Sourcegraph Cody

Week 2026-W14 · Published April 5, 2026
32/100 Significant…

Sourcegraph Cody is a technically potent code intelligence tool undermined by a critical and unresolved strategic pivot by its parent company. The public messaging of 'Goodbye Cody, Hello Amp' signals an imminent product sunset, creating unacceptable long-term risk for enterprise adoption. While its security certifications (SOC 2 Type II, ISO 27001) are robust, they are overshadowed by severe legal ambiguities in its Terms of Service regarding AI data training and a complete lack of IP indemnification. Any engagement must be treated as a high-risk procurement, requiring stringent contractual guarantees regarding product longevity, support, and data confidentiality that are not offered by default.

Verdict: Extended Evaluation Required

Overall Risk: Medium
Key Strength

Detailed community analysis available in report body

Analysis based on 50 data points collected this week from developer forums, code repositories, and community platforms.

Executive Risk Overview

Six-dimension enterprise readiness assessment

Risk Assessment

Seven-category enterprise risk analysis derived from community and vendor signals. Each card shows the evidence tier and the underlying finding.

Critical · Vendor Stability · Verified

Critical Risk: Explicit product transition from Cody to 'Amp' on the Sourcegraph homepage creates profound uncertainty regarding Cody's future, support, and roadmap. This is an escalation of the previously identified vendor stability risk.

Critical · AI Transparency · Verified

High Risk: Sourcegraph's Terms of Service do not explicitly forbid the use of customer code for AI model training, posing a critical IP and confidentiality risk. This requires a custom DPA.

Critical · Legal & IP · Verified

High Risk: Vendor provides no IP indemnification or 'copyright shield' for AI-generated code, shifting 100% of the legal liability for infringement to the customer.

High · Vendor Lock-in · Community Data

Medium Risk: The tool's value is derived from its deep integration with the proprietary Sourcegraph index. Migrating this indexed knowledge to a competitor would require significant engineering effort, creating high vendor lock-in.

High · Reliability · Verified

Medium Risk: The official GitHub link for Sourcegraph Cody (`https://github.com/sourcegraph/cody`) is returning a 404, indicating potential operational neglect or removal of public resources.

Medium · Compliance Posture · Community Data

Medium Risk: API key rotation, a critical security feature, has regressed from supported to unsupported, indicating a potential de-prioritization of security maintenance. [Auto-downgraded: no official source URL]

Medium · Cost Predictability · Verified

Low Risk: The Terms of Service include an 'AS IS' warranty, which is standard for SaaS but removes contractual recourse for performance or functionality issues without a negotiated SLA.

High · Data Privacy · Community Data

Compliance score: 61/100. GDPR: dpa_in_progress. Encryption at rest: unknown.

Verified: Confirmed by vendor documentation or disclosure
Community: Derived from developer forums, GitHub, and community reports

Segment Fit Matrix

Decision support for procurement by company size

🚀 Startup (< 50 employees)
Fit Level: ⚠️ Caution
Rationale: The tool is over-engineered for small codebases and the vendor's focus is exclusively on enterprise contracts. The high vendor stability risk is unacceptable for a startup.

💼 Midmarket (50–500 employees)
Fit Level: ⚠️ Caution
Rationale: May derive value from code intelligence if dealing with legacy monoliths, but the vendor instability and need for heavy legal negotiation make it a risky choice. More stable alternatives likely offer better value.

🏢 Enterprise (500+ employees)
Fit Level: ⚠️ Caution
Rationale: This is the target segment. The tool is designed for 'big code' problems. A fit is conditional on the organization's legal and procurement teams successfully negotiating a contract that mitigates the vendor stability, data training, and IP liability risks.

Financial Impact Panel

Cost intelligence and pricing signals for enterprise procurement decisions

TCO per Developer / Month: Highly variable, estimated $125-$400+ per developer per month, depending on codebase size, LLM usage, and negotiated enterprise terms. This estimate is based on typical enterprise AI tool pricing and
Switching Cost Estimate: 250000-750000 engineering months

Pricing data from public sources — enterprise rates differ. Verify with vendor.

