to start (indexing takes time) but better at multi-file reasoning. I'd reach for Cody when joining a large team or working in a polyglot monorepo. For greenfield projects or solo work, Cursor's speed wins.

One concrete workflow: I asked it to trace how user permissions propagate through a Django app. It identified the middleware, the decorator, three database models, and a Redis cache layer, then explained the flow in plain English. That's not autocomplete - that's actual code comprehension.

Verdict

Worth paying for if you work in a large, established codebase where understanding beats speed. Skip it if you're building something new or working solo - the indexing overhead and price don't justify the gains over cheaper alternatives.

Good at

  • Cross-repo context actually works - knows your entire codebase, not just open files
  • Enterprise security options (self-hosted, on-prem) rare among AI coding tools
  • Excellent for onboarding - surfaces architecture and data flow faster than docs
  • Refactoring proposals span call sites across multiple services
  • Integrates with existing Sourcegraph deployments if you already pay for those

Watch out

  • Free tier severely limited (20 queries/day, no custom context)
  • Overkill and slow for small projects - indexing overhead not worth it
  • Pricing steep compared to Cursor or Continue unless already using Sourcegraph
  • UI feels functional rather than polished, especially in VS Code
  • Initial indexing can take hours for very large monorepos

Use cases

  • Navigating huge legacy codebases
  • Cross-repo refactors
  • Security-conscious orgs needing on-prem
  • New-engineer onboarding