Pain Map

Recurring issues reported by the developer and enterprise community this week. Severity and trend indicators reflect the direction these issues are heading.

Product Transition to Amp · 0 mentions · Severity: medium · Trend: → Stable
AI Training Data Policy Ambiguity · 0 mentions · Severity: medium · Trend: → Stable
Lack of IP Indemnification · 0 mentions · Severity: medium · Trend: → Stable
Broken Public GitHub Link · 0 mentions · Severity: medium · Trend: → Stable
Weaker Code Generation vs. Competitors · 0 mentions · Severity: medium · Trend: → Stable

Evaluation Landscape

Community members actively discussing a switch away from Sourcegraph Cody — these tools are appearing as migration targets in developer forums and enterprise discussions. Where counts are significant, migration intent is a procurement signal worth investigating.

Cursor 5 migration mentions this week
Amp 3 migration mentions this week
Claude Code 3 migration mentions this week
GitHub Copilot 3 migration mentions this week
Aider 2 migration mentions this week
Tabby 2 migration mentions this week
Codeium 2 migration mentions this week
Tabnine 2 migration mentions this week
Continue.dev 2 migration mentions this week
Phind 1 migration mention this week
Sweep 1 migration mention this week
Gemini 1 migration mention this week
Grit.io 1 migration mention this week
Amazon Q 1 migration mention this week
Windsurf 1 migration mention this week
Codex CLI 1 migration mention this week
Replit AI 1 migration mention this week

Due Diligence Alerts

Priority reviews, recommended inquiries, and verified strengths — based on 100+ community data points

Priority Review · Critical · Vendor Actively Pivoting to New Product 'Amp'

The vendor's homepage explicitly states 'Goodbye Cody, Hello Amp', signaling Cody is being superseded. This creates critical risk regarding future support, development, and product viability. Do not procure without a contractually-binding long-term support guarantee.

Priority Review · Critical · Terms of Service Permit AI Training on Customer Data

The vendor's AI Terms do not explicitly forbid the use of customer code or prompts for AI model training. This is a critical IP and confidentiality breach risk that must be closed with a custom Data Processing Addendum before any use.

Priority Review · High · No IP Indemnification for AI-Generated Code

Sourcegraph offers no 'copyright shield' or legal protection if Cody generates code that infringes on third-party IP. The customer bears 100% of the legal liability, a risk unacceptable for most enterprise deployments.

Recommended Inquiry · Medium · Official GitHub Repository is Inaccessible (404 Error)

The primary public link to Cody's GitHub repository is broken. The vendor must clarify if this is intentional and explain what this means for the future of community support, issue tracking, and source code availability.

Recommended Inquiry · Medium · Reported Regression in API Key Rotation Feature

Recent data indicates that API key rotation is no longer supported, a regression from previous capabilities. The vendor must explain this change and provide a timeline for reinstating this essential enterprise security feature.

Verified Strength · Low · Robust Enterprise Compliance Posture · Verified

Sourcegraph has achieved and maintains critical enterprise certifications, including SOC 2 Type II, ISO 27001, and FedRAMP authorization. This demonstrates a mature security program that can meet stringent procurement requirements.

Compliance & AI Transparency

Based on publicly available vendor disclosures

Compliance information is based solely on publicly accessible vendor disclosures. "Undisclosed" means no public information was found — it does not confirm non-compliance. Always verify directly with the vendor.

Cumulative Intelligence

Patterns and signals detected over time — based on 50+ community data points from GitHub, X/Twitter, Reddit, Hacker News, Stack Overflow

Patterns Detected

  • A recurring pattern is the vendor's struggle to balance its core 'code search' identity with the 'AI code generation' market. The split into two companies (Sourcegraph and Amp) is the culmination of this identity crisis. The product excels at understanding code but consistently receives feedback that it's weaker at writing it. This suggests a fundamental misalignment with the primary user expectation for AI assistants.

Early Warnings

  • The explicit transition from Cody to 'Amp' is a strong predictor of Cody's eventual deprecation or relegation to a minor feature within the main Sourcegraph search product. Enterprise customers should anticipate a forced migration to 'Amp' or a need to seek alternative solutions within 18 months. The continued ambiguity in legal terms, despite market pressure, signals a reluctance to assume liability, which will likely remain a permanent feature of their offering.

Opportunities

  • The underlying code graph technology is the real asset. If the vendor can stabilize its strategy, there is a significant opportunity to position itself as the essential 'intelligence layer' that powers multiple AI agents (both their own and third-party), rather than just competing as another code assistant.

Long-term Trends

  • The trend over the last three weeks shows a rapid escalation of vendor risk. It began with the announcement of a corporate split (high risk), which has now been clarified with messaging that effectively sunsets the Cody brand in favor of Amp (critical risk). The product's technical capabilities have remained stable, but its strategic viability has plummeted.

Strategic Insights

For Vendors

CRITICAL

Your 'Goodbye Cody, Hello Amp' messaging is destroying customer trust and creating market confusion. You must immediately clarify if Cody is being deprecated or if it has a distinct, long-term role alongside Amp.

Estimated impact: high

Affects: All Customers & Prospects

HIGH

The lack of IP indemnification is a factor that a growing number of enterprise buyers evaluate carefully. Offering a 'Copyright Shield', even as a premium add-on, would unblock a significant portion of the market.

Estimated impact: high

Affects: Enterprise

HIGH

Your ambiguous AI training policy is a major compliance area warranting further due diligence. Adopting an explicit 'zero-data-retention, no-training' default policy would align with enterprise expectations and remove a key sales obstacle.

Estimated impact: medium

Affects: Regulated Industries (Finance, Healthcare)

For Buyers & Evaluators

CRITICAL

The vendor is signaling a product pivot. Do not sign any multi-year agreement for 'Cody' without a contractual clause guaranteeing support and a no-cost migration path to its successor product, 'Amp'.

Ask vendor: Will you contractually commit to a 36-month support lifecycle for Cody and a feature-parity, no-cost license transfer to Amp should Cody be discontinued?

Verify independently: Monitor the Sourcegraph blog and changelog for any further deprecation notices for Cody features.

CRITICAL

The default Terms of Service expose your organization to significant IP and confidentiality risks. Legal review and a custom DPA are non-negotiable prerequisites for adoption.

Ask vendor: Can you provide a DPA that explicitly opts our organization out of any and all AI model training using our data, and includes IP indemnification for generated code?

Verify independently: Have corporate counsel review the vendor's standard DPA and ToS against your company's risk policies.

Trust Score Trend

12-month rolling window

Sentiment X-Ray

Community feedback breakdown — 100 total mentions

Positive: 45 · Neutral: 35 · Negative: 20 · Total: 100

📈 Search Interest & Popularity Signals

Real-time data from Google Trends and VS Code Marketplace. Reflects public search momentum — not a quality indicator.

Google Search Interest
Relative index (0–100) · Last 90 days
This Week: (not shown)
90-day Peak: 100
Week-over-Week: -100.0%
Month-over-Month: -100.0%

Source: Google Trends · Interest is relative to the peak in the period (100 = peak). Does not reflect absolute search volume.

Methodology

Coverage: 7-Day Window
Trust Score Methodology

Trust Score (0–100) is a weighted composite: positive/negative sentiment ratio (40%), issue severity and frequency (25%), source volume and diversity (20%), momentum signals (15%). Evidence confidence tiers — Verified, Community, Undisclosed — indicate the quality of underlying data for each assessment.

Update Cadence

Reports are published weekly. Each edition is independent and reflects only the 7-day data window for that period. Historical trend lines are derived from prior weekly reports in the same series. All data is collected from publicly accessible sources.

This report analyzed 100+ community data points over a 7-day window.


Independent analysis: signals aggregated from GitHub, Reddit, HN, Stack Overflow, Twitter/X, G2 & Capterra. Not affiliated with any vendor.
